Bug 173050

Summary: strace buffer overflow on select
Product: [Fedora] Fedora
Reporter: Dan Hollis <goemon>
Component: strace
Assignee: Roland McGrath <roland>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 4
CC: djuran, ldv
Hardware: x86_64
OS: Linux
Fixed In Version: 4.5.15-1
Doc Type: Bug Fix
Last Closed: 2007-01-17 03:07:34 UTC

Description Dan Hollis 2005-11-13 04:16:04 UTC
Description of problem:
strace crashes when tracing select()

Version-Release number of selected component (if applicable):
strace 4.5.11-1

How reproducible:
always

Steps to Reproduce:
1. strace -p (pid of 32bit application)
Actual results:
strace -p 15313
Process 15313 attached - interrupt to quit
[ Process PID=15313 runs in 32 bit mode. ]
select(22, [0 21], NULL, NULL, {115964116992000, 2097153}*** buffer overflow detected ***: strace terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x3d856dcb6f]
/lib64/libc.so.6[0x3d856dc149]
/lib64/libc.so.6(_IO_default_xsputn+0x86)[0x3d85667b26]
/lib64/libc.so.6(_IO_vfprintf+0xf47)[0x3d85641be7]
/lib64/libc.so.6(__vsprintf_chk+0xa9)[0x3d856dc1f9]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x3d856dc130]
strace[0x408012]
strace[0x405378]
strace[0x4041d0]
/lib64/libc.so.6(__libc_start_main+0xef)[0x3d8561c3cf]
strace[0x401eea]
======= Memory map: ========
00400000-0043e000 r-xp 00000000 09:00 114183                            /usr/bin/strace
0053e000-0053f000 rw-p 0003e000 09:00 114183                            /usr/bin/strace
0053f000-00547000 rw-p 0053f000 00:00 0
0063e000-0063f000 rw-p 0003e000 09:00 114183                            /usr/bin/strace
0063f000-00660000 rw-p 0063f000 00:00 0                                  [heap]
3d85400000-3d8541a000 r-xp 00000000 09:00 110204                        /lib64/ld-2.3.5.so
3d85519000-3d8551a000 r--p 00019000 09:00 110204                        /lib64/ld-2.3.5.so
3d8551a000-3d8551b000 rw-p 0001a000 09:00 110204                        /lib64/ld-2.3.5.so
3d85600000-3d8572d000 r-xp 00000000 09:00 489661                        /lib64/libc-2.3.5.so
3d8572d000-3d8582c000 ---p 0012d000 09:00 489661                        /lib64/libc-2.3.5.so
3d8582c000-3d85830000 r--p 0012c000 09:00 489661                        /lib64/libc-2.3.5.so
3d85830000-3d85832000 rw-p 00130000 09:00 489661                        /lib64/libc-2.3.5.so
3d85832000-3d85836000 rw-p 3d85832000 00:00 0
3d87b00000-3d87b0d000 r-xp 00000000 09:00 114442                        /lib64/libgcc_s-4.0.1-20050727.so.1
3d87b0d000-3d87c0c000 ---p 0000d000 09:00 114442                        /lib64/libgcc_s-4.0.1-20050727.so.1
3d87c0c000-3d87c0d000 rw-p 0000c000 09:00 114442                        /lib64/libgcc_s-4.0.1-20050727.so.1
2aaaaaaab000-2aaaaaaad000 rw-p 2aaaaaaab000 00:00 0
2aaaaaadb000-2aaaaaadd000 rw-p 2aaaaaadb000 00:00 0
7fffffb46000-7fffffb5c000 rw-p 7fffffb46000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]
Aborted

Expected results:
should not crash

Additional info:

Comment 1 Dmitry V. Levin 2005-11-14 22:42:36 UTC
Tracing of 32-bit processes on a 64-bit system is not implemented wrt decoding of
data structures with arch-dependent members.
For example, all syscalls which operate with "struct timeval" will be decoded
incorrectly; select() is just an illustration of the larger problem.

Roland, are we going to deal with this (large) issue somehow?

Comment 2 Dan Hollis 2005-11-14 23:06:38 UTC
Should a 32bit strace be able to trace 32bit processes on a 64bit system under
32bit emulation mode?

If so, the "obvious" solution would be to provide both 32bit and 64bit strace
binaries, and have 64bit strace refuse to trace 32bit processes (and vice versa).

Comment 3 Dmitry V. Levin 2005-11-14 23:21:50 UTC
Yes, 32bit strace is able to trace 32bit processes on a 64bit system under 32bit
emulation mode.

This "obvious" solution will "fix" the bug you reported.

Unfortunately, there are rare cases when this solution won't help:
processes like setarch(8) which call personality(2).

Imagine e.g. "strace setarch i386 select32" where select32 is an arbitrary 32bit
executable which calls select(2).

Comment 4 Dan Hollis 2005-11-14 23:39:52 UTC
Well, it's completely broken right now :P

Seems to me there should be an interim solution provided (however flawed it
might be). Provide 32bit strace on FC4/5 until a "proper" fix can be made?

Comment 5 Dmitry V. Levin 2006-12-13 21:37:05 UTC
Added upstream biarch support for timeval and timespec structs,
should fix select decoding.
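
The decoding problem Dmitry describes in Comment 1, and the biarch fix named just above, in an added C example that is not strace's own code. A `struct timeval` copied out of a tracee is two `long`s, so it occupies 8 bytes in a 32-bit process and 16 bytes in a 64-bit one; decoding an image with the tracer's width instead of the tracee's pulls the neighbouring bytes into the structure. The 16 bytes of tracee memory below are constructed: a 32-bit `{0, 27000}` timeval followed by 8 unrelated bytes, chosen so that the 64-bit misread yields exactly the `{115964116992000, 2097153}` shown in the report (27000 * 2^32 = 115964116992000). The enum, struct and function names are this example's own; it assumes a little-endian tracee, and how strace detects the tracee's personality is outside its scope, so `decode_timeval` takes the word size as a parameter. `format_timeval` writes into a bounded buffer with `snprintf` and reports truncation, the same condition the fortified `sprintf` in the backtrace (`__sprintf_chk` / `__chk_fail`) turned into an abort.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Word size of the tracee: struct timeval { long tv_sec; long tv_usec; }
 * is 8 bytes under a 32-bit personality and 16 bytes under a 64-bit one. */
enum tracee_arch { ARCH_32 = 4, ARCH_64 = 8 };

struct decoded_tv { int64_t tv_sec; int64_t tv_usec; };

/* Constructed tracee memory image (little-endian, as on x86/x86_64):
 * a 32-bit struct timeval {tv_sec = 0, tv_usec = 27000} in the first 8 bytes,
 * followed by 8 bytes that merely happen to sit after it in the tracee.
 * The trailing bytes are chosen to match the second value in the report. */
static const uint8_t tracee_mem[16] = {
    0x00, 0x00, 0x00, 0x00,                          /* tv_sec  = 0              */
    0x78, 0x69, 0x00, 0x00,                          /* tv_usec = 0x6978 = 27000 */
    0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,  /* unrelated neighbour data */
};

/* Read a little-endian integer of `width` bytes and sign-extend it from that width. */
static int64_t read_le_signed(const uint8_t *p, size_t width)
{
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (width == 4)
        return (int64_t)(int32_t)v;   /* 32-bit long: the sign bit is bit 31 */
    return (int64_t)v;
}

/* Decode a struct timeval image using the tracee's long width, not the tracer's. */
static struct decoded_tv decode_timeval(const uint8_t *mem, enum tracee_arch arch)
{
    size_t w = (size_t)arch;
    struct decoded_tv tv;
    tv.tv_sec  = read_le_signed(mem, w);
    tv.tv_usec = read_le_signed(mem + w, w);
    return tv;
}

/* Render the value the way strace prints it, into a bounded buffer.
 * Returns the length the full text needs (snprintf semantics): a result >= outlen
 * means the text was truncated rather than written past the end of `out`. */
static int format_timeval(char *out, size_t outlen, struct decoded_tv tv)
{
    return snprintf(out, outlen, "{%lld, %lld}",
                    (long long)tv.tv_sec, (long long)tv.tv_usec);
}

int main(void)
{
    char buf[64];
    /* Correct decode under the tracee's own (32-bit) personality. */
    format_timeval(buf, sizeof buf, decode_timeval(tracee_mem, ARCH_32));
    printf("32-bit layout: %s\n", buf);   /* {0, 27000} */
    /* Same bytes decoded with the tracer's 64-bit layout: the report's garbage. */
    format_timeval(buf, sizeof buf, decode_timeval(tracee_mem, ARCH_64));
    printf("64-bit layout: %s\n", buf);   /* {115964116992000, 2097153} */
    return 0;
}
```

The two decodes make the fault visible without any tracee: the bytes are identical, only the assumed layout differs. A biarch-aware tracer has to pick the width from the tracee's personality, and its output routine has to bound its writes, because a misdecoded value can be far wider than the caller sized its buffer for.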

Comment 6 Roland McGrath 2007-01-11 11:15:26 UTC
These bugs are fixed upstream in the coming 4.5.15 release.

Comment 7 Roland McGrath 2007-01-17 03:07:34 UTC
4.5.15 in rawhide and in updates for fc5 and fc6 fixes this.