Bug 596264

Summary: Segfault when decoding DMI data in dmi_processor_id()
Product: Red Hat Enterprise Linux 5
Reporter: David Sommerseth <davids>
Component: python-dmidecode
Assignee: Roman Rakus <rrakus>
Status: CLOSED CURRENTRELEASE
QA Contact: qe-baseos-daemons
Severity: high
Priority: urgent
Version: 5.5
CC: azelinka, davids, jhutar, jplans, jscotka, mmello, mosvald, ndevos, ovasik, rrakus, syeghiay, tao, tsmetana, williams
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 583867
: 621146 627901 1058872 1058873
Last Closed: 2013-09-23 11:19:09 UTC
Bug Depends On: 583867
Bug Blocks: 596133, 621146, 621837, 1058872
Attachments:
Description: Patch fixing the SEGV issue; Flags: none
Description: strace of command; Flags: none
Description: Patches fixing dmi_string() NULL issues; Flags: none

Comment 1 David Sommerseth 2010-05-26 13:58:13 UTC
Created attachment 416844
Patch fixing the SEGV issue

Comment 2 David Sommerseth 2010-05-26 14:00:47 UTC
The attached patch is sent upstream for inclusion.  Will expect an answer in a couple of days.  A new python-dmidecode version is expected to land shortly afterwards.

Comment 11 Jan Ščotka 2010-08-31 13:27:56 UTC
Created attachment 442185
strace of command

Hi,
it is the same as in the bug in RHEL5
https://bugzilla.redhat.com/show_bug.cgi?id=596264
The problem is probably somewhere in python-dmidecode.

When it causes a segmentation fault:
# rpm -qa python-dmidecode
python-dmidecode-3.10.12-1.el6.x86_64

Used the DMI binary dump file from the bug above.
The last few lines from strace:
_____________________________________________
fstat(4, {st_mode=S_IFREG|0755, st_size=185072, ...}) = 0
open("/usr/lib64/python2.6/site-packages/dmidecodemod.so", O_RDONLY) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\321\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=185072, ...}) = 0
mmap(NULL, 2280264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f811426f000
mprotect(0x7f8114298000, 2097152, PROT_NONE) = 0
mmap(0x7f8114498000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x29000) = 0x7f8114498000
close(5)                                = 0
open("/sys/firmware/efi/systab", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/efi/systab", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("/dev/mem", O_RDONLY)              = 5
mmap(NULL, 65536, PROT_READ, MAP_SHARED, 5, 0xf0000) = 0x7f811bb06000
munmap(0x7f811bb06000, 65536)           = 0
close(5)                                = 0
close(4)                                = 0
close(3)                                = 0
stat("dmi.dmp", {st_mode=S_IFREG|0664, st_size=1755, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
open("/usr/share/python-dmidecode/pymap.xml", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f811bb15000
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 16384) = 16384
lseek(3, 0, SEEK_CUR)                   = 16384
lseek(3, 0, SEEK_SET)                   = 0
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 4096) = 4096
read(3, "ze\"/>\n      </Map>\n    </TypeMap"..., 4096) = 4096
read(3, "luetype=\"dict\">\n          <Map k"..., 4096) = 4096
read(3, "mory Module Size\"\n              "..., 4096) = 4096
read(3, "     <Map keytype=\"constant\" key"..., 4096) = 4096
brk(0x2350000)                          = 0x2350000
read(3, "nabled\"     valuetype=\"boolean\" "..., 4096) = 4096
read(3, "stant\" key=\"Data Start Offset\" v"..., 4096) = 4096
brk(0x2371000)                          = 0x2371000
read(3, "e=\"dict\">\n        <Map keytype=\""..., 4096) = 4096
read(3, "ct\">\n          <Map keytype=\"con"..., 4096) = 4096
read(3, "      valuetype=\"string\" value=\""..., 4096) = 4096
brk(0x2392000)                          = 0x2392000
read(3, "ing\" value=\"Description\"/>\n     "..., 4096) = 4096
read(3, "ement Device Threshold Data -->\n"..., 4096) = 3995
brk(0x23b3000)                          = 0x23b3000
read(3, "", 4096)                       = 0
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f811bb15000, 4096)            = 0
access("dmi.dmp", R_OK)                 = 0
open("dmi.dmp", O_RDONLY)               = 3
mmap(NULL, 32, PROT_READ, MAP_SHARED, 3, 0) = 0x7f811bb15000
munmap(0x7f811bb15000, 32)              = 0
close(3)                                = 0
open("dmi.dmp", O_RDONLY)               = 3
mmap(NULL, 1755, PROT_READ, MAP_SHARED, 3, 0) = 0x7f811bb15000
munmap(0x7f811bb15000, 1755)            = 0
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++

Comment 21 David Sommerseth 2011-01-06 15:53:37 UTC
Created attachment 472083
Patches fixing dmi_string() NULL issues

This is a new patch, which should solve the NULL issues we've seen related to dmi_string() in a much better way.

This patch includes the patch found in attachment #416844 and a different solution for the attachment #471968.

-----------------------------------------------------------------------
commit 7253bbeed7f6d00bd796019d79dc1fe0a805fa8e
Author: David Sommerseth <davids>
Date:   Wed May 26 15:39:19 2010 +0200

    Fixed an issue causing SEGV on some hardware when dmi_processor_id() is called
    
    The dmi_processor_id() function did not check the char *version pointer if it
    was NULL before doing strcmp().  On some hardware, *version will be NULL.


commit 10a2d8bd43934966dd842fd8f401f0d679d0d66a
Author: David Sommerseth <davids>
Date:   Thu Jan 6 13:44:25 2011 +0100

    Implemented dmixml_AddDMIstring()
    
    This function can be used instead of dmi_string() and
    dmixml_AddTextChild().  In those cases where dmi_string() returns
    NULL, this situation is handled more gracefully.  In addition,
    "not specified" situations are handled better as well.
    
    Signed-off-by: David Sommerseth <davids>


commit 734d025ce6503851447f5a3dd08b107425f8b515
Author: David Sommerseth <davids>
Date:   Thu Jan 6 13:47:42 2011 +0100

    Make use of dmixml_AddDMIstring() where possible
    
    This modifies the core DMI decoding to make use of the new
    dmixml_AddDMIstring() function instead of the older, more error prone
    approach of dmi_string() and dmixml_AddTextChild().
    
    Signed-off-by: David Sommerseth <davids>


commit d6987c53d3648d85e410ef81a343867e239eb960
Author: David Sommerseth <davids>
Date:   Thu Jan 6 15:56:24 2011 +0100

    Harden dmi_string() calls with better NULL checks
    
    This patch fixes more potential issues where dmi_string() results
    were not necessarily checked for NULL, which potentially could lead
    to SEGV issues.
    
    Signed-off-by: David Sommerseth <davids>
-----------------------------------------------------------------------

All these patches are sent upstream and commit 7253bbeed7f6d00bd796019d79dc1fe0a805fa8e is already accepted and can be found in python-dmidecode-3.10.13.
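
The failure mode described in the commit messages above, as an added example that is not part of the bug report or the python-dmidecode source: a string lookup that returns NULL for a missing or "not specified" index, and a caller that checks the result before calling strcmp(). All demo_* names, the simplified header struct and the sample record are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified view of one SMBIOS structure. */
struct demo_header {
    uint8_t length;       /* size of the formatted area */
    const uint8_t *data;  /* formatted area followed by the string set */
    size_t total;         /* bytes readable at data */
};

/* Return the idx-th (1-based) string, or NULL when idx is 0 ("not
 * specified"), the set ends first, or a string is unterminated. */
const char *demo_dmi_string(const struct demo_header *h, uint8_t idx) {
    if (idx == 0 || h->length >= h->total)
        return NULL;
    const char *p = (const char *)h->data + h->length;
    const char *end = (const char *)h->data + h->total;
    while (p < end && *p != '\0') {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL)
            return NULL;
        if (--idx == 0)
            return p;
        p = nul + 1;
    }
    return NULL;
}

/* NULL-safe comparison: passing NULL to strcmp() is undefined behaviour. */
int demo_version_matches(const char *version, const char *wanted) {
    return version != NULL && strcmp(version, wanted) == 0;
}

/* Constructed record: type 4, length 4, handle 0, then "Acme CPU", "v2". */
static const uint8_t demo_record[] = {
    4, 4, 0, 0, 'A','c','m','e',' ','C','P','U', 0, 'v','2', 0, 0
};

int demo_check(uint8_t idx, const char *wanted) {
    struct demo_header h = { demo_record[1], demo_record, sizeof demo_record };
    return demo_version_matches(demo_dmi_string(&h, idx), wanted);
}

int main(void) {
    printf("%d %d %d\n", demo_check(2, "v2"), demo_check(3, "v2"), demo_check(0, "v2"));
    return 0;
}
```

Index 3 and index 0 both make the lookup return NULL; without the check in demo_version_matches() the comparison would dereference that NULL pointer.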