Bug 635559

Summary: buffer overflow in star revisited
Product: Red Hat Enterprise Linux 6
Reporter: Ondrej Vasik <ovasik>
Component: star
Assignee: Ondrej Vasik <ovasik>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: low
Version: 6.1
CC: azelinka, ovasik, robatino, wolfgang.pichler
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 632384
Environment:
Last Closed: 2011-06-03 10:30:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 632384
Bug Blocks:

Description Ondrej Vasik 2010-09-20 07:31:01 UTC
+++ This bug was initially created as a clone of Bug #632384 +++

Description of problem:

same as bug 556664 for f12

my stacktrace:

*** buffer overflow detected ***: star terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x2e3fcd]
/lib/libc.so.6[0x2e1ffa]
/lib/libc.so.6(__strcpy_chk+0x44)[0x2e12d4]
star[0x806e15d]
star[0x805d9e4]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805eb7f]
star[0x804c201]
star[0x804ecbb]
/lib/libc.so.6(__libc_start_main+0xe6)[0x202cc6]
star[0x804a121]

invoking command:

star -c -v -time -fifostats -multivol VOLHDR="2010_09_09__18_37 DATA" new-volume-script=/rbin/mtchgR.pl f=/dev/nst0 H=exustar -xfflags -xattr -sparse fs=384m errctl=/tmp/s2t.61pDJmbmKd -C /srv/save samba grass streeruwitz IMG2

/tmp/s2t.61pDJmbmKd:

GETXATTR *
GETACL *
READLINK *
MISSLINK *
SPECIALFILE *

last path processed:

a samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2002_1_quartal_metadaten_forschung_und_lehre_LatestReleased_021828.zip 2137684 bytes, 4176 tape blocks

yield ERRNO 134

------------------------

rpm -qv star : star-1.5.1-2.fc13.i686

/usr/bin/star --version : star: star 1.5.1 (i686-redhat-linux-gnu)

coredump-file (abrt) available upon request ;-))

--- Additional comment from ovasik on 2010-09-11 07:18:09 EDT ---

Thanks for the report - I don't think that this is a dupe of #556664, as that bug was fixed in the f13 branch as well ... see http://pkgs.fedoraproject.org/gitweb/?p=star.git;a=shortlog;h=refs/heads/f13/master and the changelog of the star-1.5.1-2.fc13 package. Maybe another instance or an incomplete fix...

Could you please provide a backtrace with star debuginfo installed? TIA.

--- Additional comment from wolfgang.pichler.ac.at on 2010-09-11 08:01:26 EDT ---

#0  0x00ba3416 in __kernel_vsyscall ()
#1  0x00216d11 in raise () from /lib/libc.so.6
#2  0x002185ea in abort () from /lib/libc.so.6
#3  0x00254b9d in __libc_message () from /lib/libc.so.6
#4  0x002e3fcd in __fortify_fail () from /lib/libc.so.6
#5  0x002e1ffa in __chk_fail () from /lib/libc.so.6
#6  0x002e12d4 in __strcpy_chk () from /lib/libc.so.6
#7  0x0806e15d in strcpy (info=0xbfd9216c, ptb=0xbfd91eec)
    at /usr/include/bits/string3.h:107
#8  name_to_tcb (info=0xbfd9216c, ptb=0xbfd91eec) at longnames.c:201
#9  0x0805d9e4 in createi (
    sname=0xbfd9425a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2004_2_quartal_metadaten_arbeitsorganisation_und_arbeitszeitgestaltung__LatestReleased_021833.zip",
    name=0xbfd9425a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2004_2_quartal_metadaten_arbeitsorganisation_und_arbeitszeitgestaltung__LatestReleased_021833.zip", namlen=169, info=0xbfd9216c, last=0xbfd92234)
    at create.c:556
#10 0x0805e7fe in put_dir (
    sname=0xbfd985ca "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip", name=<value optimized out>, namlen=69, info=0xbfd964dc,
    last=0xbfd965a4) at create.c:1648
#11 createi (
    sname=0xbfd985ca "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip", name=<value optimized out>, namlen=69, info=0xbfd964dc,
    last=0xbfd965a4) at create.c:580
#12 0x0805e7fe in put_dir (
    sname=0xbfd9c93a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus", name=<value optimized out>, namlen=65, info=0xbfd9a84c,
    last=0xbfd9a914) at create.c:1648
#13 createi (
    sname=0xbfd9c93a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus", name=<value optimized out>, namlen=65, info=0xbfd9a84c,
    last=0xbfd9a914) at create.c:580
#14 0x0805e7fe in put_dir (
    sname=0xbfda0caa "samba/public/other/Leth/PENDOways2go/DATEN/testdaten",
    name=<value optimized out>, namlen=53, info=0xbfd9ebbc, last=0xbfd9ec84)
    at create.c:1648
#15 createi (
    sname=0xbfda0caa "samba/public/other/Leth/PENDOways2go/DATEN/testdaten",
    name=<value optimized out>, namlen=53, info=0xbfd9ebbc, last=0xbfd9ec84)
    at create.c:580
#16 0x0805e7fe in put_dir (
    sname=0xbfda501a "samba/public/other/Leth/PENDOways2go/DATEN",
    name=<value optimized out>, namlen=43, info=0xbfda2f2c, last=0xbfda2ff4)
    at create.c:1648
#17 createi (sname=0xbfda501a "samba/public/other/Leth/PENDOways2go/DATEN",
    name=<value optimized out>, namlen=43, info=0xbfda2f2c, last=0xbfda2ff4)
    at create.c:580
#18 0x0805e7fe in put_dir (
    sname=0xbfda938a "samba/public/other/Leth/PENDOways2go",
    name=<value optimized out>, namlen=37, info=0xbfda729c, last=0xbfda7364)
    at create.c:1648
#19 createi (sname=0xbfda938a "samba/public/other/Leth/PENDOways2go",
    name=<value optimized out>, namlen=37, info=0xbfda729c, last=0xbfda7364)
    at create.c:580
#20 0x0805e7fe in put_dir (sname=0xbfdad6fa "samba/public/other/Leth",
    name=<value optimized out>, namlen=24, info=0xbfdab60c, last=0xbfdab6d4)
    at create.c:1648
#21 createi (sname=0xbfdad6fa "samba/public/other/Leth",
    name=<value optimized out>, namlen=24, info=0xbfdab60c, last=0xbfdab6d4)
    at create.c:580
#22 0x0805e7fe in put_dir (sname=0xbfdb1a6a "samba/public/other",
    name=<value optimized out>, namlen=19, info=0xbfdaf97c, last=0xbfdafa44)
    at create.c:1648
#23 createi (sname=0xbfdb1a6a "samba/public/other",
    name=<value optimized out>, namlen=19, info=0xbfdaf97c, last=0xbfdafa44)
    at create.c:580
#24 0x0805e7fe in put_dir (sname=0xbfdb5dda "samba/public",
    name=<value optimized out>, namlen=13, info=0xbfdb3cec, last=0xbfdb3db4)
    at create.c:1648
#25 createi (sname=0xbfdb5dda "samba/public", name=<value optimized out>,
    namlen=13, info=0xbfdb3cec, last=0xbfdb3db4) at create.c:580
#26 0x0805e7fe in put_dir (sname=0xbfdba338 "samba",
    name=<value optimized out>, namlen=6, info=0xbfdb8018, last=0x0)
    at create.c:1648
#27 createi (sname=0xbfdba338 "samba", name=<value optimized out>, namlen=6,
    info=0xbfdb8018, last=0x0) at create.c:580
#28 0x0805eb7f in create (name=0xbfdba338 "samba", Hflag=0, forceadd=0)
    at create.c:472
#29 0x0804c201 in star_create (ac=4, av=0xbfdb8388) at star.c:775
#30 0x0804ecbb in main (ac=21, av=0xbfdb8344) at star.c:546


greez w
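Added example (C, not star's code and not the patch that fixed this bug): a bounds-checked way to place a path like the 169-byte one in the backtrace above into the fixed ustar header fields, in place of the unchecked strcpy() that __strcpy_chk aborted on in name_to_tcb. It assumes the standard ustar layout (100-byte name, 155-byte prefix); the split strategy and all identifiers are this example's own, not star's.

```c
/* Added example, not star's code: bounds-checked placement of a path into
   the fixed ustar header fields instead of an unchecked strcpy(). Field
   sizes are standard ustar; PAGE_PATH is the 169-byte path from the
   backtrace above, whose basename is exactly 100 bytes. */
#include <string.h>
#define USTAR_NAME_LEN   100
#define USTAR_PREFIX_LEN 155

/* Raw fields: NUL padded, but as on tape a full field has no terminating
   NUL. strcpy() of a 100-byte component into name[] writes 101 bytes, the
   kind of overrun that __strcpy_chk aborts on. */
struct ustar_name {
    char name[USTAR_NAME_LEN];
    char prefix[USTAR_PREFIX_LEN];
};
/* Length of a possibly unterminated field. */
size_t ustar_field_len(const char *field, size_t cap)
{
    size_t n = 0;
    while (n < cap && field[n] != '\0')
        n++;
    return n;
}
/* Place path into out, splitting at a '/' so the tail fits name[] and the
   head fits prefix[]. Returns 0 on success, -1 when no split exists; the
   caller must then emit a long-name extension record or reject the entry,
   never copy anyway. */
int ustar_split_name(const char *path, struct ustar_name *out)
{
    size_t len = strlen(path);
    memset(out, 0, sizeof(*out));
    if (len <= USTAR_NAME_LEN) {
        memcpy(out->name, path, len);
        return 0;
    }
    /* Tail after the slash must be <= 100 bytes, so the slash index i must
       be >= len - 101; scanning upward finds the shortest fitting prefix. */
    for (size_t i = len - USTAR_NAME_LEN - 1; i + 1 < len; i++) {
        if (path[i] != '/' || i == 0)
            continue;
        if (i > USTAR_PREFIX_LEN)
            return -1;  /* head too long for prefix[] */
        memcpy(out->prefix, path, i);
        memcpy(out->name, path + i + 1, len - i - 1);
        return 0;
    }
    return -1;  /* no '/' within the last 101 bytes */
}
const char PAGE_PATH[] = "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2004_2_quartal_metadaten_arbeitsorganisation_und_arbeitszeitgestaltung__LatestReleased_021833.zip";
struct ustar_name demo_out;  /* output buffer for the checks */
```

The page's path splits cleanly (68-byte prefix, 100-byte name), which is exactly the case where a NUL-writing strcpy() into a 100-byte field overruns by one.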

--- Additional comment from ovasik on 2010-09-13 10:51:42 EDT ---

Thanks, so it is the same issue but on a different line ... will fix that soon...

--- Additional comment from wolfgang.pichler.ac.at on 2010-09-13 15:48:30 EDT ---

Great.
The next run of star is scheduled for Thu 18:00 MEST ;-))

--- Additional comment from updates on 2010-09-15 10:06:19 EDT ---

star-1.5.1-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/star-1.5.1-4.fc14

--- Additional comment from updates on 2010-09-15 10:08:17 EDT ---

star-1.5.1-4.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/star-1.5.1-4.fc13

--- Additional comment from updates on 2010-09-15 18:33:13 EDT ---

star-1.5.1-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update star'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/star-1.5.1-4.fc13

--- Additional comment from wolfgang.pichler.ac.at on 2010-09-16 03:46:42 EDT ---

(In reply to comment #7)

Thank you for the fast patch - I'll test it today w/ approx. 700 GB ...

Comment 2 Suzanne Logcher 2011-02-15 21:42:47 UTC
This issue was proposed for RHEL 6.1 FasTrack but did not get resolved in time.
It has been moved to RHEL 6.2 FasTrack.

Comment 3 wolfgang pichler 2011-02-16 06:31:15 UTC
The bug is no longer reproducible since the upgrade to fc14.

I suppose the EOF-handling change in the st driver code was improved, so star was not disrupted by funny things bumped up from this special DLT-V4 device I use with star ...
... but I have no evidence for this: it is an assumption, nothing more.

I would suggest closing the bug.
If it occurs again I am prepared to reopen it and we can start over again.

Comment 4 Ondrej Vasik 2011-02-16 07:12:11 UTC
That bugzilla is about RHEL-6 - and is tracking the issue there. In RHEL-6 it was still not fixed because of the limited capacity for updates. Of course, in Fedora it is already fixed for a long time. Feel free to remove yourself from the CC list if you are not interested in watching the situation for RHEL-6.

Comment 7 Ondrej Vasik 2011-06-03 10:30:39 UTC
Could be considered a duplicate - as these two are closely related (the same issue but in different places in the source code) ... let's simplify it and mark it as a dup.

*** This bug has been marked as a duplicate of bug 611402 ***