https://bugs.openldap.org/show_bug.cgi?id=10198
Issue ID: 10198
Summary: Crash in mdb_strerr on Windows
Product: LMDB
Version: unspecified
Hardware: All
OS: Windows
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: liblmdb
Assignee: bugs@openldap.org
Reporter: b.koch@beckhoff.com
Target Milestone: ---
The call to FormatMessageA in mdb_strerr crashes on Windows 10 for error code 112 (disk full).
Its "Arguments" parameter is an invalid pointer. The documentation says that the parameter should be ignored because of FORMAT_MESSAGE_IGNORE_INSERTS but my copy of Windows disagrees. Documentation for FormatMessageA: https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-forma...
The error is (with addresses replaced by <...>): Exception thrown at <RtlFormatMessageEx> (ntdll.dll) in ConsoleApplication1.exe: 0xC0000005: Access violation reading location <buf+8*1024>.
Trivial fix: Change the last parameter to NULL (in this call: https://github.com/LMDB/lmdb/blob/8645e92b937794c06f0c66dfae64e425a085b6cd/l...)
Bug 8361 is raising some additional issues in this code and it implies that the va_list is somehow related to the padding hack (but I don't understand how that is, to be honest), so I'm not sure whether the trivial fix would be fine.
Here is some code to reproduce the crash outside of liblmdb (tested with Visual Studio 2022, x86 and x64, C++ console project):
#include <iostream>
#include <windows.h>

int main()
{
    std::cout << "Hello World!\n";

    char buf[1024];
    // Deliberately mirrors the LMDB call: the cast scales the "+ 1024" by
    // sizeof(va_list), so the Arguments pointer lands well past the end of buf.
    FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                   NULL, 112, 0, buf, sizeof(buf), (va_list*)buf + 1024);
    char* msg = buf;
    std::cout << msg;
}
Benjamin Koch b.koch@beckhoff.com changed:
           What    |Removed            |Added
----------------------------------------------------------------------------
           Hardware|All                |x86_64
--- Comment #1 from Benjamin Koch b.koch@beckhoff.com ---

I think this mostly affects x64 (x86_64). My test program crashes for both but its buffer doesn't have the same padding. "sizeof(va_list)" is 4 bytes on 32-bit ("x86", i386), so the pointer falls within the padded buffer (5 KiB). It is 8 bytes on x64, so the pointer is outside of the buffer and exactly where the access violation is reported.
I have seen the real crash in LMDB only with x64 because my program won't fit into 32-bit address space, i.e. I cannot (easily) test this with 32-bit.
(The crash isn't completely reliable. My test program usually crashes but not always. It seems to be fine if I add enough padding. That's why I think that 32-bit might not see the crash. However, I cannot really be sure that it wouldn't crash if the previous contents of the uninitialized buffer were just right.)
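The offset arithmetic from comment #1, carried out as an added C example (not code from the report or from LMDB): it shows why casting buf to va_list * before adding MSGSIZE advances 4 KiB on x86 but 8 KiB on x64, and checks each result against the 1 KiB buffer plus 4 KiB pad. Treating the pad as lying directly after the buffer is an assumption about the stack layout, and the x86/x64 sizeof(va_list) values are the ones stated in the comment.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Sizes from the thread: LMDB's 1 KiB message buffer and its 4 KiB pad. */
enum { MSGSIZE = 1024, PAD = 4096 };

/* Byte offset that `(va_list *)buf + count` really advances by.  Pointer
 * arithmetic is scaled by the pointee size, so casting the char buffer to
 * va_list * *before* adding count multiplies the step by sizeof(va_list). */
size_t cast_then_add_offset(size_t count, size_t va_list_size)
{
    return count * va_list_size;
}

/* Byte offset of `(va_list *)(buf + count)`: adding first keeps the step in
 * bytes.  Included only to contrast the two forms; the fix adopted in the
 * thread is to pass NULL, since the argument is unused with IGNORE_INSERTS. */
size_t add_then_cast_offset(size_t count)
{
    return count;
}

/* Does an offset from buf still fall inside buf plus the pad?  Assumes the
 * pad sits directly after buf, the layout comment #1 reasons about; the
 * compiler is free to place the two arrays differently. */
bool inside_buf_and_pad(size_t offset)
{
    return offset < (size_t)(MSGSIZE + PAD);
}

int main(void)
{
    /* sizeof(va_list) on the two targets named in comment #1. */
    struct { const char *arch; size_t va; } targets[] = { {"x86", 4}, {"x64", 8} };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        size_t off = cast_then_add_offset(MSGSIZE, targets[i].va);
        printf("%s: (va_list*)buf + %d -> buf + %zu bytes: %s\n",
               targets[i].arch, MSGSIZE, off,
               inside_buf_and_pad(off) ? "inside buf+pad"
                                       : "past buf+pad (where the access violation is reported)");
    }
    printf("(va_list*)(buf + %d) -> buf + %zu bytes\n", MSGSIZE, add_then_cast_offset(MSGSIZE));
    printf("sizeof(va_list) on this host: %zu\n", sizeof(va_list));
    return 0;
}
```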
--- Comment #2 from Howard Chu hyc@openldap.org ---

I'm traveling at the moment and it's not convenient for me to spin up a Windows VM to check this right now, but changing the last argument to NULL looks like a perfectly good fix so far. Will check later.
--- Comment #3 from Howard Chu hyc@openldap.org ---

Your test program isn't a valid test because the pointer you're passing is actually not pointing to any valid memory, whereas the LMDB code is pointing to a properly allocated stack buffer.
Regardless, that parameter really isn't needed, and should just be NULL.
Howard Chu hyc@openldap.org changed:
           What    |Removed            |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED        |RESOLVED
         Resolution|---                |TEST

--- Comment #4 from Howard Chu hyc@openldap.org ---

fixed in git
--- Comment #5 from Benjamin Koch b.koch@beckhoff.com ---

Thanks :-)
Yes, you are right: my test program isn't valid. I was just lucky to reproduce the same crash with that. The compiler was free to rewrite it to anything due to undefined behaviour.
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed            |Added
----------------------------------------------------------------------------
   Target Milestone|---                |0.9.33
           Keywords|needs_review       |
           Assignee|bugs@openldap.org  |hyc@openldap.org
Quanah Gibson-Mount quanah@openldap.org changed:
           What    |Removed            |Added
----------------------------------------------------------------------------
         Resolution|TEST               |FIXED
--- Comment #6 from Quanah Gibson-Mount quanah@openldap.org ---

head:
d3ae7c36 by Howard Chu at 2024-04-04T07:17:35+01:00
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org ---

err, that should be re09