[systemd-devel] timedatectl regression in 218: crash with Etc/UTC

Martin Pitt martin.pitt at ubuntu.com
Mon Dec 15 03:50:32 PST 2014


Hey Tom, all,

with systemd 218 our integration tests picked out a regression with
timedatectl: just calling it without any arguments crashes with

  *** Error in `./timedatectl': free(): invalid next size (fast): 0xf8cce8d8 ***

I only get this crash on i386 (32 bit), not x86_64. It also only
happens with /etc/timezone having Etc/UTC, other time zones like
Europe/Berlin work. Presumably because Etc/UTC does not have any DST
rules.

Back trace, with details from the interesting frame:

#0  0xf7fd9ca0 in __kernel_vsyscall ()
#1  0xf7e2b607 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xf7e2cd83 in __GI_abort () at abort.c:89
#3  0xf7e6a9e3 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0xf7f628fc "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#4  0xf7e70b0a in malloc_printerr (action=<optimized out>, str=0xf7f62a9c "free(): invalid next size (fast)", ptr=0x565b98d8)
    at malloc.c:4996
#5  0xf7e71765 in _int_free (av=0xf7fa7420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3840
#6  0x5659b613 in freep (p=0xffffd6c8) at src/shared/util.h:659
#7  0x5659c185 in time_get_dst (date=1418644009, tzfile=0x5659e9ee "/etc/localtime", switch_cur=0xffffd81c, zone_cur=0xffffd810, 
    dst_cur=0xffffd809, switch_next=0xffffd824, delta_next=0xffffd820, zone_next=0xffffd814, dst_next=0xffffd80a)
    at src/shared/time-dst.c:104
        type_idxs = 0x565b98d8 ""
        num_types = 1
        types = 0x565b98d8
        zone_names = 0x565b98e0 "UTC"
        st = {st_dev = 40, __pad1 = 348, __st_ino = 351284, st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0, 
          __pad2 = 4, st_size = 118, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1418641254, tv_nsec = 924653672}, 
          st_mtim = {tv_sec = 1418641254, tv_nsec = 920653672}, st_ctim = {tv_sec = 1418641254, tv_nsec = 920653672}, 
          st_ino = 351284}
        num_isstd = 1
        num_isgmt = 1
        tzhead = {tzh_magic = "TZif", tzh_version = "2", tzh_reserved = '\000' <repeats 14 times>, 
          tzh_ttisgmtcnt = "\000\000\000\001", tzh_ttisstdcnt = "\000\000\000\001", tzh_leapcnt = "\000\000\000", 
          tzh_timecnt = "\000\000\000", tzh_typecnt = "\000\000\000\001", tzh_charcnt = "\000\000\000\004"}
        chars = 4
        i = 1
        total_size = 12
        types_idx = 0
        trans_width = 4
        tzspec_len = 0
        num_leaps = 0
        lo = 4294956851
        hi = 1
        num_transitions = 0
        transitions = 0x565b98d8
        f = 0x565b9970
#8  0x5655965b in print_status_info (i=0xffffd924) at src/timedate/timedatectl.c:167
#9  0x56559ae9 in show_status (bus=0x565b8008, args=0xffffdaa8, n=0) at src/timedate/timedatectl.c:239
#10 0x5655aa8b in timedatectl_main (bus=0x565b8008, argc=1, argv=0xffffdaa4) at src/timedate/timedatectl.c:542
#11 0x5655aba7 in main (argc=1, argv=0xffffdaa4) at src/timedate/timedatectl.c:563

I bisected this to commit 681f9718c "shared: time-dst - ensure nulstr is null
terminated", reverting it fixes the crash.

+        zone_names[chars] = '\0';
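
Review bot: the added store zone_names[chars] = '\0' writes one byte
past the zone-name data unless the allocation was grown by one to hold
it, and nothing in this line shows that it was. In the frame #7 locals
above, transitions and types both sit at 0x565b98d8, zone_names at
0x565b98e0 (offset 8), chars = 4 and total_size = 12, so the store lands
at offset 12. If the buffer is allocated with total_size bytes, that is
the first byte past its end, which fits the "free(): invalid next size"
abort. Suggest adding one byte for the terminator to the size
computation before allocating, or dropping the store and bounding reads
of zone_names by chars instead.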

At first sight this smells like writing one past the array boundary,
if chars is the length of a string.

Was there some actual visible bug before this?

Thanks!

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

