Bug 1236367 - apcaccess crashes if run without apcupsd running
Summary: apcaccess crashes if run without apcupsd running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: apcupsd
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michal Hlavinka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-28 10:04 UTC by Przemek Klosowski
Modified: 2016-02-17 04:23 UTC (History)
1 user (show)

Fixed In Version: apcupsd-3.14.13-4.fc23 apcupsd-3.14.13-2.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-26 20:56:28 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Przemek Klosowski 2015-06-28 10:04:46 UTC
Description of problem:
apcaccess crashes if run without apcupsd running

Version-Release number of selected component (if applicable):
apcupsd-3.14.13-1.fc22.x86_64

How reproducible:
every time

Steps to Reproduce:
1.run 'apcaccess` without starting the apcupsd service

Actual results:
*** buffer overflow detected ***: apcaccess terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x77e9d)[0x7fa5fbbbfe9d]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fa5fbc5b9f7]
/lib64/libc.so.6(+0x111b90)[0x7fa5fbc59b90]
/lib64/libc.so.6(+0x113967)[0x7fa5fbc5b967]
apcaccess(+0x44da)[0x7fa5fcbec4da]
apcaccess(+0x468f)[0x7fa5fcbec68f]
apcaccess(+0x2e96)[0x7fa5fcbeae96]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7fa5fbb68790]
apcaccess(+0x31f9)[0x7fa5fcbeb1f9]


Expected results:
no crash, error message about not being able to talk to apcupsd

Comment 1 Przemek Klosowski 2015-06-28 10:34:48 UTC
The crash seems to happen in net_nbytes(), in apclibnis.c:77, while preparing
file descriptors FD_SET(fd, &fds); for the select() call

Program received signal SIGABRT, Aborted.
0x00007ffff6fa4a98 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
55	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) where
#0  0x00007ffff6fa4a98 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007ffff6fa672a in __GI_abort () at abort.c:89
#2  0x00007ffff6fe7ea2 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff70f8696 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff70839f7 in __GI___fortify_fail (msg=msg@entry=0x7ffff70f863c "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff7081b90 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff7083967 in __fdelt_chk (d=<optimized out>) at fdelt_chk.c:25
#6  0x00005555555584da in read_nbytes (fd=fd@entry=-111, ptr=ptr@entry=0x7fffffff4d76 "", nbytes=nbytes@entry=2) at apclibnis.c:77
#7  0x000055555555868f in net_recv (sockfd=-111, buff=0x7fffffffe0e0 "q\006 \230\001", maxlen=257) at apclibnis.c:170
#8  0x0000555555556e96 in do_pthreads_status (flags=0, par=<optimized out>, port=3551, host=0x7fffffffe0d0 "localhost") at apcaccess.c:60
#9  main (argc=<optimized out>, argv=<optimized out>) at apcaccess.c:223

Comment 2 Przemek Klosowski 2015-06-28 11:03:07 UTC
The FD_SET() function calls __fdelt_chk() on the file descriptor, which aborts for negative file descriptors. 

The problem is in net_open(); according to its own API contract in the leading comments, it's supposed to return -1 (INVALID_SOCKET) on error, but instead it returns all kinds of errno-related errors. Subsequently, the check for invalid fd in do_pthreads_status at apcaccess.c:52

52	   if ((sockfd = net_open(host, NULL, port)) == INVALID_SOCKET) {

is ineffective and passes on bad socketfds for processing.

Comment 3 Fedora Update System 2015-11-23 14:26:25 UTC
apcupsd-3.14.13-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-d09886fa52

Comment 4 Fedora Update System 2015-11-23 14:26:44 UTC
apcupsd-3.14.13-2.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-e8eded3b5a

Comment 5 Fedora Update System 2015-11-24 00:23:38 UTC
apcupsd-3.14.13-2.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update apcupsd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-e8eded3b5a

Comment 6 Fedora Update System 2015-11-24 00:54:18 UTC
apcupsd-3.14.13-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update apcupsd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-482e23724e

Comment 7 Fedora Update System 2015-11-24 02:22:57 UTC
apcupsd-3.14.13-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update apcupsd'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-d09886fa52

Comment 8 Fedora Update System 2015-11-26 20:56:18 UTC
apcupsd-3.14.13-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-02-17 04:23:50 UTC
apcupsd-3.14.13-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.