[systemd-devel] timedatectl regression in 218: crash with Etc/UTC
Martin Pitt
martin.pitt at ubuntu.com
Mon Dec 15 03:50:32 PST 2014
Hey Tom, all,
with systemd 218 our integration tests picked out a regression with
timedatectl: just calling it without any arguments crashes with
*** Error in `./timedatectl': free(): invalid next size (fast): 0xf8cce8d8 ***
I only get this crash on i386 (32 bit), not x86_64. It also only
happens with /etc/timezone having Etc/UTC, other time zones like
Europe/Berlin work. Presumably because Etc/UTC does not have any DST
rules.
Back trace, with details from the interesting frame:
#0 0xf7fd9ca0 in __kernel_vsyscall ()
#1 0xf7e2b607 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xf7e2cd83 in __GI_abort () at abort.c:89
#3 0xf7e6a9e3 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0xf7f628fc "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#4 0xf7e70b0a in malloc_printerr (action=<optimized out>, str=0xf7f62a9c "free(): invalid next size (fast)", ptr=0x565b98d8)
at malloc.c:4996
#5 0xf7e71765 in _int_free (av=0xf7fa7420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3840
#6 0x5659b613 in freep (p=0xffffd6c8) at src/shared/util.h:659
#7 0x5659c185 in time_get_dst (date=1418644009, tzfile=0x5659e9ee "/etc/localtime", switch_cur=0xffffd81c, zone_cur=0xffffd810,
dst_cur=0xffffd809, switch_next=0xffffd824, delta_next=0xffffd820, zone_next=0xffffd814, dst_next=0xffffd80a)
at src/shared/time-dst.c:104
at src/shared/time-dst.c:104
type_idxs = 0x565b98d8 ""
num_types = 1
types = 0x565b98d8
zone_names = 0x565b98e0 "UTC"
st = {st_dev = 40, __pad1 = 348, __st_ino = 351284, st_mode = 33188, st_nlink = 1, st_uid = 0, st_gid = 0, st_rdev = 0,
__pad2 = 4, st_size = 118, st_blksize = 4096, st_blocks = 8, st_atim = {tv_sec = 1418641254, tv_nsec = 924653672},
st_mtim = {tv_sec = 1418641254, tv_nsec = 920653672}, st_ctim = {tv_sec = 1418641254, tv_nsec = 920653672},
st_ino = 351284}
num_isstd = 1
num_isgmt = 1
tzhead = {tzh_magic = "TZif", tzh_version = "2", tzh_reserved = '\000' <repeats 14 times>,
tzh_ttisgmtcnt = "\000\000\000\001", tzh_ttisstdcnt = "\000\000\000\001", tzh_leapcnt = "\000\000\000",
tzh_timecnt = "\000\000\000", tzh_typecnt = "\000\000\000\001", tzh_charcnt = "\000\000\000\004"}
chars = 4
i = 1
total_size = 12
types_idx = 0
trans_width = 4
tzspec_len = 0
num_leaps = 0
lo = 4294956851
hi = 1
num_transitions = 0
transitions = 0x565b98d8
f = 0x565b9970
#8 0x5655965b in print_status_info (i=0xffffd924) at src/timedate/timedatectl.c:167
#9 0x56559ae9 in show_status (bus=0x565b8008, args=0xffffdaa8, n=0) at src/timedate/timedatectl.c:239
#10 0x5655aa8b in timedatectl_main (bus=0x565b8008, argc=1, argv=0xffffdaa4) at src/timedate/timedatectl.c:542
#11 0x5655aba7 in main (argc=1, argv=0xffffdaa4) at src/timedate/timedatectl.c:563
I bisected this to commit 681f9718c "shared: time-dst - ensure nulstr is null
terminated"; reverting it fixes the crash.
+ zone_names[chars] = '\0';
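Review bot: the store to zone_names[chars] has no visible bounds check, and index chars is one past the last of the chars name bytes. In the dump above, zone_names sits 8 bytes after types (0x565b98e0 vs 0x565b98d8), chars = 4 and total_size = 12, so the write lands at offset 12. If the buffer is allocated with exactly total_size bytes (the allocation is not shown here, so that is an assumption), this is a one-byte heap overflow, which is consistent with the free(): invalid next size abort in frame #5. Suggest sizing the allocation as total_size + 1 so the terminator has a byte of its own.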
At first sight this smells like writing one past the array boundary,
if chars is the length of a string.
Was there some actual visible bug before this?
Thanks!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
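
The arithmetic behind the report, as an added example (not part of the original message and not systemd's code): it recomputes the buffer layout from the header counts in the dump and checks whether the terminator write fits. The names tz_layout, terminator_fits and TYPE_REC are hypothetical, the 8-byte record size is taken from the pointer difference in the dump, and it assumes the buffer is allocated with exactly total_size bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRANS_W  4u  /* trans_width in the dump */
#define TYPE_REC 8u  /* assumption: i386 type record size (zone_names - types in the dump) */

/* Constructed sample: 44-byte TZif header carrying the counts from the dump. */
static const uint8_t SAMPLE_HDR[44] = {
    [0] = 'T', [1] = 'Z', [2] = 'i', [3] = 'f', [4] = '2',
    [23] = 1,  /* ttisgmtcnt */
    [27] = 1,  /* ttisstdcnt */
    [39] = 1,  /* typecnt */
    [43] = 4,  /* charcnt */
};

struct layout { uint32_t names_off, chars, total; };

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Compute buffer offsets from the header counts; 0 on success, -1 on reject. */
static int tz_layout(const uint8_t *hdr, size_t len, struct layout *out) {
    if (len < 44 || memcmp(hdr, "TZif", 4) != 0) return -1;
    if (be32(hdr + 28) != 0) return -1;  /* leap records: outside this example */
    uint64_t timecnt = be32(hdr + 32), typecnt = be32(hdr + 36), chars = be32(hdr + 40);
    uint64_t off = timecnt * (TRANS_W + 1);   /* transitions plus one index byte each */
    off = (off + 3) & ~(uint64_t)3;           /* align the type records */
    uint64_t names = off + typecnt * TYPE_REC;
    if (names + chars >= UINT32_MAX) return -1;  /* keep total + 1 representable */
    out->names_off = (uint32_t)names;
    out->chars = (uint32_t)chars;
    out->total = (uint32_t)(names + chars);
    return 0;
}

/* 1 if the write zone_names[chars] = '\0' lands inside alloc_size bytes. */
static int terminator_fits(const struct layout *l, uint32_t alloc_size) {
    return (uint64_t)l->names_off + l->chars < alloc_size;
}

int main(void) {
    struct layout l;
    if (tz_layout(SAMPLE_HDR, sizeof SAMPLE_HDR, &l) != 0) return 1;
    printf("names_off=%u total=%u\n", l.names_off, l.total);
    printf("alloc=total   -> fits=%d\n", terminator_fits(&l, l.total));
    printf("alloc=total+1 -> fits=%d\n", terminator_fits(&l, l.total + 1));
    return 0;
}
```

With the dump's counts the terminator offset equals total_size, so it only fits once the allocation reserves one extra byte.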