I accidentally ran into this while grepping a kernel tree for the string 'all rights reserved':

$ cat /etc/redhat-release CentOS release 4.4 (Final) $ uname -m i686 $ rpm -q grep grep-2.5.1-32.2 $ wget http://www.few.vu.nl/~buytenh/zImage.grep.heap.corruption $ grep -i "all rights reserved" zImage.grep.heap.corruption *** glibc detected *** free(): invalid next size (normal): 0x08c8a168 *** Aborted $

Backtrace looks somewhat like this: #0 0x00abc7a2 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2 #1 0x00afc7a5 in raise () from /lib/tls/libc.so.6 #2 0x00afe209 in abort () from /lib/tls/libc.so.6 #3 0x00b3071a in __libc_message () from /lib/tls/libc.so.6 #4 0x00b36fbf in _int_free () from /lib/tls/libc.so.6 #5 0x00b3733a in free () from /lib/tls/libc.so.6 #6 0x00b7ece0 in re_search_internal () from /lib/tls/libc.so.6 #7 0x00b811b3 in re_search_stub () from /lib/tls/libc.so.6 #8 0x00b81623 in re_search () from /lib/tls/libc.so.6 #9 0x080546df in ?? () #10 0x090cc970 in ?? () #11 0x090d4e15 in ?? () #12 0x00000450 in ?? () #13 0x00000000 in ?? ()

- I can reproduce this on three different CentOS 4.4 x86 installs. - It doesn't happen on x86_64 CentOS 4.4, nor on x86 FC6. - It doesn't trigger if you search without '-i'. - It doesn't trigger with any random search string. - There seems to be something special about the length of the string, as I can also trigger it with a 19-byte (same length) string of just a's, but not with a 18 byte or 20 byte string.

$ grep -i "aaaaaaaaaaaaaaaaaaa" zImage.grep.heap.corruption *** glibc detected *** free(): invalid next size (normal): 0x09651f50 *** Aborted

Can anyone else reproduce this as well?