Bug 397531

Summary: Freeciv FORTIFY failure during autosave
Product: Fedora
Component: freeciv
Reporter: Jerry James <loganjerry>
Assignee: Brian Pepple <bdpepple>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 8
Hardware: i386
OS: Linux
URL: http://rt.freeciv.org/SelfService/Display.html?id=39898
Fixed In Version: 2.1.1-1.fc8
Doc Type: Bug Fix
Last Closed: 2007-12-07 21:33:58 UTC

Description Jerry James 2007-11-24 00:49:41 UTC
Description of problem:
If you play freeciv long enough, an autosave will eventually fail a FORTIFY
check and cause the server to die with the autosave file only partially
written.  Glibc says:

*** buffer overflow detected ***: civserver terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x4b7b58]
/lib/libc.so.6[0x4b6200]
civserver[0x8091ab1]
civserver[0x8093cc7]
civserver[0x80510b2]
civserver[0x8051341]
civserver[0x805200b]
civserver[0x805317e]
civserver[0x804a8ad]
/lib/libc.so.6(__libc_start_main+0xe0)[0x3e4390]
civserver(rl_filename_completion_function+0x339)[0x804a281]
======= Memory map: ========
00101000-0010c000 r-xp 00000000 fd:00 9864778    /lib/libgcc_s-4.1.2-20070925.so.1
0010c000-0010d000 rwxp 0000a000 fd:00 9864778    /lib/libgcc_s-4.1.2-20070925.so.1
00110000-00111000 r-xp 00110000 00:00 0          [vdso]
00111000-0015e000 r-xp 00000000 fd:00 34153655   /usr/lib/libbind.so.4.0.9
0015e000-00160000 rwxp 0004d000 fd:00 34153655   /usr/lib/libbind.so.4.0.9
0026c000-0029c000 r-xp 00000000 fd:00 32245853   /usr/lib/libreadline.so.5.2
0029c000-002a0000 rwxp 00030000 fd:00 32245853   /usr/lib/libreadline.so.5.2
002a0000-002a1000 rwxp 002a0000 00:00 0 
002ed000-00302000 r-xp 00000000 fd:00 9863239    /lib/libtinfo.so.5.6
00302000-00305000 rwxp 00014000 fd:00 9863239    /lib/libtinfo.so.5.6
003af000-003ca000 r-xp 00000000 fd:00 9864753    /lib/ld-2.7.so
003ca000-003cb000 r-xp 0001a000 fd:00 9864753    /lib/ld-2.7.so
003cb000-003cc000 rwxp 0001b000 fd:00 9864753    /lib/ld-2.7.so
003ce000-00521000 r-xp 00000000 fd:00 9864754    /lib/libc-2.7.so
00521000-00523000 r-xp 00153000 fd:00 9864754    /lib/libc-2.7.so
00523000-00524000 rwxp 00155000 fd:00 9864754    /lib/libc-2.7.so
00524000-00527000 rwxp 00524000 00:00 0 
00529000-00550000 r-xp 00000000 fd:00 9864758    /lib/libm-2.7.so
00550000-00551000 r-xp 00026000 fd:00 9864758    /lib/libm-2.7.so
00551000-00552000 rwxp 00027000 fd:00 9864758    /lib/libm-2.7.so
0055b000-00570000 r-xp 00000000 fd:00 9864756    /lib/libpthread-2.7.so
00570000-00571000 r-xp 00014000 fd:00 9864756    /lib/libpthread-2.7.so
00571000-00572000 rwxp 00015000 fd:00 9864756    /lib/libpthread-2.7.so
00572000-00574000 rwxp 00572000 00:00 0 
00576000-00588000 r-xp 00000000 fd:00 9864757    /lib/libz.so.1.2.3
00588000-00589000 rwxp 00011000 fd:00 9864757    /lib/libz.so.1.2.3
00b2c000-00b41000 r-xp 00000000 fd:00 9864767    /lib/libnsl-2.7.so
00b41000-00b42000 r-xp 00014000 fd:00 9864767    /lib/libnsl-2.7.so
00b42000-00b43000 rwxp 00015000 fd:00 9864767    /lib/libnsl-2.7.so
00b43000-00b45000 rwxp 00b43000 00:00 0 
08047000-0819a000 r-xp 00000000 fd:00 34167870   /usr/bin/civserver
0819a000-0819d000 rw-p 00153000 fd:00 34167870   /usr/bin/civserver
0819d000-082f3000 rw-p 0819d000 00:00 0 
09f79000-0aa27000 rw-p 09f79000 00:00 0 
b7c31000-b7ce2000 rw-p b7c31000 00:00 0 
b7d43000-b7f43000 r--p 00000000 fd:00 34147534   /usr/lib/locale/locale-archive
b7f43000-b7f46000 rw-p b7f43000 00:00 0 
b7f51000-b7f74000 rw-p b7f51000 00:00 0 
b7f74000-b7f7b000 r--s 00000000 fd:00 34277598   /usr/lib/gconv/gconv-modules.cache
bfb76000-bfbc4000 rw-p bffb1000 00:00 0          [stack]
2: lost connection to server

With gdb, I was able to determine that the dying address corresponds to the
memcpy on line 3366 of server/savegame.c.

Version-Release number of selected component (if applicable):
freeciv-2.1.0-1.fc8

How reproducible:
Always, if I play long enough.  It can take a couple of hours of playing to
trigger the bug.

Steps to Reproduce:
1. Play freeciv for a couple of hours
  
Actual results:
An autosave triggers a FORTIFY failure, causing the server to shut down.

Expected results:
The autosave should succeed.

Additional info:

Comment 1 Jerry James 2007-11-24 03:52:38 UTC
I see the problem.  The part array, declared at line 3342, has size PART_SIZE +
1.  The variable bytes_adjust, declared at line 3339, is set to bytes_at_colon %
3; i.e., its value is 0, 1, or 2.  The variable size_of_current_part, declared
at line 3363, is PART_SIZE + bytes_adjust; i.e., it is at most PART_SIZE + 2. 
But then the offending memcpy copies size_of_current_part bytes into part,
possibly overflowing it by one byte.  The fix is to declare part as having size
PART_SIZE + 2.

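The following is an added example written for this page; it is not freeciv's server/savegame.c and not the reporter's patch. It models only the three facts stated in the report (bytes_adjust = bytes_at_colon % 3, size_of_current_part = PART_SIZE + bytes_adjust, and a memcpy of that many bytes into part) to show why a part buffer of PART_SIZE + 1 is one byte short of the PART_SIZE + 2 worst case, and it pairs that with a splitter that sizes the buffer for the worst case and checks the length before copying rather than relying on FORTIFY_SOURCE to abort. PART_SIZE = 8, the sample input string and the splitting loop are assumptions made for illustration.

```c
/*
 * Added example, not freeciv's savegame.c: a small model of the part-splitting
 * arithmetic described in Comment 1 of the bug. PART_SIZE, the sample input and
 * the splitting loop are assumptions; only bytes_adjust = bytes_at_colon % 3,
 * size_of_current_part = PART_SIZE + bytes_adjust and the memcpy of that many
 * bytes into part come from the report.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PART_SIZE 8                 /* assumed; kept small so the sample fits */
#define PART_MAX  (PART_SIZE + 2)   /* largest size_of_current_part: adjust is 0, 1 or 2 */

/* bytes_adjust as the report describes it: 0, 1 or 2. */
static size_t bytes_adjust_for(size_t bytes_at_colon)
{
    return bytes_at_colon % 3;
}

/* size_of_current_part as the report describes it: PART_SIZE + bytes_adjust. */
static size_t size_of_current_part(size_t bytes_at_colon)
{
    return PART_SIZE + bytes_adjust_for(bytes_at_colon);
}

/* Would the original char part[PART_SIZE + 1] be overrun by that memcpy?
 * This is the same comparison the FORTIFY_SOURCE memcpy wrapper makes at run
 * time when the compiler knows the destination's size; here it is done by hand. */
static int original_part_overflows(size_t bytes_at_colon)
{
    size_t original_capacity = PART_SIZE + 1;
    return size_of_current_part(bytes_at_colon) > original_capacity;
}

/* Hardened splitter: each part is copied into a buffer sized for the worst
 * case (PART_MAX data bytes plus a terminating NUL), and the copy length is
 * checked against the buffer before the memcpy, so safety does not depend on
 * the FORTIFY check firing. Returns the number of parts, or -1 on a bound
 * violation or when max_parts is exhausted. */
static int split_quoted(const char *quoted, size_t bytes_at_colon,
                        char parts[][PART_MAX + 1], int max_parts)
{
    size_t quoted_len = strlen(quoted);
    size_t chunk = size_of_current_part(bytes_at_colon);
    size_t offset = 0;
    int n = 0;

    while (offset < quoted_len) {
        size_t remaining = quoted_len - offset;
        size_t len = remaining < chunk ? remaining : chunk;
        if (n >= max_parts || len + 1 > sizeof parts[n]) {
            return -1;      /* explicit bound check instead of an abort */
        }
        memcpy(parts[n], quoted + offset, len);
        parts[n][len] = '\0';
        offset += len;
        n++;
    }
    return n;
}

/* Split a constructed input, reassemble the parts and confirm the round trip.
 * Returns the part count, or -1 if splitting failed or the join differs. */
static int split_and_check(const char *quoted, size_t bytes_at_colon)
{
    char parts[8][PART_MAX + 1];
    char joined[8 * PART_MAX + 1] = "";
    int n = split_quoted(quoted, bytes_at_colon, parts, 8);
    if (n < 0) {
        return -1;
    }
    for (int i = 0; i < n; i++) {
        if (strlen(parts[i]) > PART_MAX) {
            return -1;
        }
        strcat(joined, parts[i]);
    }
    return strcmp(joined, quoted) == 0 ? n : -1;
}

int main(void)
{
    /* Constructed sample: 20 bytes standing in for quoted savegame data. */
    const char *sample = "0123456789abcdefghij";
    for (size_t bac = 0; bac < 3; bac++) {
        printf("bytes_at_colon=%zu: size_of_current_part=%zu, "
               "original part[%d] overflows: %s, parts after hardened split: %d\n",
               bac, size_of_current_part(bac), PART_SIZE + 1,
               original_part_overflows(bac) ? "yes" : "no",
               split_and_check(sample, bac));
    }
    return 0;
}
```

With bytes_at_colon of 0 or 1 the copy fits in the original PART_SIZE + 1 buffer; with a remainder of 2 it is one byte too long, which is the case the report's FORTIFY abort caught. The hardened version keeps the check in the code itself, so the same bug would return an error instead of only being caught on builds compiled with _FORTIFY_SOURCE.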

Comment 2 Jerry James 2007-11-24 04:11:00 UTC
I have now filed this bug upstream (#39898), and supplied them with a patch. 
See the bug URL.

Comment 3 Fedora Update System 2007-11-26 18:44:00 UTC
freeciv-2.1.0-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update freeciv'

Comment 4 Fedora Update System 2007-12-03 11:49:15 UTC
freeciv-2.1.1-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update freeciv'

Comment 5 Fedora Update System 2007-12-07 21:33:57 UTC
freeciv-2.1.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.