Bug 133482
| Field | Value |
|---|---|
| Summary | segfault with 'ifconfig' |
| Product | Fedora |
| Component | glibc |
| Version | rawhide |
| Hardware | All |
| OS | Linux |
| Status | CLOSED RAWHIDE |
| Severity | high |
| Priority | medium |
| Reporter | Enrico Scholz <rh-bugzilla> |
| Assignee | Jakub Jelinek <jakub> |
| QA Contact | Brian Brock <bbrock> |
| CC | drepper |
| Doc Type | Bug Fix |
| Last Closed | 2004-09-29 01:47:56 UTC |
| Bug Blocks | 123268, 133652 |
Description
Enrico Scholz
2004-09-24 11:51:54 UTC
afais, 'i' will never be increased in the related

| 1559 for (i = 0, q = p; q != NULL; ++i, last = q, q = q->ai_next)

loop. So the

| 1572 memcpy (&results[i].source_addr, &results[i - 1].source_addr,
| 1573         results[i - 1].source_addr_len);

operation will be called with i==0 and 'result[-1]' will be accessed.

Forget the last comment; I missed the '++i'. But gdb shows that 'i' stays at '0'. valgrind says (both on working and non-working machines):

# valgrind --tool=memcheck ifconfig
==9706== Conditional jump or move depends on uninitialised value(s)
==9706==    at 0x1B9DA9C9: getaddrinfo (getaddrinfo.c:1572)
==9706==    by 0x804CA12: (within /sbin/ifconfig)
==9706==    by 0x804ED88: (within /sbin/ifconfig)
==9706==    by 0x804FA71: (within /sbin/ifconfig)
==9706==
==9706== Use of uninitialised value of size 4
==9706==    at 0x1B9DA9E2: getaddrinfo (getaddrinfo.c:1572)
==9706==    by 0x804CA12: (within /sbin/ifconfig)
==9706==    by 0x804ED88: (within /sbin/ifconfig)
==9706==    by 0x804FA71: (within /sbin/ifconfig)

When line 1579

| int fd = __socket (q->ai_family, SOCK_DGRAM, IPPROTO_IP);

or (more likely) line 1583

| if (__connect (fd, q->ai_addr, q->ai_addrlen) == 0

fails, 'result[i].source_addr_len' will not be initialized and

| memcpy (&results[i].source_addr, &results[i - 1].source_addr,
|         results[i - 1].source_addr_len);

in the next loop will use uninitialized data.

Created attachment 104317 [details]
prevent copying uninitialized memory

This patch should avoid the copying of uninitialized memory (and possibly buffer overflows). But I still see uninitialized memory reads in valgrind; they are reported in ifconfig itself.

Actually, the fix is enough for the valgrind messages in ifconfig. What I saw was just valgrind not being able to cope with ld.so being used as a program. The bug can be closed once we have a new glibc binary with the patch.

Fixed in current rawhide.
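The failure path the report describes, as an added stand-alone example that is not glibc's code and not the patch attached to this bug: a simulation of the results[] loop in getaddrinfo(), with the probe at the quoted lines 1579-1583 replaced by a constructed probe_source() that either fills in a source address or touches nothing. The field names (dest_addr, source_addr, source_addr_len) mirror the quoted lines; ADDR_LEN, MAX_RESULTS, POISON_LEN, probe_source() and the input builder are invented for the demonstration, and the modeled fix (write source_addr_len = 0 whenever the probe fails) is an assumption about what the attachment does, not a quote from it.

```c
/* Added example: simulates the results[] loop from the bug report.
   Not glibc's code and not the attached patch; see lead-in for assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN    16        /* assumed fixed-size address buffer */
#define MAX_RESULTS 8
#define POISON_LEN  0x4141u   /* stands in for whatever garbage the stack holds */

/* Stand-in for one struct addrinfo entry in the list being sorted. */
struct addr {
    unsigned char bytes[ADDR_LEN];
    size_t len;
    bool probe_ok;   /* constructed: would socket()/connect() succeed for it? */
};

/* Stand-in for glibc's per-entry sort record (field names as quoted). */
struct sort_result {
    const struct addr *dest_addr;
    unsigned char source_addr[ADDR_LEN];
    size_t source_addr_len;
};

/* Stand-in for the __socket()/__connect()/getsockname() sequence: on
   success it writes the source address and its length; on failure it
   writes nothing, which is what leaves source_addr_len stale. */
static bool probe_source(const struct addr *q, unsigned char *out, size_t *out_len)
{
    if (!q->probe_ok)
        return false;
    memset(out, 0xAA, q->len);   /* constructed local address */
    *out_len = q->len;
    return true;
}

static bool same_addr(const struct addr *a, const struct addr *b)
{
    return a != NULL && a->len == b->len
        && memcmp(a->bytes, b->bytes, b->len) == 0;
}

/* fixed == false reproduces the bug; fixed == true applies the assumed fix.
   A copy length larger than the buffer is counted and clamped instead of
   being allowed to overflow, so the return value (number of such copies)
   tells you whether uninitialized memory would have been copied. */
int run_sort_loop(const struct addr *list, size_t n, bool fixed)
{
    struct sort_result results[MAX_RESULTS];
    const struct addr *last = NULL;
    int bad_copies = 0;

    if (n > MAX_RESULTS)
        n = MAX_RESULTS;

    /* Make the "uninitialized" array deterministic for the demonstration. */
    for (size_t k = 0; k < MAX_RESULTS; ++k)
        results[k].source_addr_len = POISON_LEN;

    for (size_t i = 0; i < n; ++i) {
        const struct addr *q = &list[i];
        results[i].dest_addr = q;

        if (same_addr(last, q)) {
            /* Reuse branch (quoted lines 1572-1573): the length is taken
               from the previous entry whether or not its probe succeeded. */
            size_t len = results[i - 1].source_addr_len;
            if (len > ADDR_LEN) {
                ++bad_copies;   /* the real memcpy would read and write out of bounds here */
                len = 0;
            }
            memcpy(results[i].source_addr, results[i - 1].source_addr, len);
            results[i].source_addr_len = len;
        } else {
            bool ok = probe_source(q, results[i].source_addr,
                                   &results[i].source_addr_len);
            if (!ok && fixed)
                results[i].source_addr_len = 0;   /* assumed fix: never leave it stale */
        }
        last = q;
    }
    return bad_copies;
}

/* Constructed input: the same address listed twice, as getaddrinfo()
   returns it once per socket type; probe_ok models whether the host is
   reachable (connect() succeeds) or not. */
int demo_duplicate_pair(bool probe_ok, bool fixed)
{
    struct addr pair[2];
    memset(pair, 0, sizeof pair);
    memset(pair[0].bytes, 0x0A, 4);
    pair[0].len = 4;
    pair[0].probe_ok = probe_ok;
    pair[1] = pair[0];
    return run_sort_loop(pair, 2, fixed);
}

int main(void)
{
    printf("unpatched, unreachable: %d bad copies\n", demo_duplicate_pair(false, false));
    printf("patched,   unreachable: %d bad copies\n", demo_duplicate_pair(false, true));
    printf("unpatched, reachable:   %d bad copies\n", demo_duplicate_pair(true, false));
    return 0;
}
```

The invariant the example checks is the one valgrind is complaining about at getaddrinfo.c:1572: every results[i].source_addr_len must be written on every path through iteration i before iteration i+1 can read it. When the probe fails for a duplicated address, the unpatched loop copies with a poisoned length; the patched loop copies zero bytes. The real glibc fix should be read from attachment 104317 rather than inferred from this simulation.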