Bug 176154

Summary: Possible memory corruption: ioctl overflowed 3rd argument
Product: Fedora
Reporter: Gregory Ruiz-Ade <gkra>
Component: perl
Assignee: Jason Vas Dias <jvdias>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 4
CC: armin, perl-devel
Hardware: i386
OS: Linux
URL: http://www.livejournal.com/users/gkra/23220.html
Doc Type: Bug Fix
Last Closed: 2005-12-19 19:24:50 UTC

Description Gregory Ruiz-Ade 2005-12-19 18:43:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050921 Red Hat/1.0.7-1.4.1 Firefox/1.0.7

Description of problem:
When using the CDDB_get perl module to extract the CD ID from the compact disc in a CD or DVD drive (IDE, SCSI or FireWire), I get the error "Possible memory corruption: ioctl overflowed 3rd argument at /usr/lib/perl5/site_perl/5.8.5/CDDB_get.pm line 135".  This is in a perl script I wrote to rip & tag MP3s from my CD collection.  I installed the CDDB_get module from CPAN via the cpan2rpm package, which was itself installed via yum from the default Fedora Core 4 repositories.  This operation worked without error on the non-updated FC4 (fresh install).  I realized I hadn't done an update in quite some time, and after using "up2date --update" and restarting the system to boot into the new kernel, this error presented itself.


Version-Release number of selected component (if applicable):
perl-5.8.6-22

How reproducible:
Always

Steps to Reproduce:
1. Install FC4 and all latest updates
2. Install cpan2rpm via up2date or yum
3. Install CDDB_get using cpan2rpm
4. Boot system into init level 3 (to keep X & desktop environs from interfering)
5. Insert an audio CD into the CD drive.
6. Download my cddbtest.pl script (http://www.unnerving.org/projects/bugreports/fc4_perl_ioctl/cddbtest.pl)
  

Actual Results:  script gives this error message:

Possible memory corruption: ioctl overflowed 3rd argument at /usr/lib/perl5/site_perl/5.8.5/CDDB_get.pm line 135.


Expected Results:  Successful read of the CD, followed by output of CDDB info for the inserted audio CD.

Additional info:

Test script, script output and strace: http://www.unnerving.org/projects/bugreports/fc4_perl_ioctl/

Some additional information was provided in one of the comments to my journal entry regarding this issue: http://www.livejournal.com/users/gkra/23220.html

Comment 1 Jason Vas Dias 2005-12-19 19:24:50 UTC
This is probably due to the fix for bugzilla bug 171111, rt.perl.org bug
#37535, upstream patch #25852.

Perl was incorrectly defaulting the ioctl 'length' parameter to 256, and 
making the length of the ioctl third argument at least that number of bytes
long (this caused perl to dump core if the data returned was > 256 bytes).

CDDB_get.pm sets its ioctl third arg to "", and passes NO length argument in
the IOCTL number. 

In perl versions before bug 171111 was fixed, this third argument would have
been defaulted to 256 bytes long - this would be OK as long as the string
returned is less than 256 bytes - otherwise, a perl core would result.

perl has no way of knowing how long the data returned by ioctl will be - it
only knows the length of the ioctl third argument variable, and the length
encoded in the ioctl number.

So, after it makes the ioctl, it checks that a marker placed at the end of
the ioctl third argument variable has not been overwritten - now, in the
case of CDDB_get, it has been, since the variable is no longer initialized
to 256 bytes in length.

FIX: initialize the variable in CDDB_get.pm to a reasonable length:
---
--- CDDB_get-2.25/CDDB_get.pm~  2005-06-15 10:55:23.000000000 -0400
+++ CDDB_get-2.25/CDDB_get.pm   2005-12-19 14:22:49.000000000 -0500
@@ -129,7 +129,7 @@

 sub read_toc {
   my $device=shift;
-  my $tochdr="";
+  my $tochdr=chr(0) x 8192;

   sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!]
[$device]";
   ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";
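Review bot: the `+  my $tochdr=chr(0) x 8192;` line gives no indication of what size the buffer actually has to be, and the surrounding text only calls it "a reasonable length"; since the explanation above says perl can trust nothing but the length of the variable it is handed, tie the value to the size of the structure CDROMREADTOCHDR fills (a named constant with a comment on the structure) rather than an arbitrary round number, so a later reader can confirm it covers the maximum the kernel writes without shrinking it back by accident.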
---

CDDB_get is not provided in Fedora Core or Fedora Extras - I suggest you raise
this issue with the CDDB_get developer.

Comment 2 Gregory Ruiz-Ade 2005-12-19 19:48:16 UTC
Ah!  Okay, that makes perfect sense, then, as to why it stopped working for the
perl module.

I will forward this information to the CDDB_get maintainer.  Thank you for your
reply.

Gregory

Comment 3 Armin Obersteiner 2005-12-19 20:47:29 UTC
this is the maintainer ;-)

could you try this patch instead:

--- projects/CDDB_get/CDDB_get.pm       Thu Oct  6 08:00:46 2005
+++ CDDB_get.pm Fri Dec 16 08:32:30 2005
@@ -129,7 +129,7 @@

 sub read_toc {
   my $device=shift;
-  my $tochdr="";
+  my $tochdr="          ";

   sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!]
[$device]";
   ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";
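Review bot: `+  my $tochdr="          ";` makes the buffer length depend on counting invisible spaces, and nothing in the hunk records why that count was chosen; write it as a repetition with an explicit count (as Comment 4 suggests, `' ' x 10`) and add a comment naming the structure size it must cover, so the length is visible and can be checked against the kernel header.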
@@ -184,6 +184,7 @@
     my ($min,$sec,$frame);
     unless($os =~ /BSD/) {
       $tocentry=pack "CCC", $i,0,$CDROM_MSF;
+      $tocentry.="     ";
       ioctl(CD, $CDROMREADTOCENTRY, $tocentry) or die "cannot read track $i
info [$!] [$device]";
       ($min,$sec,$frame)=unpack "CCCC", substr($tocentry,4,4);
     } else {
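Review bot: after `$tocentry=pack "CCC", $i,0,$CDROM_MSF;` the added `+      $tocentry.="     ";` leaves the buffer at 3 + 5 = 8 bytes, which ends exactly where the `substr($tocentry,4,4)` window read by the next unpack ends; anything the kernel writes past offset 8 lands on the end-of-buffer marker described in Comment 1 and trips the very "ioctl overflowed 3rd argument" check this patch is meant to avoid (Comment 5 reports this version did not work). Pad to the full size of the structure CDROMREADTOCENTRY fills with an explicit count, and consider checking length($tocentry) before the unpack.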

Comment 4 Jason Vas Dias 2005-12-19 21:20:51 UTC
Hi armin -

You need to be certain that the $tochdr / $tocentry variables 
are of sufficient length to hold the maximum length of data that
ioctl could return for these ioctls - are you sure this is only 10 bytes?
( I don't have a music CD with me here to test ...) 
I think it might be clearer to specify the maximum length explicitly:
   ...$tochdr = ' 'x10;
   ...$tocentry.=' 'x10;

Regards,
Jason.
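Taking up the point made in Comment 1 and Comment 4 that the buffer must be as long as the most the ioctl can write and that the length should be stated explicitly, here is an added example (not CDDB_get's or anyone in this thread's code) that sizes both buffers from pack templates mirroring the kernel structures. The struct layouts, padding and ioctl numbers are assumed from linux/cdrom.h on i386/x86_64 and should be checked against your own headers; tocentry_request, parse_tocentry and read_toc are my own sub names.

```perl
# Added example, not CDDB_get's code: size both ioctl buffers from pack
# templates that mirror the kernel structures instead of guessing a length.
use strict; use warnings;
use Fcntl qw(O_RDONLY O_NONBLOCK);
# Assumed from <linux/cdrom.h> on i386/x86_64 (check against your headers):
#   struct cdrom_tochdr   { u8 cdth_trk0; u8 cdth_trk1; }              = 2 bytes
#   struct cdrom_tocentry { u8 track; u8 adr:4,ctrl:4; u8 format; (1 pad)
#                           u8 addr[4]; u8 datamode; (3 pad) }          = 12 bytes
use constant CDROMREADTOCHDR   => 0x5305;
use constant CDROMREADTOCENTRY => 0x5306;
use constant CDROM_MSF         => 0x02;
use constant TOCHDR_TMPL   => 'C C';
use constant TOCENTRY_TMPL => 'C C C x C C C C C x3'; # trk adr/ctrl fmt pad min sec frm rsv mode pad
use constant TOCENTRY_LEN  => length pack(TOCENTRY_TMPL, (0) x 8);   # 12
# Request buffer: input fields filled in, then NUL-padded to the full structure
# size, so the kernel's copy back cannot run past the end of the perl string
# (the case perl's end-of-buffer marker reports as "ioctl overflowed 3rd argument").
sub tocentry_request {
    my ($track) = @_;
    return pack(TOCENTRY_TMPL, $track, 0, CDROM_MSF, (0) x 5);
}
# Decode a filled cdrom_tocentry; refuse anything shorter than the structure.
sub parse_tocentry {
    my ($buf) = @_;
    die sprintf("tocentry too short: %d < %d bytes", length $buf, TOCENTRY_LEN)
        if length($buf) < TOCENTRY_LEN;
    my ($track, undef, undef, $min, $sec, $frame) = unpack(TOCENTRY_TMPL, $buf);
    return { track => $track, min => $min, sec => $sec, frame => $frame };
}
sub read_toc {
    my ($device) = @_;
    sysopen(my $cd, $device, O_RDONLY | O_NONBLOCK) or die "cannot open $device: $!";
    my $hdr = pack(TOCHDR_TMPL, 0, 0);                          # exactly 2 bytes
    ioctl($cd, CDROMREADTOCHDR, $hdr) or die "CDROMREADTOCHDR: $!";
    my ($first, $last) = unpack(TOCHDR_TMPL, $hdr);
    my @toc;
    for my $i ($first .. $last) {
        my $entry = tocentry_request($i);                       # exactly 12 bytes
        ioctl($cd, CDROMREADTOCENTRY, $entry) or die "CDROMREADTOCENTRY($i): $!";
        push @toc, parse_tocentry($entry);
    }
    close $cd;
    return \@toc;
}

# Offline self-check on a constructed 12-byte reply (no drive needed):
my $e = parse_tocentry(pack(TOCENTRY_TMPL, 1, 0x10, CDROM_MSF, 2, 30, 15, 0, 1));
printf "track %d at %02d:%02d.%02d\n", @{$e}{qw(track min sec frame)};
read_toc($ARGV[0]) if @ARGV;                                    # e.g. /dev/cdrom
```

Because each buffer is exactly the structure size, perl's marker check is a genuine safety net rather than something to pad around, and a changed layout shows up as a length error in parse_tocentry instead of silently wrong fields.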

Comment 5 Gregory Ruiz-Ade 2005-12-20 02:19:27 UTC
Well, Armin's last patch didn't work for me, but this did:

-----[ cut here ]-----
--- CDDB_get-2.25/CDDB_get.pm~  2005-06-15 10:55:23.000000000 -0400
+++ CDDB_get-2.25/CDDB_get.pm   2005-12-19 14:22:49.000000000 -0500
@@ -129,7 +129,7 @@

 sub read_toc {
   my $device=shift;
-  my $tochdr="";
+  my $tochdr=chr(0) x 16;

   sysopen (CD,$device, O_RDONLY | O_NONBLOCK) or die "cannot open cdrom [$!] [$device]";
   ioctl(CD, $CDROMREADTOCHDR, $tochdr) or die "cannot read toc [$!] [$device]";@@ -184,6 +184,7 
@@
     my ($min,$sec,$frame);
     unless($os =~ /BSD/) {
       $tocentry=pack "CCC", $i,0,$CDROM_MSF;
+      $tocentry.=chr(0) x 16;
       ioctl(CD, $CDROMREADTOCENTRY, $tocentry) or die "cannot read track $i info [$!] [$device]";
       ($min,$sec,$frame)=unpack "CCCC", substr($tocentry,4,4);
     } else {
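Review bot: the `chr(0) x 16` padding on both `+` lines is reported to work, but like the 8192 in Comment 1 it is a guessed size with no comment saying what it has to cover; `$tocentry` becomes 3 + 16 = 19 bytes after the `pack "CCC"` line, and nothing records that this exceeds the structure CDROMREADTOCENTRY fills. Put the two sizes behind named constants with a comment on the structures they stand in for (Comment 4's explicit-length suggestion), so the next maintainer does not trim them back to the 8 bytes the `substr($tocentry,4,4)` unpack appears to need.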
-----[ cut here ]-----

Comment 6 Armin Obersteiner 2006-01-09 09:50:11 UTC
this patch was released as 2.27 on 1st of January