Bug 153685

Summary: initlog may read past end of buffer
Product: [Fedora] Fedora
Reporter: Seth Robertson <in-redhat>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 3
CC: rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-04-05 18:17:40 UTC
Bug Blocks: 143575, 145411
Attachments: Patch to resolve problem (flags: none)

Description Seth Robertson 2005-04-04 23:28:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2

Description of problem:
You allocate 8k, read 8k, and then in getline read bytes without
bounding the size of data.  If you actually did read 8k, then you can
read over the end of the array.


Version-Release number of selected component (if applicable):
initscripts-7.93.5-1 and CVS HEAD

How reproducible:
Always

Steps to Reproduce:
1. valgrind --tool=memcheck ./initlog -q -c "yes a very very very very very long even large string which will be printed very often"


Actual Results:
==30387== Invalid read of size 1
==30387==    at 0x1B904747: memcpy (mac_replace_strmem.c:300)
==30387==    by 0x804971E: getLine (initlog.c:139)
==30387==    by 0x804ADB9: monitor (process.c:211)
==30387==    by 0x804B2F7: runCommand (process.c:315)
==30387==  Address 0x1BC7C6A8 is 0 bytes after a block of size 8192 alloc'd
==30387==    at 0x1B90540D: calloc (vg_replace_malloc.c:176)
==30387==    by 0x804AC52: monitor (process.c:191)
==30387==    by 0x804B2F7: runCommand (process.c:315)
==30387==    by 0x804A5B4: processArgs (initlog.c:426)


Additional info:

Patch in a few moments (stupid bugzilla)
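An added illustration of the defect class the report describes, not initlog's code (the report quotes no source and the attached patch is not shown here): a hypothetical line scanner that stops only at '\n', beside a bounded one that takes the byte count actually read and so can never look past the allocation. The function names, the small monitor-style loop and the constructed 8192-byte chunk with no newline are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 8192   /* same size as the block valgrind reports in the bug */

/* Unbounded scan (hypothetical, mirrors the reported defect class): stops
 * only at '\n'. If the read filled the buffer to capacity without one, the
 * loop walks off the end of the allocation, which is exactly the
 * "Invalid read of size 1 ... 0 bytes after a block of size 8192" shape.
 * Only safe when a '\n' is known to lie inside the buffer. */
size_t line_len_unbounded(const char *buf) {
    size_t n = 0;
    while (buf[n] != '\n')
        n++;
    return n;
}

/* Bounded scan: is told how many bytes were actually read and never looks
 * beyond them. Returns the line length (bytes before '\n') and sets *found.
 * If no newline lies within len, *found is 0 and the caller must keep the
 * partial line and read more rather than scanning further. */
size_t line_len_bounded(const char *buf, size_t len, int *found) {
    const char *nl = memchr(buf, '\n', len);
    if (nl == NULL) { *found = 0; return len; }
    *found = 1;
    return (size_t)(nl - buf);
}

/* Monitor-style consumer: counts complete lines in one chunk and reports
 * how many trailing bytes form a partial line to carry into the next read. */
size_t count_lines_bounded(const char *buf, size_t len, size_t *leftover) {
    size_t lines = 0, off = 0;
    while (off < len) {
        int found;
        size_t n = line_len_bounded(buf + off, len - off, &found);
        if (!found) break;
        lines++;
        off += n + 1;  /* step over the newline */
    }
    *leftover = len - off;
    return lines;
}

/* Constructed input: an 8192-byte block filled completely by one long line
 * with no newline, reproducing the condition described in the report. */
char *make_full_chunk(void) {
    char *buf = calloc(BUFSZ, 1);
    if (!buf) return NULL;
    memset(buf, 'a', BUFSZ);
    return buf;
}

int main(void) {
    char *buf = make_full_chunk();
    if (!buf) return 1;
    size_t leftover;
    size_t lines = count_lines_bounded(buf, BUFSZ, &leftover);
    printf("complete lines: %zu, partial bytes carried over: %zu\n", lines, leftover);
    /* line_len_unbounded(buf) on this chunk would be the over-read valgrind flagged. */
    free(buf);
    return 0;
}
```

The bounded version reports zero complete lines and 8192 leftover bytes for the full chunk, which is the signal the caller needs to keep buffering; the unbounded version has no way to return that answer and simply keeps reading.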

Comment 1 Seth Robertson 2005-04-04 23:29:24 UTC
Created attachment 112693 [details]
Patch to resolve problem

Comment 2 Bill Nottingham 2005-04-05 18:17:40 UTC
You shouldn't look at that code, it's bad for you. :)

Added in CVS, thanks.