Bug 176154
Summary: | Possible memory corruption: ioctl overflowed 3rd argument | |
---|---|---|---
Product: | Fedora | Reporter: | Gregory Ruiz-Ade <gkra>
Component: | perl | Assignee: | Jason Vas Dias <jvdias>
Status: | CLOSED NOTABUG | QA Contact: | David Lawrence <dkl>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 4 | CC: | armin, perl-devel
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i386 | |
OS: | Linux | |
URL: | http://www.livejournal.com/users/gkra/23220.html | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2005-12-19 19:24:50 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Gregory Ruiz-Ade
2005-12-19 18:43:25 UTC
This is probably due to the fix for bugzilla bug 171111, rt.perl.org bug #37535, upstream patch #25852. Perl was incorrectly defaulting the ioctl 'length' parameter to 256, and making the length of the ioctl third argument at least that number of bytes long (this caused perl to dump core if the data returned was > 256 bytes).

CDDB_get.pm sets its ioctl third arg to "", and passes NO length argument in the IOCTL number. In perl versions before bug 171111 was fixed, this third argument would have been defaulted to 256 bytes long - this would be OK as long as the string returned is less than 256 bytes - otherwise, a perl core would result.

perl has no way of knowing how long the data returned by ioctl will be - it only knows the length of the ioctl third argument variable, and the length encoded in the ioctl number. So, after it makes the ioctl, it checks that a marker placed at the end of the ioctl third argument variable has not been overwritten - now, in the case of CDDB_get, it has been, since the variable is no longer initialized to 256 bytes in length.

FIX: initialize the variable in CDDB_get.pm to a reasonable length:

---

--- CDDB_get-2.25/CDDB_get.pm~ 2005-06-15 10:55:23.000000000 -0400
+++ CDDB_get-2.25/CDDB_get.pm 2005-12-19 14:22:49.000000000 -0500
@@ -129,7 +129,7 @@ sub read_toc { my $device=shift; - my $tochdr=""; + my $tochdr=chr(0) x 8192; sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!] [$device]"; ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";

---

CDDB_get is not provided in Fedora Core or Fedora Extras - I suggest you raise this issue with the CDDB_get developer.

Ah! Okay, that makes perfect sense, then, as to why it stopped working for the perl module. I will forward this information to the CDDB_get maintainer. Thank you for your reply.

Gregory, this is the maintainer ;-) could you try this patch instead:

--- projects/CDDB_get/CDDB_get.pm Thu Oct 6 08:00:46 2005
+++ CDDB_get.pm Fri Dec 16 08:32:30 2005
@@ -129,7 +129,7 @@ sub read_toc { my $device=shift; - my $tochdr=""; + my $tochdr=" "; sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!] [$device]"; ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";
@@ -184,6 +184,7 @@ my ($min,$sec,$frame); unless($os =~ /BSD/) { $tocentry=pack "CCC", $i,0,$CDROM_MSF; + $tocentry.=" "; ioctl(CD, $CDROMREADTOCENTRY, $tocentry) or die "cannot read track $i info [$!] [$device]"; ($min,$sec,$frame)=unpack "CCCC", substr($tocentry,4,4); } else {

Hi armin -

You need to be certain that the $tochdr / $tocentry variables are of sufficient length to hold the maximum length of data that ioctl could return for these ioctls - are you sure this is only 10 bytes? (I don't have a music CD with me here to test ...)

I think it might be clearer to specify the maximum length explicitly:

...$tochdr = ' 'x10;
...$tocentry.=' 'x10;

Regards,
Jason.

Well, Armin's last patch didn't work for me, but this did:

-----[ cut here ]-----
--- CDDB_get-2.25/CDDB_get.pm~ 2005-06-15 10:55:23.000000000 -0400
+++ CDDB_get-2.25/CDDB_get.pm 2005-12-19 14:22:49.000000000 -0500
@@ -129,7 +129,7 @@ sub read_toc { my $device=shift; - my $tochdr=""; + my $tochdr=chr(0) x 16; sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!] [$device]"; ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";
@@ -184,6 +184,7 @@ my ($min,$sec,$frame); unless($os =~ /BSD/) { $tocentry=pack "CCC", $i,0,$CDROM_MSF; + $tocentry.=chr(0) x 16; ioctl(CD, $CDROMREADTOCENTRY, $tocentry) or die "cannot read track $i info [$!] [$device]"; ($min,$sec,$frame)=unpack "CCCC", substr($tocentry,4,4); } else {
-----[ cut here ]-----

This patch was released as 2.27 on the 1st of January.
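Review bot: in the first `CDDB_get-2.25` patch, `+ my $tochdr=chr(0) x 8192;` picks 8192 without saying what structure CDROMREADTOCHDR fills; an oversized buffer is harmless under the sentinel check described above, but the length should be written as that struct's size with a comment naming it, so the next reader can verify it against the ioctl rather than trust a guess. The hunk also only resizes `$tochdr`; the `$tocentry` buffer passed to CDROMREADTOCENTRY later in the same file (visible as context in the maintainer's patch, where it is still just `pack "CCC", $i,0,$CDROM_MSF` with nothing appended) has the identical problem and is left untouched here.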
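Review bot: in the maintainer's patch, hunk `@@ -129,7 +129,7 @@`, the replacement `+ my $tochdr=" ";` renders here as a single space while the follow-up reply asks whether "only 10 bytes" is enough, so the intended width cannot be read off the page (runs of spaces do not survive rendering or copy and paste). Write the length as a count, `my $tochdr = ' ' x 10;` as Jason suggests in the thread, or better `"\0" x N` with N set to the size of the structure CDROMREADTOCHDR writes and a comment naming that structure.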
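Review bot: in the maintainer's patch, hunk `@@ -184,6 +184,7 @@`, `$tocentry=pack "CCC", $i,0,$CDROM_MSF;` is 3 bytes and the appended `+ $tocentry.=" ";` adds one byte as shown, so the buffer handed to CDROMREADTOCENTRY is 4 bytes, yet the unchanged line `($min,$sec,$frame)=unpack "CCCC", substr($tocentry,4,4);` reads bytes 4 through 7. Whatever padding is appended must bring the buffer to at least 8 bytes, and really to the full size of the entry structure the ioctl writes; otherwise the kernel writes past the scalar and Perl's sentinel check dies with exactly the error in this bug's summary. Append it with an explicit count (`' ' x N`) rather than a whitespace literal.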
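Review bot: in the final `CDDB_get-2.25` patch, `+ my $tochdr=chr(0) x 16;` swaps the earlier 8192 for 16, again with no comment and with no statement anywhere in the thread of the real structure size; record why 16 was chosen (and that it must never drop below the size of the structure CDROMREADTOCHDR fills) so a later edit cannot silently reintroduce the overrun. A named constant shared with the `$tocentry` hunk would also keep the two sizes from drifting apart.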
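Review bot: in the final patch's `@@ -184,6 +184,7 @@` hunk, `+ $tocentry.=chr(0) x 16;` appends 16 NUL bytes to the 3-byte pack, giving 19 bytes, which does cover the `substr($tocentry,4,4)` read on the unchanged line below it, and `.=` after the pack is the right place for the padding since the track and format fields the kernel reads stay at bytes 0 to 2. Only the non-BSD branch is padded, though; the `else` branch is not visible in this hunk, so confirm it sizes its own buffer the same way before shipping.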
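The thread converges on the only fix that does not depend on which default a given Perl applies to the third argument: size the scalar yourself to the structure the kernel will write. The script below is an added example written for this page; it is not CDDB_get's code and not code posted by anyone in the thread. It assumes Linux: the ioctl numbers CDROMREADTOCHDR (0x5305), CDROMREADTOCENTRY (0x5306), CDROM_MSF (0x02) and FIONREAD (0x541B), and the sizes of struct cdrom_tochdr (2 bytes) and struct cdrom_tocentry (12 bytes), are taken from the Linux headers and are assumptions of the example, not facts stated on the page. FIONREAD on a pipe is used only so that the sizing rule can be demonstrated without a CD drive.

```perl
#!/usr/bin/perl
# Added example for this page; not CDDB_get code. Linux-specific (assumed
# ioctl numbers and struct sizes from <linux/cdrom.h> and <asm/ioctls.h>).
use strict;
use warnings;
use Fcntl;

# Old-style ioctl numbers: none of them encodes a length, which is exactly
# why Perl cannot size the 3rd argument for you. The scalar must already be
# as long as the structure the kernel is going to write into it.
use constant CDROMREADTOCHDR   => 0x5305;   # writes struct cdrom_tochdr
use constant CDROMREADTOCENTRY => 0x5306;   # reads/writes struct cdrom_tocentry
use constant CDROM_MSF         => 0x02;     # address format: minute/second/frame
use constant FIONREAD          => 0x541B;   # writes an int: bytes readable

# Struct sizes (assumed, see above). Longer than this is harmless; shorter
# is the overrun this bug is about.
use constant SIZEOF_CDROM_TOCHDR   => 2;    # cdth_trk0, cdth_trk1
use constant SIZEOF_CDROM_TOCENTRY => 12;   # track, adr/ctrl, format, pad, addr[4], datamode, pad[3]

# Return a scalar of exactly $size bytes: the packed request fields in
# $prefix, then NUL padding. Dies if the caller packed more than fits.
sub ioctl_buffer {
    my ($size, $prefix) = @_;
    $prefix = '' unless defined $prefix;
    die "request fields (" . length($prefix) . " bytes) exceed struct size $size\n"
        if length($prefix) > $size;
    return $prefix . ("\0" x ($size - length $prefix));
}

# First and last track numbers from the TOC header.
sub read_toc_header {
    my ($fh) = @_;
    my $hdr = ioctl_buffer(SIZEOF_CDROM_TOCHDR);
    ioctl($fh, CDROMREADTOCHDR, $hdr) or die "CDROMREADTOCHDR failed: $!\n";
    return unpack "CC", $hdr;
}

# (minute, second, frame) of one track. The kernel reads the track number
# (byte 0) and address format (byte 2) and fills cdte_addr at bytes 4..7.
sub read_toc_entry {
    my ($fh, $track) = @_;
    my $entry = ioctl_buffer(SIZEOF_CDROM_TOCENTRY, pack("CCC", $track, 0, CDROM_MSF));
    ioctl($fh, CDROMREADTOCENTRY, $entry) or die "CDROMREADTOCENTRY track $track failed: $!\n";
    return unpack "CCC", substr($entry, 4, 3);
}

# Whole TOC as a list of [track, min, sec, frame], opened the way CDDB_get does.
sub read_toc {
    my ($device) = @_;
    sysopen(my $cd, $device, O_RDONLY | O_NONBLOCK) or die "cannot open $device: $!\n";
    my ($first, $last) = read_toc_header($cd);
    my @toc = map { [ $_, read_toc_entry($cd, $_) ] } $first .. $last;
    close $cd;
    return @toc;
}

# Offline demonstration of the same sizing rule using FIONREAD on a pipe.
sub demo {
    pipe(my $rd, my $wr) or die "pipe: $!\n";
    syswrite($wr, "hello") or die "write: $!\n";

    # Correct: buffer pre-sized to sizeof(int) via pack.
    my $sized = ioctl_buffer(length(pack("i", 0)));
    ioctl($rd, FIONREAD, $sized) or die "FIONREAD failed: $!\n";
    printf "pending bytes, sized buffer: %d\n", unpack("i", $sized);

    # The CDDB_get pattern: an empty scalar. The kernel still writes 4 bytes.
    # What happens depends on the Perl build: the Perl discussed in this bug
    # dies with "Possible memory corruption: ioctl overflowed 3rd argument",
    # other builds pad the scalar for you. Neither is something to rely on.
    my $empty = "";
    eval { ioctl($rd, FIONREAD, $empty) };
    print "pending bytes, empty scalar: ",
        ($@ ? "died: $@" : sprintf("%d\n", unpack("i", $empty)));
}

demo() unless caller;
```

Run it as a script to see the FIONREAD demonstration; for a real drive, call `read_toc('/dev/cdrom')` from the same file. The point of `ioctl_buffer` is that every size is written once, next to the name of the structure it stands for, instead of a bare 16 or 8192 chosen by trial and error.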