Bug 247864

Summary: nvram sysfs attribute violates read() semantics
Product: Red Hat Enterprise Linux 5
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
Reporter: Bryn M. Reeves <bmr>
Assignee: Bryn M. Reeves <bmr>
CC: bmr
Status: CLOSED WONTFIX
Severity: low
Priority: low
Doc Type: Bug Fix
Last Closed: 2014-06-02 13:18:40 UTC

Description Bryn M. Reeves 2007-07-11 19:18:44 UTC
Description of problem:
Current development version of udevinfo seems to have a stack buffer overflow:

# udevinfo -ap /block/sdb &> udevinfo.out
*** stack smashing detected ***: udevinfo terminated
Aborted (core dumped)

Version-Release number of selected component (if applicable):

How reproducible:
100% on this system

Steps to Reproduce:
1. Run "udevinfo -ap" on an entry in /sys/block, e.g.:
# udevinfo -ap /block/sdb
Actual results:

Expected results:
*** stack smashing detected ***: udevinfo terminated
Aborted (core dumped)

Additional info:
Always seems to die at:

  looking at parent device

Comment 1 Bryn M. Reeves 2007-07-11 19:22:55 UTC
#0  0x00002aaaab154045 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00002aaaab154045 in raise () from /lib64/libc.so.6
#1  0x00002aaaab155ae0 in abort () from /lib64/libc.so.6
#2  0x00002aaaab18c1bb in __libc_message () from /lib64/libc.so.6
#3  0x00002aaaab2071df in __stack_chk_fail () from /lib64/libc.so.6
#4  0x0000555555558f12 in sysfs_attr_get_value (
    devpath=0x8 <Address 0x8 out of bounds>, attr_name=0x55556e446140 "�_DnUU")
    at udev_sysfs.c:399
#5  0x0000000000000000 in ?? ()

Comment 2 Bryn M. Reeves 2007-07-11 20:13:12 UTC
Sorry Harald - this is the kernel's doing, not udev:

read(8, "ISP \1\0\1\0\6\244\0\10\0\1\0\1\10\1!\0\0\340\213\217#"..., 128) = 256
close(8)                                = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 8

Comment 3 Bryn M. Reeves 2007-07-11 20:14:56 UTC
Attempting to read 128 bytes from this attribute:


Actually reads 256 bytes into the buffer in userspace. Oops:

read(8, "ISP \1\0\1\0\6\244\0\10\0\1\0\1\10\1!\0\0\340\213\217#"..., 128) = 256
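
The contract violation in the strace line above (a 128-byte request that returns 256), modelled in user space as an added example. This is not the qla2xxx driver code or anything from the original report; the handler names, the 256-byte `NVRAM_SIZE` and the buffer contents are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define NVRAM_SIZE 256                            /* constructed: matches the 256 returned above */
static unsigned char nvram[NVRAM_SIZE] = "ISP ";  /* constructed sample contents */

typedef ssize_t (*read_fn)(unsigned char *dst, size_t off, size_t count);

/* Models the observed behaviour: count is ignored and the whole attribute is
 * copied. In this model dst must hold NVRAM_SIZE bytes so the demo stays in bounds. */
static ssize_t nvram_read_unclamped(unsigned char *dst, size_t off, size_t count)
{
    (void)count;
    if (off >= NVRAM_SIZE)
        return 0;
    memcpy(dst, nvram + off, NVRAM_SIZE - off);
    return (ssize_t)(NVRAM_SIZE - off);
}

/* Honours read() semantics: never more than count bytes, 0 at end of attribute. */
static ssize_t nvram_read_clamped(unsigned char *dst, size_t off, size_t count)
{
    if (off >= NVRAM_SIZE)
        return 0;
    if (count > NVRAM_SIZE - off)
        count = NVRAM_SIZE - off;
    memcpy(dst, nvram + off, count);
    return (ssize_t)count;
}

/* Contract check a test harness can apply to any read-style return value. */
static int read_contract_violated(ssize_t ret, size_t count)
{
    return ret > 0 && (size_t)ret > count;
}

/* Issues a 128-byte request; the tail of buf carries a guard pattern.
 * Returns 1 if the guard was overwritten or the return value exceeds the request. */
static int request_128_overruns(read_fn fn)
{
    unsigned char buf[NVRAM_SIZE];
    size_t i, want = 128;
    memset(buf, 0xA5, sizeof(buf));
    ssize_t ret = fn(buf, 0, want);
    for (i = want; i < sizeof(buf); i++)
        if (buf[i] != 0xA5) return 1;
    return read_contract_violated(ret, want);
}

int main(void) { return !request_128_overruns(nvram_read_unclamped); }
```

A caller with a 128-byte stack buffer has no guard region, so the unclamped handler's extra bytes land on whatever follows the buffer, which is what the stack protector caught in udevinfo.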

Comment 4 Bryn M. Reeves 2007-07-11 20:15:32 UTC
Seeing this on 2.6.18-32.el5 x86_64

Comment 5 Bryn M. Reeves 2007-07-11 20:34:03 UTC
Bug still upstream:

commit 459c537807bd72cce7b007fb218bb5a658a6c3c1
Author: Andrew Vasquez <andrew.vasquez@qlogic.com>
Date:   Wed Jul 6 10:31:07 2005 -0700

    [SCSI] qla2xxx: Add ISP24xx flash-manipulation routines.
    Add ISP24xx flash-manipulation routines.
    Add read/write flash manipulation routines for the ISP24xx.
    Update sysfs NVRAM objects to use generalized accessor
    Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
    Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Comment 7 Harald Hoyer 2007-07-13 10:04:37 UTC
Then reassign to kernel.

Comment 8 Bryn M. Reeves 2007-07-17 15:12:14 UTC
Weird - I had, but for some reason Bugzilla decided to ignore that.

Comment 10 RHEL Product and Program Management 2014-03-07 13:44:16 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 11 RHEL Product and Program Management 2014-06-02 13:18:40 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).