Bug 556664

| Field | Value |
|---|---|
| Summary | buffer overflow in star |
| Product | [Fedora] Fedora |
| Reporter | Unused account - please delete <ziobooqulna> |
| Component | star |
| Assignee | Ondrej Vasik <ovasik> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | low |
| Version | 12 |
| CC | ovasik, robatino, ziobooqulna |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | 1.5-9.fc12 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Clone Of | |
| | 561503 (view as bug list) |
| Last Closed | 2010-02-09 05:11:32 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 561503 |
Description
Unused account - please delete
2010-01-19 01:09:11 UTC
Thanks for the report; fortify-failure buffer overflows in F-11/F-12 are usually caused by the new fortify_sources checks in glibc/gcc - previously valid source code now crashes. I'll try to check that one. Btw. in F-12 there is a nice tool, ABRT, for reporting such issues/crash bug reports - it tries to download the required debuginfo packages, which makes the backtrace much more useful.

Sorry for missing that (this is a stripped-down server installation, specifically without a running dbus, which AFAIK is required by abrtd). However, in the meantime I installed the relevant debuginfo and ran a gdm session manually. Attached is a gzipped screenlog of that gdb session. This reveals the bug: apparently there are some remnants in the code from the old tar days, where the path limit was still 100 chars. As soon as a file with a path length > 100 chars (in this specific case: 101 chars) is to be archived, the bug hits.

Created attachment 385387 [details]
screenlog of a gdb session

Oops, typo in my previous message: s/gdm/gdb/ .. And another mistake by me: the path in question is *exactly* 100 chars, *not* 101....

Ok, I could reproduce it. You are right - star (in longnames.c) is trying to copy shortname (100 chars of path) to the buffer - which is only 100 bytes - so the null terminator seems to cause a buffer overflow in the case of files with length 100+. Just fixing this off-by-one issue seems to solve the problem, but I would like to check it a bit more to see if my patch is really a good way to solve the problem.

Created attachment 385409 [details]
Patch to fix buffer overflow for files with length = 100

This is the patch which is fixing the buffer overflow issue for me. But I have to check if it is the correct way to solve the issue.

I'm rebuilding the RPM here with this patch right now. I'll let you know how it works out on my machine later ...

Ok, looks good. Complete backup of 200G finished without any prob. Thanks for the fast response and fix. -Fritz

Thanks for confirmation of the fix - I'll check it for some corner cases to ensure myself that it is not breaking some functionality / bringing some regression, and then I'll make a star update.

What is the status of this? I seem to be hitting it repeatedly - I checked one of the files it hit just before crashing and it's exactly 100 characters.

Patch fixing the issue for star-type headers is attached to that bugzilla ... but that's possibly not the right way to fix the issue. Problem is that for pax, ustar, suntar, xstar, xustar, exustar, star has the limit for shortname the same as the buffer size - which causes a buffer overflow with the new glibc fortify_sources checks. Formats gnutar, tar and v7tar header types should be safe without my patch - as they have the 99+XXX format. However - they are affected by my patch - as I fix the off-by-one problem even for them - which causes longname complaints for a 99-char-long name, which is completely valid. The names should be split 100(+155 usually) in star-type formats. Buffer for shortname is 100 bytes - therefore with length 100 you have no \0 terminator there - and strcpy just causes a buffer overflow error. Probably using strncpy would be a better way of solving that issue, but I have to check if it works correctly for all the formats (current patch does not, and changes to headers would mean breaking specifications)...

star-1.5-9.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/star-1.5-9.fc12

Created attachment 388531 [details]
Patch to fix the buffer overflow.

star-1.5-9.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update star'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1424

star-1.5-9.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
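The 100-byte shortname field discussed in the thread, as an added example written for this page (not star's code and not the attached patch): a ustar-style name/prefix split done with bounded copies, where a path of exactly 100 bytes legitimately fills the field with no NUL terminator, and anything longer is either split at a '/' into the 155-byte prefix or rejected so a long-name record can be used. The 100/155 widths follow the ustar header layout; `demo_name_len` and its "aaa/bbb" path builder are constructed helpers.

```c
#include <string.h>

/* Added example, not star's code. A ustar-style header keeps the path in a
 * 100-byte name field plus a 155-byte prefix field. A full field carries no
 * trailing NUL, which is why strcpy() of a 100-char name into name[100]
 * writes the terminator one byte past the field (the overflow fortify reports). */
#define USTAR_NAME_LEN   100
#define USTAR_PREFIX_LEN 155
struct ustar_name { char name[USTAR_NAME_LEN]; char prefix[USTAR_PREFIX_LEN]; };

/* Bounded copy: zero-pad the field, then copy at most `w` bytes into it. */
static void put_field(char *f, size_t w, const char *t, size_t n)
{ memset(f, 0, w); memcpy(f, t, n < w ? n : w); }

/* Length of a field that may lack a NUL terminator (strnlen semantics). */
size_t field_len(const char *f, size_t w)
{ size_t n = 0; while (n < w && f[n] != '\0') n++; return n; }

/* Up to 100 bytes go straight into name (exactly 100 is valid and fills it);
 * longer paths split at a '/' so the tail fits name and the head fits prefix.
 * Returns -1 when no legal split exists: use a long-name record instead. */
int ustar_split_name(struct ustar_name *out, const char *path)
{
    size_t len = strlen(path);
    if (len <= USTAR_NAME_LEN) {
        put_field(out->name, USTAR_NAME_LEN, path, len);
        put_field(out->prefix, USTAR_PREFIX_LEN, "", 0);
        return 0;
    }
    /* tail = len-i-1 must be <= 100, so the split '/' lies at i >= len-101 */
    for (size_t i = len - USTAR_NAME_LEN - 1; i < len - 1 && i <= USTAR_PREFIX_LEN; i++) {
        if (i == 0 || path[i] != '/') continue;
        put_field(out->prefix, USTAR_PREFIX_LEN, path, i);
        put_field(out->name, USTAR_NAME_LEN, path + i + 1, len - i - 1);
        return 0;
    }
    return -1;
}

/* Constructed input "<head a's>/<tail b's>" (no '/' when head is 0): returns
 * the resulting name-field length, or -1 if the path does not fit. */
int demo_name_len(size_t head, size_t tail)
{
    char path[512]; struct ustar_name h; size_t n = head;
    if (head + tail + 2 > sizeof path) return -1;
    memset(path, 'a', head);
    if (head) path[n++] = '/';
    memset(path + n, 'b', tail); n += tail;
    path[n] = '\0';
    return ustar_split_name(&h, path) ? -1 : (int)field_len(h.name, USTAR_NAME_LEN);
}
```

`demo_name_len(0, 100)` is the thread's exact case: the 100-byte name fills the field and returns 100 without writing a terminator past it, while a 101-byte path with no slash returns -1 instead of being squeezed in.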