Bug 785934

Summary: Buffer overflow in pstree
Product: [Fedora] Fedora Reporter: Robin Green <greenrd>
Component: psmiscAssignee: Jaromír Cápík <jcapik>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 17CC: anderson, andreas.bierfert, fedora, jcapik, ktmdms, mtasaka, ovasik, psimerda, pwouters, rjones
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: psmisc-22.16-1.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-21 18:41:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
proposal patch
none
File: backtrace none

Description Robin Green 2012-01-30 22:34:38 UTC 
Description of problem:
pstree crashes immediately with a buffer overflow

Version-Release number of selected component (if applicable):
psmisc-22.15-1.fc17.x86_64

How reproducible:
Always

Steps to Reproduce:
1. pstree
  
Actual results:
*** buffer overflow detected ***: pstree terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f9b0a1fbba7]
/lib64/libc.so.6(+0x105d60)[0x7f9b0a1f9d60]
pstree[0x402f7b]
pstree[0x40318b]
pstree[0x401f67]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f9b0a115745]
pstree[0x4021a5]
======= Memory map: ========
00400000-00405000 r-xp 00000000 fd:02 26615025                           /usr/bin/pstree
00604000-00605000 r--p 00004000 fd:02 26615025                           /usr/bin/pstree
00605000-00606000 rw-p 00005000 fd:02 26615025                           /usr/bin/pstree
00ad3000-00af4000 rw-p 00000000 00:00 0                                  [heap]
7f9b038b1000-7f9b038c6000 r-xp 00000000 fd:02 26611358                   /lib64/libgcc_s-4.7.0-20120126.so.1
7f9b038c6000-7f9b03ac5000 ---p 00015000 fd:02 26611358                   /lib64/libgcc_s-4.7.0-20120126.so.1
7f9b03ac5000-7f9b03ac6000 rw-p 00014000 fd:02 26611358                   /lib64/libgcc_s-4.7.0-20120126.so.1
7f9b03ac6000-7f9b09ef0000 r--p 00000000 fd:02 3675213                    /usr/lib/locale/locale-archive
7f9b09ef0000-7f9b09ef3000 r-xp 00000000 fd:02 26611185                   /lib64/libdl-2.15.so
7f9b09ef3000-7f9b0a0f2000 ---p 00003000 fd:02 26611185                   /lib64/libdl-2.15.so
7f9b0a0f2000-7f9b0a0f3000 r--p 00002000 fd:02 26611185                   /lib64/libdl-2.15.so
7f9b0a0f3000-7f9b0a0f4000 rw-p 00003000 fd:02 26611185                   /lib64/libdl-2.15.so
7f9b0a0f4000-7f9b0a29e000 r-xp 00000000 fd:02 26611315                   /lib64/libc-2.15.so
7f9b0a29e000-7f9b0a49e000 ---p 001aa000 fd:02 26611315                   /lib64/libc-2.15.so
7f9b0a49e000-7f9b0a4a2000 r--p 001aa000 fd:02 26611315                   /lib64/libc-2.15.so
7f9b0a4a2000-7f9b0a4a4000 rw-p 001ae000 fd:02 26611315                   /lib64/libc-2.15.so
7f9b0a4a4000-7f9b0a4a9000 rw-p 00000000 00:00 0 
7f9b0a4a9000-7f9b0a4c6000 r-xp 00000000 fd:02 26611285                   /lib64/libselinux.so.1
7f9b0a4c6000-7f9b0a6c6000 ---p 0001d000 fd:02 26611285                   /lib64/libselinux.so.1
7f9b0a6c6000-7f9b0a6c7000 r--p 0001d000 fd:02 26611285                   /lib64/libselinux.so.1
7f9b0a6c7000-7f9b0a6c8000 rw-p 0001e000 fd:02 26611285                   /lib64/libselinux.so.1
7f9b0a6c8000-7f9b0a6c9000 rw-p 00000000 00:00 0 
7f9b0a6c9000-7f9b0a6ec000 r-xp 00000000 fd:02 26611243                   /lib64/libtinfo.so.5.9
7f9b0a6ec000-7f9b0a8eb000 ---p 00023000 fd:02 26611243                   /lib64/libtinfo.so.5.9
7f9b0a8eb000-7f9b0a8ef000 r--p 00022000 fd:02 26611243                   /lib64/libtinfo.so.5.9
7f9b0a8ef000-7f9b0a8f0000 rw-p 00026000 fd:02 26611243                   /lib64/libtinfo.so.5.9
7f9b0a8f0000-7f9b0a910000 r-xp 00000000 fd:02 26610987                   /lib64/ld-2.15.so
7f9b0aaf0000-7f9b0aaf4000 rw-p 00000000 00:00 0 
7f9b0ab0c000-7f9b0ab0f000 rw-p 00000000 00:00 0 
7f9b0ab0f000-7f9b0ab10000 r--p 0001f000 fd:02 26610987                   /lib64/ld-2.15.so
7f9b0ab10000-7f9b0ab11000 rw-p 00020000 fd:02 26610987                   /lib64/ld-2.15.so
7f9b0ab11000-7f9b0ab12000 rw-p 00000000 00:00 0 
7fffbd948000-7fffbd969000 rw-p 00000000 00:00 0                          [stack]
7fffbd9ff000-7fffbda00000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Expected results:
process tree
Comment 1 Robin Green 2012-01-30 22:36:13 UTC 
backtrace from gdb:

Program received signal SIGABRT, Aborted.
0x00007ffff76168d5 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x00007ffff76168d5 in __GI_raise (sig=sig@entry=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff7618088 in __GI_abort () at abort.c:91
#2  0x00007ffff7654fab in __libc_message (do_abort=do_abort@entry=2, 
    fmt=fmt@entry=0x7ffff7756a60 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007ffff76e8ba7 in __GI___fortify_fail (
    msg=msg@entry=0x7ffff7756a06 "buffer overflow detected")
    at fortify_fail.c:32
#4  0x00007ffff76e6d60 in __GI___chk_fail () at chk_fail.c:29
#5  0x0000000000402f7b in strcpy (__src=0x6107b0 "{nepomukservices}", 
    __dest=0x6107d0 "{nepomukservices}") at /usr/include/bits/string3.h:105
#6  new_proc (comm=0x6107b0 "{nepomukservices}", pid=554, uid=1000, 
    scontext=0x0) at pstree.c:267
#7  0x000000000040318b in add_proc (
    comm=comm@entry=0x6107b0 "{nepomukservices}", pid=554, 
    ppid=ppid@entry=270, uid=1000, args=args@entry=0x0, size=size@entry=0, 
    isthread=1 '\001', isthread@entry=64 '@', scontext=0x0) at pstree.c:350
#8  0x0000000000401f67 in read_proc () at pstree.c:695
#9  main (argc=<optimized out>, argv=<optimized out>) at pstree.c:990
Comment 2 Mamoru TASAKA 2012-02-25 06:37:34 UTC 
Not only x86_64 specific.
Comment 3 Mamoru TASAKA 2012-02-25 06:40:29 UTC 
Created attachment 565723 [details]
proposal patch

Apparently strcpy does not check the size of comm.
Comment 4 Mamoru TASAKA 2012-02-25 06:41:52 UTC 
*** Bug 797271 has been marked as a duplicate of this bug. ***
Comment 5 Mamoru TASAKA 2012-02-28 01:07:43 UTC 
The attached patch seems to have already applied in the newly released 22.16.
Comment 6 kevin martin 2012-02-29 19:52:18 UTC 
When might we see this in rawhide?
Comment 7 Richard W.M. Jones 2012-03-09 14:08:55 UTC 
Any chance of a fix for this in Rawhide and/or Fedora 17 updates-testing?
Comment 8 Mamoru TASAKA 2012-03-15 04:29:36 UTC 
Any chance that this bug gets fixed in F-17? Currently psmisc on F-17 is completely unusable.
Comment 9 Jaromír Cápík 2012-03-15 10:39:10 UTC 
Hello guys.

Sorry for the delay.
I updated rawhide to 22.16 on Monday. This version fixes the issue.
You can give it some positive karma if it works for you in f17 and/or f16 to speed the introduction up.

Regards,
Jaromir.
Comment 10 Fedora Update System 2012-03-15 10:39:56 UTC 
psmisc-22.16-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/psmisc-22.16-1.fc16
Comment 11 Fedora Update System 2012-03-15 10:40:06 UTC 
psmisc-22.16-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/psmisc-22.16-1.fc17
Comment 12 kevin martin 2012-03-15 17:48:31 UTC 
Working again now in rawhide.  Thanks.
Comment 13 Fedora Update System 2012-03-16 02:43:13 UTC 
Package psmisc-22.16-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing psmisc-22.16-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-3851/psmisc-22.16-1.fc17
then log in and leave karma (feedback).
Comment 14 Pavel Šimerda (pavlix) 2012-03-19 23:17:22 UTC 
It crashes when run.

backtrace_rating: 4
Package: psmisc-22.15-1.fc17
OS Release: Fedora release 17 (Beefy Miracle)
Comment 15 Pavel Šimerda (pavlix) 2012-03-19 23:17:27 UTC 
Created attachment 571239 [details]
File: backtrace
Comment 16 Richard W.M. Jones 2012-03-20 08:34:44 UTC 
Try the update (comment 13).
Comment 17 Fedora Update System 2012-03-21 18:41:03 UTC 
psmisc-22.16-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2012-03-22 01:54:49 UTC 
psmisc-22.16-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Jaromír Cápík 2012-05-10 12:30:51 UTC 
*** Bug 812459 has been marked as a duplicate of this bug. ***