Bug 2208579
| Summary: | rpm-git-tag-sort-1.0-12.fc39 FTBFS: ./test: buffer overflow detected | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Pisar <ppisar> |
| Component: | rpm-git-tag-sort | Assignee: | Copr Team <copr-team> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | praiskup |
| Target Milestone: | --- | Keywords: | Patch |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-01 08:43:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2168842 | ||
Description
Petr Pisar
2023-05-19 15:48:08 UTC
It's the second invocation of ./main in ./test which crashes:

```
$ gdb --args ./main testx tag
[...]
(gdb) bt
#0  0x00007ffff7a8f6d4 in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00007ffff7a3e71e in raise () from /lib64/libc.so.6
#2  0x00007ffff7a2687f in abort () from /lib64/libc.so.6
#3  0x00007ffff7a27750 in __libc_message.cold () from /lib64/libc.so.6
#4  0x00007ffff7b22a99 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff7b22454 in __chk_fail () from /lib64/libc.so.6
#6  0x00007ffff7b23e55 in __strcpy_chk () from /lib64/libc.so.6
#7  0x0000000000401dcd in strcpy (__src=0x538fe0 "tag-10-1", __dest=0x7fffffffde50 "") at /usr/include/bits/string_fortified.h:79
#8  rpm_is_lower_than (tag2_name=0x538fe0 "tag-10-1", tag1_name=0x52d700 "tag-9-1") at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:134
#9  add_to_result (e_idx=<optimized out>, e=<optimized out>, tag_idx=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:219
#10 visit (c=<optimized out>, visited_ptr=visited_ptr@entry=0x7fffffffe230, name=<optimized out>, repo=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:304
#11 0x0000000000402191 in visit (c=0x535da0, visited_ptr=visited_ptr@entry=0x7fffffffe230, name=<optimized out>, repo=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:271
#12 0x0000000000402191 in visit (c=0x532bd0, visited_ptr=visited_ptr@entry=0x7fffffffe230, name=<optimized out>, repo=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:271
#13 0x0000000000401560 in main (argc=<optimized out>, argv=<optimized out>) at /home/test/fedora/rpm-git-tag-sort/rpm-git-tag-sort/main.c:432
```

The problem is that here:
```c
    /* copy tag names */
    char tag1_name_cpy[strlen(tag1_name) + 1];
    char tag2_name_cpy[strlen(tag1_name) + 1];
    strcpy(tag1_name_cpy, tag1_name);
->  strcpy(tag2_name_cpy, tag2_name);
```
tag2_name_cpy is too short to hold tag2_name:
```
(gdb) p tag1_name
$1 = 0x52d700 "tag-9-1"
(gdb) p tag2_name
$2 = 0x538fe0 "tag-10-1"
```
It looks like a typo in tag2_name_cpy[] definition.
I proposed a fix at <https://pagure.io/rpm-git-tag-sort/pull-request/3>. The fix was merged by the upstream. RPM maintainers need to rebuild this package against a new rpm-4.19. This bug prevents them from doing so. Could you please apply the fix? If you don't have time, I can do it instead of you.

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Thank you for the report and hints. I've built the fixed packages in Rawhide:

rpm-git-tag-sort: https://koji.fedoraproject.org/koji/buildinfo?buildID=2267612
rpkg-macros: https://koji.fedoraproject.org/koji/buildinfo?buildID=2253802
rpkg-util: https://koji.fedoraproject.org/koji/buildinfo?buildID=2253810
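Added example, not code from rpm-git-tag-sort or from the pull request: it reproduces the sizing mistake from the snippet above arithmetically (so nothing actually overflows), shows the presumed one-token fix (sizing `tag2_name_cpy` from `tag2_name`, which the page describes as a typo but does not show), and uses a bounded copy so that a repeat of the same mistake is reported instead of aborting the process via `__strcpy_chk`. Function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed reproduction of the bug: the second VLA was sized from
 * tag1_name, so it is too short whenever tag2_name is longer. Returns how
 * many bytes strcpy() would have written past the end of tag2_name_cpy
 * (0 = no overflow). Computed without touching any buffer. */
size_t overflow_bytes_in_buggy_copy(const char *tag1_name, const char *tag2_name)
{
    size_t buf_size = strlen(tag1_name) + 1;   /* sizeof tag2_name_cpy in the bug */
    size_t needed   = strlen(tag2_name) + 1;   /* bytes strcpy() really writes */
    return needed > buf_size ? needed - buf_size : 0;
}

/* Fixed pattern: each buffer is sized from its own source string, and the
 * copy is bounded by sizeof (evaluated at run time for a VLA). snprintf()
 * returns the length it wanted to write, so truncation is detectable.
 * Returns 1 when both copies are intact, -1 if either would have truncated. */
int copy_tags_checked(const char *tag1_name, const char *tag2_name)
{
    char tag1_name_cpy[strlen(tag1_name) + 1];
    char tag2_name_cpy[strlen(tag2_name) + 1];   /* was: strlen(tag1_name) + 1 */

    int n1 = snprintf(tag1_name_cpy, sizeof tag1_name_cpy, "%s", tag1_name);
    int n2 = snprintf(tag2_name_cpy, sizeof tag2_name_cpy, "%s", tag2_name);
    if (n1 < 0 || (size_t)n1 >= sizeof tag1_name_cpy) return -1;
    if (n2 < 0 || (size_t)n2 >= sizeof tag2_name_cpy) return -1;

    return strcmp(tag1_name_cpy, tag1_name) == 0 &&
           strcmp(tag2_name_cpy, tag2_name) == 0;
}

/* Same wrong sizing as the original, but with a bounded copy: the mismatch
 * becomes a reported error (-1) instead of a stack smash. Returns 0 when the
 * undersized buffer happened to be large enough. */
int buggy_sizing_but_bounded(const char *tag1_name, const char *tag2_name)
{
    char tag2_name_cpy[strlen(tag1_name) + 1];   /* deliberately wrong size */
    int n = snprintf(tag2_name_cpy, sizeof tag2_name_cpy, "%s", tag2_name);
    return (n < 0 || (size_t)n >= sizeof tag2_name_cpy) ? -1 : 0;
}

int main(void)
{
    /* The pair from the gdb session: "tag-9-1" (7 chars) vs "tag-10-1" (8). */
    printf("overflow bytes: %zu\n", overflow_bytes_in_buggy_copy("tag-9-1", "tag-10-1"));
    printf("fixed copy ok: %d\n", copy_tags_checked("tag-9-1", "tag-10-1"));
    printf("bounded buggy: %d\n", buggy_sizing_but_bounded("tag-9-1", "tag-10-1"));
    return 0;
}
```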