
dmalloc stack overflow #7

Open drok opened 4 years ago

drok commented 4 years ago

When running the unit test base.buffer.kitchen-sink.test with dmalloc 5.5.2 and cmocka 1.0.1, the following stack overflow happens when the test ends. The backtrace shows unbounded recursion: `_dmalloc_die` formats its "halting program" message through `loc_snprintf`/`vsnprintf`, glibc's `vfprintf` internally calls `free(NULL)`, that call is intercepted by dmalloc's `free` → `dmalloc_free` → `dmalloc_in` heap check, which fails and re-enters `_dmalloc_die`:

__kernel_vsyscall () at null:
raise () at null:
abort () at null:
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:657
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffcbb8 \"\\304\\263\\362\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffd3c8 \"\\304\\263\\362\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffdbd8 \"\\304\\263\\362\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\", args=0xbfffe3e8 \"\\304\\263\\362\\267mx\\376\\267\\304\\357\\377\\267D\\351\\377\\277\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xb7f9e140 \"debug-malloc library: halting program, fatal error\\r\\n\", buf_size=1024, format=0xb7f2b484 \"debug-malloc library: %s program, fatal error\\r\\n\") at /tmp/dmalloc/compat.c:171
_dmalloc_die (silent_b=0) at /tmp/dmalloc/error.c:635
dmalloc_in (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, check_heap_b=1) at /tmp/dmalloc/malloc.c:510
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:965
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
vsnprintf () at null:
loc_vsnprintf (buf=0xbfffed00 \"ra=0xb7dc880e\", buf_size=164, format=0xb7f2ac28 \"ra=%#lx\", args=0xbfffebf8 \"\\016\\210\\334\\267\") at /tmp/dmalloc/compat.c:143
loc_snprintf (buf=0xbfffed00 \"ra=0xb7dc880e\", buf_size=164, format=0xb7f2ac28 \"ra=%#lx\") at /tmp/dmalloc/compat.c:171
_dmalloc_chunk_desc_pnt (buf=0xbfffed00 \"ra=0xb7dc880e\", buf_size=164, file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0) at /tmp/dmalloc/chunk.c:1935
_dmalloc_chunk_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, user_pnt=0x0, func_id=17) at /tmp/dmalloc/chunk.c:2550
dmalloc_free (file=0xb7dc880e \"\\213\\215l\\373\\377\\377\\211\\f$\\350\\270b\\375\\377f\\203>\", line=0, pnt=0x0, func_id=17) at /tmp/dmalloc/malloc.c:974
free (pnt=0x0) at /tmp/dmalloc/malloc.c:1368
vfprintf () at null:
__vsnprintf_chk () at null:
vprint_message () at null:
print_message () at null:
_cmocka_run_group_tests () at null:
main (argc=2, argv=0xbffffb54) at u:\proj/openvpn/tests/unit/buffer/test.c:421

In order to stop `_dmalloc_die` from looping forever, I instrumented it with an entry counter that calls `abort()` once the function has been entered more than four times (`++loop_detect > 4`):

diff --git a/error.c b/error.c
index 86a3fbe..c87e5b6 100644
--- a/error.c
+++ b/error.c
@@ -619,7 +619,10 @@ void       _dmalloc_die(const int silent_b)
 {
   char *stop_str;
   int  len;
-
+       static loop_detect = 0;
+       if (++loop_detect > 4)
+                abort();
+
   if (! silent_b) {
     if (BIT_IS_SET(_dmalloc_flags, DEBUG_ERROR_ABORT)) {
       stop_str = "dumping";
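Review bot: `static loop_detect = 0;` on the added line declares the counter with an implicit `int`, which C99 dropped and GCC reports under `-Wimplicit-int` (a hard error in C23); it should read `static int loop_detect = 0;`. The three added lines are also indented more deeply (apparently with a tab) than the two-space body around them, so the hunk does not match the file's style. This guard only caps the recursion visible in the backtrace (`_dmalloc_die` → `vsnprintf` → libc `vfprintf` → `free(NULL)` → `dmalloc_in` → `_dmalloc_die`); calling the host `snprintf` from the error path is still re-entrant through dmalloc's own `free` hook, so the original chunk error being described appears never to get reported before the abort. `_dmalloc_die`'s body continues past the end of this hunk.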

The host OS is CentOS 6 (32-bit) with the following packages matching `*libc*` installed:

vzdummy-glibc-2.12-1.7.el6.noarch
libcmocka-devel-1.0.1-1.el6.i686
glibc-2.12-1.209.el6_9.2.i686
glibc-common-2.12-1.209.el6_9.2.i686
libcmocka-1.0.1-1.el6.i686
libcgroup-0.40.rc1-24.el6_9.i686
glibc-devel-2.12-1.209.el6_9.2.i686
drok commented 4 years ago

Reported to upstream dmalloc project as j256/dmalloc#4

j256 commented 3 years ago

This has hopefully been fixed with an implementation of snprintf: https://github.com/j256/dmalloc/commit/313cd9581cf8a1c3cac76354662bf2eaa529ced1