Bug 159418
| Field | Value |
|---|---|
| Summary | sfdisk unusable - crashes immediately on invocation |
| Product | Red Hat Enterprise Linux 4 |
| Reporter | Avi Kivity <avi> |
| Component | util-linux |
| Assignee | Karel Zak <kzak> |
| Status | CLOSED ERRATA |
| QA Contact | Ben Levenson <benl> |
| Severity | high |
| Priority | medium |
| Version | 4.0 |
| CC | chris.ricker, hno, oliva, steven |
| Hardware | i386 |
| OS | Linux |
| Fixed In Version | RHBA-2005-669 |
| Doc Type | Bug Fix |
| Last Closed | 2005-10-05 16:53:49 UTC |
| Bug Blocks | 156320, 156322 |
Description
Avi Kivity
2005-06-02 15:17:46 UTC
can you install the debuginfo of the package to get a more useful backtrace? it's a bit sparse due to optimization.

the __chk_fail() is inside an inlined fgets(), which might have been called from read_stdin():

```c
/* read a line from stdin */
lp = fgets(line+2, linesize, stdin);
```

shouldn't that be linesize-2?

```
#0  0x00aef402 in __kernel_vsyscall ()
#1  0x007a31fc in raise () from /lib/libc.so.6
#2  0x007a4958 in abort () from /lib/libc.so.6
#3  0x007d82ea in __libc_message () from /lib/libc.so.6
#4  0x00859415 in __chk_fail () from /lib/libc.so.6
#5  0x0804c563 in read_partition (dev=0xbfa53c24 "/tmp/empty", interactive=1, pno=0, ep=0x0, z=0x80587c0) at /usr/include/bits/stdio2.h:106
#6  0x0804d805 in do_fdisk (dev=0xbfa53c24 "/tmp/empty") at sfdisk.c:2287
#7  0x0804eaba in main (argc=2, argv=0xbfa51e24) at sfdisk.c:2685
#8  0x0078fde6 in __libc_start_main () from /lib/libc.so.6
#9  0x08048dc1 in _start ()
```

changed summary and severity, this is unrelated to the mbr. sfdisk /dev/sda crashes just as well.

I can reproduce it in FC4. But if I rebuild the same .src.rpm in FC3 it doesn't crash.

FC4: crashes (glibc-2.3.5-9)
FC3: works fine (glibc-2.3.5-0.fc3.1, gcc-3.4.3-22.fc3)

Note: sfdisk binary compiled by gcc-3.4 works fine on FC4.

it's the new gcc/glibc guard thing which traps overflows. AFAICT this is a real buffer overflow.

I see it now. It's really ugly code. I have to read your report more carefully next time. Thanks for the report!

*** Bug 160284 has been marked as a duplicate of this bug. ***

is this being worked on? I can (try to) produce a patch if necessary.

The patch is pretty simple and it will be available in the next util-linux update as soon as possible (this week).

Fixed in FC4 (util-linux-2.12p-9.5) and FC3 (util-linux-2.12a-24.3) updates.

verified.

Created attachment 116622 [details]
bug fix patch

Is RHEL 3 using the gcc based buffer overflow protections (mudflap) enabled by default on FC4 packages? It is not enabled on FC3 packages I think. The error will go unnoticed if this option is not enabled in the compiler flags when the binary was built, as without the overflow protection instrumentation the potential misuse of the input buffer is not noticed. The actual error as such is mostly harmless as sfdisk is rarely given untrusted data as input. It is also possible (but not very likely) the error only shows up in later versions of sfdisk. The original report was on util-linux-2.12p-9.3 while you tested util-linux-2.11y-31.6.

Oops, wrong reference. It's the glibc FORTIFY_SOURCE protection triggering here, not mudflap. (-D_FORTIFY_SOURCE=2 compiler option).

Yes, the original buffer overflow was detected in FC4 by new glibc. But the code with the bug in sfdisk is __same__ in FC4 and RHEL3|4. So the fix of this code in RHEL is really good prevention. It's really clear and pretty visible. See the patch:

```diff
- lp = fgets(line+2, linesize, stdin);
+ lp = fgets(line+2, linesize-2, stdin);
```

See also "QE ack" comment #16. I can show you this buffer overflow by gdb, but it's extra work if we already know that the bug is there.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2005-626.html

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2005-669.html
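The bound arithmetic behind this report, as an added example that is not code from util-linux or from the bug's participants: `fgets_overrun()` shows why the original `fgets(line+2, linesize, stdin)` can write two bytes past a `linesize` buffer (the pair of bytes `__chk_fail` traps under `-D_FORTIFY_SOURCE=2`), and `read_line_fixed()` applies the patched `linesize-2` bound and is checked against guard bytes placed after the buffer, much as glibc's fortified `fgets` checks the object size. `LINESIZE`, `read_line_fixed`, `fgets_overrun` and `fixed_read_stays_in_bounds` are this example's own names.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LINESIZE 16   /* small buffer so the edge case is easy to see (example value) */

/* Bytes fgets() may write past the end of a buf_size-byte buffer when it is
 * handed a pointer at `offset` and a length argument of `n`: fgets(p, n, f)
 * stores at most n bytes (n-1 characters plus the terminating NUL). */
size_t fgets_overrun(size_t buf_size, size_t offset, size_t n) {
    size_t end = offset + n;
    return end > buf_size ? end - buf_size : 0;
}

/* Corrected equivalent of the sfdisk read_stdin() call: the line buffer has
 * LINESIZE bytes, the first two are reserved, so fgets() may use LINESIZE-2.
 * Returns the number of characters stored after the reserved bytes (not
 * counting the NUL), or -1 at end of input. */
int read_line_fixed(FILE *in, char line[LINESIZE]) {
    line[0] = ' ';
    line[1] = ' ';
    char *lp = fgets(line + 2, LINESIZE - 2, in);   /* the patched bound */
    if (lp == NULL)
        return -1;
    return (int)strlen(line + 2);
}

/* Feeds a constructed over-long line through read_line_fixed() and checks
 * that the two guard bytes placed directly after the buffer are untouched.
 * Returns 1 if the read stayed in bounds, 0 otherwise. */
int fixed_read_stays_in_bounds(void) {
    struct { char line[LINESIZE]; char guard[2]; } buf;   /* guard follows line */
    memset(buf.guard, 0x7f, sizeof buf.guard);

    char input[64];                 /* constructed input: 40 'x' then newline */
    memset(input, 'x', 40);
    input[40] = '\n';
    input[41] = '\0';

    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return 0;
    int n = read_line_fixed(in, buf.line);
    fclose(in);

    /* only LINESIZE-3 characters fit after the reserved bytes and before the NUL */
    return n == LINESIZE - 3 && buf.guard[0] == 0x7f && buf.guard[1] == 0x7f;
}
```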