Bug 1343809

Summary: like mdadm --detail --scan causes SIGABRT
Product: Red Hat Enterprise Linux 6
Reporter: nikhil kshirsagar <nkshirsa>
Component: mdadm
Assignee: Jes Sorensen <Jes.Sorensen>
Status: CLOSED ERRATA
QA Contact: guazhang <guazhang>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 6.7
CC: amote, bhu, cww, dledford, Jes.Sorensen, jmagrini, mnavrati, tlavigne, xni, yizhan
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: mdadm-3.3.4-4.el6
Doc Type: No Doc Update
Doc Text:
The command "mdadm --detail --scan" will cause an error if the device name that it needs to store is larger than 20 characters. To address this issue, a check was added for the device name length. If a long device name is used, the command will fail and a log message will be generated.
Story Points: ---
Clone Of:
: 1347749 1347808
Environment:
Last Closed: 2017-03-21 08:58:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1269194, 1346447, 1347749, 1347808
Attachments (Description: Flags):
core: none
mdadm packages installed: none
sosreport: none
logs: none
2nd core: none

Description nikhil kshirsagar 2016-06-08 03:31:54 UTC
Created attachment 1165816 [details]
core

Description of problem:
Basic mdadm commands (like mdadm --detail --scan) cause SIGABRT

Version-Release number of selected component (if applicable):
mdadm-3.3.4-1.el6

How reproducible:
No reproducer in-house.



Additional info:

mdadm is segfaulting for commands like mdadm --detail --scan /dev/md0

Here's the valgrind trace I have collected after installing the debuginfo on the customer system.


[root@ocztest ken]# valgrind mdadm --detail --scan /dev/md0
==28382== Memcheck, a memory error detector
==28382== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==28382== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==28382== Command: mdadm --detail --scan /dev/md0
==28382== 
**28382** *** strcpy_chk: buffer overflow detected ***: program terminated
==28382==    at 0x4A0AC53: VALGRIND_PRINTF_BACKTRACE (valgrind.h:4550)
==28382==    by 0x4A0AE10: __strcpy_chk (mc_replace_strmem.c:1192)
==28382==    by 0x44FE58: sysfs_read (string3.h:105)
==28382==    by 0x41CDF9: Detail (Detail.c:106)
==28382==    by 0x405ED2: main (mdadm.c:1747)
==28382== 
==28382== HEAP SUMMARY:
==28382==     in use at exit: 34,170 bytes in 29 blocks
==28382==   total heap usage: 34 allocs, 5 frees, 35,900 bytes allocated
==28382== 
==28382== LEAK SUMMARY:
==28382==    definitely lost: 0 bytes in 0 blocks
==28382==    indirectly lost: 0 bytes in 0 blocks
==28382==      possibly lost: 33,232 bytes in 2 blocks
==28382==    still reachable: 938 bytes in 27 blocks
==28382==         suppressed: 0 bytes in 0 blocks
==28382== Rerun with --leak-check=full to see details of leaked memory
==28382== 
==28382== For counts of detected and suppressed errors, rerun with: -v
==28382== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)

Some extra info I asked them to collect:

[root@ocztest ~]# mdadm -I /dev/md0
mdadm: no recognisable superblock on /dev/md0.
[root@ocztest ~]# 

[root@ocztest dev]# mdadm -vv --detail /dev/md0
*** buffer overflow detected ***: mdadm terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3a93f026d7]
/lib64/libc.so.6[0x3a93f005c0]
mdadm[0x44fe59]
mdadm[0x41cdfa]
mdadm[0x405ed3]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3a93e1ed1d]
mdadm[0x402ce9]
======= Memory map: ========
00400000-0046e000 r-xp 00000000 fd:00 2764808                            /sbin/mdadm
0066e000-00675000 rw-p 0006e000 fd:00 2764808                            /sbin/mdadm
00675000-00688000 rw-p 00000000 00:00 0 
01ece000-01eef000 rw-p 00000000 00:00 0                                  [heap]
3a93a00000-3a93a20000 r-xp 00000000 fd:00 262152                         /lib64/ld-2.12.so
3a93c1f000-3a93c21000 r--p 0001f000 fd:00 262152                         /lib64/ld-2.12.so
3a93c21000-3a93c22000 rw-p 00021000 fd:00 262152                         /lib64/ld-2.12.so
3a93c22000-3a93c23000 rw-p 00000000 00:00 0 
3a93e00000-3a93f8a000 r-xp 00000000 fd:00 262174                         /lib64/libc-2.12.so
3a93f8a000-3a9418a000 ---p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418a000-3a9418e000 r--p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418e000-3a94190000 rw-p 0018e000 fd:00 262174                         /lib64/libc-2.12.so
3a94190000-3a94194000 rw-p 00000000 00:00 0 
3a98a00000-3a98a16000 r-xp 00000000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98a16000-3a98c15000 ---p 00016000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98c15000-3a98c16000 rw-p 00015000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
7f44b0369000-7f44b036c000 rw-p 00000000 00:00 0 
7f44b0383000-7f44b0385000 rw-p 00000000 00:00 0 
7ffc9f708000-7ffc9f71d000 rw-p 00000000 00:00 0                          [stack]
7ffc9f7f2000-7ffc9f7f3000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
[root@ocztest dev]# 

execve("/sbin/mdadm", ["mdadm", "--detail", "/dev/md0"], [/* 54 vars */]) = 0
brk(0)                                  = 0x88e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff832496000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=94345, ...}) = 0
mmap(NULL, 94345, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff83247e000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\356\341\223:\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1930416, ...}) = 0
mmap(0x3a93e00000, 3750184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a93e00000
mprotect(0x3a93f8a000, 2097152, PROT_NONE) = 0
mmap(0x3a9418a000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x3a9418a000
mmap(0x3a94190000, 14632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3a94190000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff83247d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff83247c000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff83247b000
arch_prctl(ARCH_SET_FS, 0x7ff83247c700) = 0
mprotect(0x3a9418a000, 16384, PROT_READ) = 0
mprotect(0x3a93c1f000, 8192, PROT_READ) = 0
munmap(0x7ff83247e000, 94345)           = 0
getpid()                                = 2326
brk(0)                                  = 0x88e000
brk(0x8af000)                           = 0x8af000
open("/etc/mdadm.conf", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("/etc/mdadm/mdadm.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/mdadm.conf.d", O_RDONLY)     = -1 ENOENT (No such file or directory)
uname({sys="Linux", node="ocztest", ...}) = 0
geteuid()                               = 0
open("/dev/md0", O_RDONLY)              = 3
uname({sys="Linux", node="ocztest", ...}) = 0
fstat(3, {st_mode=S_IFBLK|0660, st_rdev=makedev(9, 0), ...}) = 0
ioctl(3, RAID_VERSION, 0x7fffd8dbec00)  = 0
ioctl(3, RAID_VERSION, 0x7fffd8dbcb40)  = 0
fstat(3, {st_mode=S_IFBLK|0660, st_rdev=makedev(9, 0), ...}) = 0
readlink("/sys/dev/block/9:0", "../../devices/virtual/block/md0", 199) = 31
open("/sys/block/md0/md/metadata_version", O_RDONLY) = 4
read(4, "1.2\n", 1024)                  = 4
close(4)                                = 0
open("/sys/block/md0/md/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
fcntl(4, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
getdents(4, /* 35 entries */, 32768)    = 1200
open("/sys/block/md0/md/dev-oczpcie_23_0_ssd/slot", O_RDONLY) = 5
read(5, "1\n", 1024)                    = 2
close(5)                                = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 5
writev(5, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"mdadm", 5}, {" terminated\n", 12}], 5*** buffer overflow detected ***: mdadm terminated
) = 51
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff832495000
open("/etc/ld.so.cache", O_RDONLY)      = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=94345, ...}) = 0
mmap(NULL, 94345, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7ff832463000
close(6)                                = 0
open("/lib64/libgcc_s.so.1", O_RDONLY)  = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20)\240\230:\0\0\0"..., 832) = 832
fstat(6, {st_mode=S_IFREG|0755, st_size=93320, ...}) = 0
mmap(0x3a98a00000, 2186584, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x3a98a00000
mprotect(0x3a98a16000, 2093056, PROT_NONE) = 0
mmap(0x3a98c15000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x15000) = 0x3a98c15000
close(6)                                = 0
munmap(0x7ff832463000, 94345)           = 0
write(5, "======= Backtrace: =========\n", 29======= Backtrace: =========
) = 29
writev(5, [{"/lib64/libc.so.6", 16}, {"(", 1}, {"__fortify_fail", 14}, {"+0x", 3}, {"37", 2}, {")", 1}, {"[0x", 3}, {"3a93f026d7", 10}, {"]\n", 2}], 9/lib64/libc.so.6(__fortify_fail+0x37)[0x3a93f026d7]
) = 52
writev(5, [{"/lib64/libc.so.6", 16}, {"[0x", 3}, {"3a93f005c0", 10}, {"]\n", 2}], 4/lib64/libc.so.6[0x3a93f005c0]
) = 31
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"44fe59", 6}, {"]\n", 2}], 4mdadm[0x44fe59]
) = 16
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"41cdfa", 6}, {"]\n", 2}], 4mdadm[0x41cdfa]
) = 16
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"405ed3", 6}, {"]\n", 2}], 4mdadm[0x405ed3]
) = 16
writev(5, [{"/lib64/libc.so.6", 16}, {"(", 1}, {"__libc_start_main", 17}, {"+0x", 3}, {"fd", 2}, {")", 1}, {"[0x", 3}, {"3a93e1ed1d", 10}, {"]\n", 2}], 9/lib64/libc.so.6(__libc_start_main+0xfd)[0x3a93e1ed1d]
) = 55
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"402ce9", 6}, {"]\n", 2}], 4mdadm[0x402ce9]
) = 16
write(5, "======= Memory map: ========\n", 29======= Memory map: ========
) = 29
open("/proc/self/maps", O_RDONLY)       = 6
read(6, "00400000-0046e000 r-xp 00000000 "..., 1024) = 1024
write(5, "00400000-0046e000 r-xp 00000000 "..., 102400400000-0046e000 r-xp 00000000 fd:00 2764808                            /sbin/mdadm
0066e000-00675000 rw-p 0006e000 fd:00 2764808                            /sbin/mdadm
00675000-00688000 rw-p 00000000 00:00 0 
0088e000-008af000 rw-p 00000000 00:00 0                                  [heap]
3a93a00000-3a93a20000 r-xp 00000000 fd:00 262152                         /lib64/ld-2.12.so
3a93c1f000-3a93c21000 r--p 0001f000 fd:00 262152                         /lib64/ld-2.12.so
3a93c21000-3a93c22000 rw-p 00021000 fd:00 262152                         /lib64/ld-2.12.so
3a93c22000-3a93c23000 rw-p 00000000 00:00 0 
3a93e00000-3a93f8a000 r-xp 00000000 fd:00 262174                         /lib64/libc-2.12.so
3a93f8a000-3a9418a000 ---p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418a000-3a9418e000 r--p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418e000-3a94190000 rw-p 0018e000 fd:00 262174                         /lib64/libc-2.12.so
3a94190000-3a94194000 rw-p 00000000 00:00 0) = 1024
read(6, " \n3a98a00000-3a98a16000 r-xp 000"..., 1024) = 672
write(5, " \n3a98a00000-3a98a16000 r-xp 000"..., 672 
3a98a00000-3a98a16000 r-xp 00000000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98a16000-3a98c15000 ---p 00016000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98c15000-3a98c16000 rw-p 00015000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
7ff83247b000-7ff83247e000 rw-p 00000000 00:00 0 
7ff832495000-7ff832497000 rw-p 00000000 00:00 0 
7fffd8daf000-7fffd8dc4000 rw-p 00000000 00:00 0                          [stack]
7fffd8dd5000-7fffd8dd6000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
) = 672
read(6, "", 1024)                       = 0
close(6)                                = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(2326, 2326, SIGABRT)             = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2326, si_uid=0} ---
+++ killed by SIGABRT (core dumped) +++
Aborted (core dumped)
[root@ocztest dev]# 

Attaching core and their mdadm installed packages list to the bz.

Comment 1 nikhil kshirsagar 2016-06-08 03:32:44 UTC
Created attachment 1165817 [details]
mdadm packages installed

Comment 2 nikhil kshirsagar 2016-06-08 03:33:51 UTC
Created attachment 1165818 [details]
sosreport

Comment 3 nikhil kshirsagar 2016-06-08 03:35:25 UTC
Created attachment 1165819 [details]
logs

Comment 8 nikhil kshirsagar 2016-06-08 05:16:44 UTC
Created attachment 1165827 [details]
2nd core

Comment 10 nikhil kshirsagar 2016-06-08 05:30:26 UTC
(gdb) frame 7
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0", c=0x7fffe35ef590) at Detail.c:106
106		sra = sysfs_read(fd, NULL, GET_VERSION|GET_DEVS);

(gdb) info locals
fd = 3
vers = 9003
array = {major_version = 0, minor_version = 0, patch_version = 0, ctime = 0, level = 0, size = 0, nr_disks = 0, raid_disks = 0, md_minor = 0, not_persistent = 0, utime = 0, state = 0, active_disks = 0, working_disks = 0, 
  failed_disks = 0, spare_disks = 0, layout = 0, chunk_size = 0}
disks = <value optimized out>
next = <value optimized out>
d = <value optimized out>
atime = <value optimized out>
str = <value optimized out>
devices = 0x0
max_devices = 0
n_devices = 0
spares = 0
stb = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {
    tv_sec = 0, tv_nsec = 0}, __unused = {0, 0, 0}}
is_26 = 1
is_rebuilding = 0
failed = 0
st = <value optimized out>
subarray = 0x0
max_disks = 27
info = 0x0
sra = <value optimized out>
subdev = <value optimized out>
member = 0x0
container = 0x0
rv = 1
avail_disks = 0
avail = 0x0
external = <value optimized out>
inactive = <value optimized out>

(gdb) p sra
$1 = <value optimized out>

(gdb) where
#0  0x0000003a93e325e5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003a93e33dc5 in abort () at abort.c:92
#2  0x0000003a93e704f7 in __libc_message (do_abort=2, fmt=0x3a93f578cf "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x0000003a93f026d7 in __fortify_fail (msg=0x3a93f57875 "buffer overflow detected") at fortify_fail.c:32
#4  0x0000003a93f005c0 in __chk_fail () at chk_fail.c:29
#5  0x000000000044fe59 in strcpy (fd=<value optimized out>, devnm=<value optimized out>, options=<value optimized out>) at /usr/include/bits/string3.h:105
#6  sysfs_read (fd=<value optimized out>, devnm=<value optimized out>, options=<value optimized out>) at sysfs.c:272
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0", c=0x7fffe35ef590) at Detail.c:106
#8  0x0000000000405ed3 in misc_list (argc=<value optimized out>, argv=<value optimized out>) at mdadm.c:1747
#9  main (argc=<value optimized out>, argv=<value optimized out>) at mdadm.c:1425
(gdb) frame 8
#8  0x0000000000405ed3 in misc_list (argc=<value optimized out>, argv=<value optimized out>) at mdadm.c:1747
1747				rv |= Detail(dv->devname, c);

(gdb) frame 7
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0", c=0x7fffe35ef590) at Detail.c:106
106		sra = sysfs_read(fd, NULL, GET_VERSION|GET_DEVS);
(gdb) print *c
$2 = {readonly = 0, runstop = 0, verbose = 0, brief = 0, force = 0, homehost = 0x7fffe35ef800 "ocztest", require_homehost = 1, prefer = 0x0, export = 0, test = 0, subarray = 0x0, update = 0x0, scan = 0, SparcAdjust = 0, autof = 0, 
  delay = 0, freeze_reshape = 0, backup_file = 0x0, invalid_backup = 0, action = 0x0}
(gdb)

Comment 11 nikhil kshirsagar 2016-06-08 05:46:15 UTC
(gdb) frame 6
#6  sysfs_read (fd=<value optimized out>, devnm=<value optimized out>, options=<value optimized out>) at sysfs.c:272
272			strcpy(dev->sys_name, de->d_name);
(gdb) info locals
ep = 0x0
fname = "/sys/block/md0/md/dev-oczpcie_23_0_ssd/slot", '\000' <repeats 3597 times>, "x\317^\343\377\177\000\000\005\000\000\000\000\000\000\000\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000x\317^\343\377\177\000\000\002\000\000\000\000\000\000\000\006\000\000\000\000\000\000\000\020@T\001\000\000\000\000\000\371^\343\377\177\000\000\000\000\000\000\000\000\000\000O\377@", '\000' <repeats 13 times>, "\b\320^\343\377\177\000\000Linux", '\000' <repeats 60 times>, "ocztest", '\000' <repeats 58 times>, "2.6.32-642.el6.x86_64", '\000' <repeats 44 times>, "#1 S"...
buf = "1", '\000' <repeats 4094 times>
base = <value optimized out>
dbase = 0x7fffe35ec107 "slot"
sra = <value optimized out>
dev = 0x154c630
devp = 0x15445b8
dir = 0x15445f0
de = 0x1544860
(gdb) print *dev
$7 = {array = {major_version = 0, minor_version = 0, patch_version = 0, ctime = 0, level = 0, size = 0, nr_disks = 0, raid_disks = 0, md_minor = 0, not_persistent = 0, utime = 0, state = 0, active_disks = 0, working_disks = 0, 
    failed_disks = 0, spare_disks = 0, layout = 0, chunk_size = 0}, disk = {number = 0, major = 0, minor = 0, raid_disk = 0, state = 0}, events = 0, uuid = {0, 0, 0, 0}, name = '\000' <repeats 32 times>, data_offset = 0, 
  new_data_offset = 0, component_size = 0, custom_array_size = 0, reshape_active = 0, reshape_progress = 0, recovery_blocked = 0, space_before = 0, space_after = 0, {resync_start = 0, recovery_start = 0}, bitmap_offset = 0, 
  safe_mode_delay = 0, new_level = 0, delta_disks = 0, new_layout = 0, new_chunk = 0, errors = 0, cache_size = 0, mismatch_cnt = 0, text_version = '\000' <repeats 49 times>, container_member = 0, container_enough = 0, 
  sys_name = "dev-oczpcie_23_0_ssd", devs = 0x0, next = 0x0, recovery_fd = 0, state_fd = 0, prev_state = 0, curr_state = 0, next_state = 0}
(gdb) print *de
$8 = {d_ino = 14458, d_off = 14471, d_reclen = 40, d_type = 4 '\004', 
  d_name = "dev-oczpcie_23_0_ssd\000\207\070\000\000\000\000\000\000\264\070\000\000\000\000\000\000(\000\004dev-oczpcie_11_0_ssd\000\264\070\000\000\000\000\000\000\265\070\000\000\000\000\000\000 \000\bsync_action\000\b\265\070\000\000\000\000\000\000\266\070\000\000\000\000\000\000(\000\blast_sync_action\000\000\000\000\b\266\070\000\000\000\000\000\000\267\070\000\000\000\000\000\000 \000\bmismatch_cnt\000\267\070\000\000\000\000\000\000\270\070\000\000\000\000\000\000(\000\bsync_speed_min\000\000\000\000\000\000\b\270\070\000\000\000\000\000\000\271"...}
(gdb) 

The line that causes the fault is "sysfs.c" line 272

                strcpy(dev->sys_name, de->d_name);

de->d_name doesn't appear to be null terminated?


(gdb) ptype dev
type = struct mdinfo {
    mdu_array_info_t array;
    mdu_disk_info_t disk;
    __u64 events;
    int uuid[4];
    char name[33];
    long long unsigned int data_offset;
    long long unsigned int new_data_offset;
    long long unsigned int component_size;
    long long unsigned int custom_array_size;
    int reshape_active;
    long long unsigned int reshape_progress;
    int recovery_blocked;
    long long unsigned int space_before;
    long long unsigned int space_after;
    union {
        long long unsigned int resync_start;
        long long unsigned int recovery_start;
    };
    long int bitmap_offset;
    long unsigned int safe_mode_delay;
    int new_level;
    int delta_disks;
    int new_layout;
    int new_chunk;
    int errors;
    long unsigned int cache_size;
    int mismatch_cnt;
    char text_version[50];
    int container_member;
    int container_enough;
    char sys_name[20];             <--- just 20 chars.
    struct mdinfo *devs;
    struct mdinfo *next;
    int recovery_fd;
    int state_fd;
    int prev_state;
    int curr_state;
    int next_state;
} *
(gdb)
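
The copy analysed in comment 11, with a length check of the kind the Doc Text describes, as an added C example that is not mdadm's code: the 20-character name needs 21 bytes with its NUL, one more than sys_name[20] holds. The cut-down struct mdinfo_min and all function names are hypothetical; the entry names are the ones visible in the gdb dump of de->d_name.

```c
/* Added example, not mdadm source; struct and function names are hypothetical. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>

#define SYS_NAME_LEN 20 /* char sys_name[20] in the ptype output */

struct mdinfo_min { char sys_name[SYS_NAME_LEN]; }; /* only the field that overflowed */

/* Bytes strcpy() writes for this name, terminating NUL included. */
size_t bytes_needed(const char *d_name) { return strlen(d_name) + 1; }

/* Checked stand-in for strcpy(dev->sys_name, de->d_name): reject and log a
 * name that does not fit. Returns 0 on success, -1 when it is too long. */
int copy_sys_name(struct mdinfo_min *dev, const char *d_name)
{
    size_t need = bytes_needed(d_name);
    if (need > sizeof(dev->sys_name)) {
        fprintf(stderr, "device name %s needs %zu bytes, buffer holds %zu\n",
                d_name, need, sizeof(dev->sys_name));
        return -1;
    }
    memcpy(dev->sys_name, d_name, need);
    return 0;
}

/* 1 if name is a "dev-*" member entry that needs more than cap bytes. */
int is_oversized_member(const char *name, size_t cap)
{
    return strncmp(name, "dev-", 4) == 0 && bytes_needed(name) > cap;
}

/* Entry names visible in the gdb dump of de->d_name above. */
static const char *const page_names[] = {
    "dev-oczpcie_23_0_ssd", "dev-oczpcie_11_0_ssd", "sync_action",
    "last_sync_action", "mismatch_cnt", "sync_speed_min",
};

/* Count oversized members among the names taken from the page. */
int count_page_names(size_t cap)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(page_names) / sizeof(page_names[0]); i++)
        n += is_oversized_member(page_names[i], cap);
    return n;
}

/* Same count over a real directory such as /sys/block/md0/md; -1 on error. */
int count_dir(const char *md_dir, size_t cap)
{
    DIR *dir = opendir(md_dir);
    struct dirent *de;
    int n = 0;
    if (!dir)
        return -1;
    while ((de = readdir(dir)) != NULL)
        n += is_oversized_member(de->d_name, cap);
    closedir(dir);
    return n;
}

int main(int argc, char **argv)
{
    int n = argc > 1 ? count_dir(argv[1], SYS_NAME_LEN) : count_page_names(SYS_NAME_LEN);
    printf("%d member name(s) do not fit in %d bytes\n", n, SYS_NAME_LEN);
    return n != 0;
}
```

Run with a directory argument to check a live array's member names; with a cap of 32 bytes, the size comment 22 reports for mdadm-3.3.4-4.el6, none of the page's names is flagged.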

Comment 22 guazhang@redhat.com 2016-10-25 07:28:52 UTC
The size of the array has been changed to 32 bytes in mdadm.h on mdadm-3.3.4-4.el6
From https://bugzilla.redhat.com/show_bug.cgi?id=1347808#c14, customer has verified this fix.

thanks 
Guazhang

Comment 24 errata-xmlrpc 2017-03-21 08:58:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0569.html