Bug 1343809 - like mdadm --detail --scan causes SIGABRT
Summary: like mdadm --detail --scan causes SIGABRT
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mdadm
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Jes Sorensen
QA Contact: guazhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1269194 1346447 1347749 1347808
 
Reported: 2016-06-08 03:31 UTC by nikhil kshirsagar
Modified: 2019-11-14 08:19 UTC
CC: 10 users

Fixed In Version: mdadm-3.3.4-4.el6
Doc Type: No Doc Update
Doc Text:
The command "mdadm --detail --scan" aborts (via the glibc FORTIFY_SOURCE buffer overflow check) if the name of a member device that it needs to store is 20 characters or longer: the name is copied with strcpy() into the 20-byte sys_name field of struct mdinfo, and the terminating NUL pushes a 20-character name past the end of the buffer. To address this issue, the field was enlarged and a check of the device name length was added. If a device name still does not fit, the command fails and a log message is generated instead of aborting.
Clone Of:
Clones: 1347749 1347808
Environment:
Last Closed: 2017-03-21 08:58:22 UTC
Target Upstream Version:
Embargoed:


Attachments
core (356.00 KB, application/x-core), 2016-06-08 03:31 UTC, nikhil kshirsagar
mdadm packages installed (1.36 MB, image/bmp), 2016-06-08 03:32 UTC, nikhil kshirsagar
sosreport (8.01 MB, application/x-xz), 2016-06-08 03:33 UTC, nikhil kshirsagar
logs (97.82 KB, text/plain), 2016-06-08 03:35 UTC, nikhil kshirsagar
2nd core (352.00 KB, application/x-core), 2016-06-08 05:16 UTC, nikhil kshirsagar


Links
Red Hat Product Errata RHBA-2017:0569 (priority normal, status SHIPPED_LIVE): mdadm bug fix update, last updated 2017-03-21 12:22:18 UTC

Description nikhil kshirsagar 2016-06-08 03:31:54 UTC
Created attachment 1165816
core

Description of problem:
basic mdadm commands (like mdadm --detail --scan) cause SIGABRT

Version-Release number of selected component (if applicable):
mdadm-3.3.4-1.el6

How reproducible:
No reproducer in-house.



Additional info:

mdadm is segfaulting for commands like mdadm --detail --scan /dev/md0

Here's the valgrind trace I have collected after installing the debuginfo on the customer system.


[root@ocztest ken]# valgrind mdadm --detail --scan /dev/md0
==28382== Memcheck, a memory error detector
==28382== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==28382== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==28382== Command: mdadm --detail --scan /dev/md0
==28382== 
**28382** *** strcpy_chk: buffer overflow detected ***: program terminated
==28382==    at 0x4A0AC53: VALGRIND_PRINTF_BACKTRACE (valgrind.h:4550)
==28382==    by 0x4A0AE10: __strcpy_chk (mc_replace_strmem.c:1192)
==28382==    by 0x44FE58: sysfs_read (string3.h:105)
==28382==    by 0x41CDF9: Detail (Detail.c:106)
==28382==    by 0x405ED2: main (mdadm.c:1747)
==28382== 
==28382== HEAP SUMMARY:
==28382==     in use at exit: 34,170 bytes in 29 blocks
==28382==   total heap usage: 34 allocs, 5 frees, 35,900 bytes allocated
==28382== 
==28382== LEAK SUMMARY:
==28382==    definitely lost: 0 bytes in 0 blocks
==28382==    indirectly lost: 0 bytes in 0 blocks
==28382==      possibly lost: 33,232 bytes in 2 blocks
==28382==    still reachable: 938 bytes in 27 blocks
==28382==         suppressed: 0 bytes in 0 blocks
==28382== Rerun with --leak-check=full to see details of leaked memory
==28382== 
==28382== For counts of detected and suppressed errors, rerun with: -v
==28382== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)

Some extra info I asked them to collect:

[root@ocztest ~]# mdadm -I /dev/md0
mdadm: no recognisable superblock on /dev/md0.
[root@ocztest ~]# 

[root@ocztest dev]# mdadm -vv --detail /dev/md0
*** buffer overflow detected ***: mdadm terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3a93f026d7]
/lib64/libc.so.6[0x3a93f005c0]
mdadm[0x44fe59]
mdadm[0x41cdfa]
mdadm[0x405ed3]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3a93e1ed1d]
mdadm[0x402ce9]
======= Memory map: ========
00400000-0046e000 r-xp 00000000 fd:00 2764808                            /sbin/mdadm
0066e000-00675000 rw-p 0006e000 fd:00 2764808                            /sbin/mdadm
00675000-00688000 rw-p 00000000 00:00 0 
01ece000-01eef000 rw-p 00000000 00:00 0                                  [heap]
3a93a00000-3a93a20000 r-xp 00000000 fd:00 262152                         /lib64/ld-2.12.so
3a93c1f000-3a93c21000 r--p 0001f000 fd:00 262152                         /lib64/ld-2.12.so
3a93c21000-3a93c22000 rw-p 00021000 fd:00 262152                         /lib64/ld-2.12.so
3a93c22000-3a93c23000 rw-p 00000000 00:00 0 
3a93e00000-3a93f8a000 r-xp 00000000 fd:00 262174                         /lib64/libc-2.12.so
3a93f8a000-3a9418a000 ---p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418a000-3a9418e000 r--p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418e000-3a94190000 rw-p 0018e000 fd:00 262174                         /lib64/libc-2.12.so
3a94190000-3a94194000 rw-p 00000000 00:00 0 
3a98a00000-3a98a16000 r-xp 00000000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98a16000-3a98c15000 ---p 00016000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98c15000-3a98c16000 rw-p 00015000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
7f44b0369000-7f44b036c000 rw-p 00000000 00:00 0 
7f44b0383000-7f44b0385000 rw-p 00000000 00:00 0 
7ffc9f708000-7ffc9f71d000 rw-p 00000000 00:00 0                          [stack]
7ffc9f7f2000-7ffc9f7f3000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)
[root@ocztest dev]# 

execve("/sbin/mdadm", ["mdadm", "--detail", "/dev/md0"], [/* 54 vars */]) = 0
brk(0)                                  = 0x88e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff832496000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=94345, ...}) = 0
mmap(NULL, 94345, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff83247e000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\356\341\223:\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1930416, ...}) = 0
mmap(0x3a93e00000, 3750184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a93e00000
mprotect(0x3a93f8a000, 2097152, PROT_NONE) = 0
mmap(0x3a9418a000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x3a9418a000
mmap(0x3a94190000, 14632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3a94190000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff83247d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff83247c000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff83247b000
arch_prctl(ARCH_SET_FS, 0x7ff83247c700) = 0
mprotect(0x3a9418a000, 16384, PROT_READ) = 0
mprotect(0x3a93c1f000, 8192, PROT_READ) = 0
munmap(0x7ff83247e000, 94345)           = 0
getpid()                                = 2326
brk(0)                                  = 0x88e000
brk(0x8af000)                           = 0x8af000
open("/etc/mdadm.conf", O_RDONLY)       = -1 ENOENT (No such file or directory)
open("/etc/mdadm/mdadm.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/mdadm.conf.d", O_RDONLY)     = -1 ENOENT (No such file or directory)
uname({sys="Linux", node="ocztest", ...}) = 0
geteuid()                               = 0
open("/dev/md0", O_RDONLY)              = 3
uname({sys="Linux", node="ocztest", ...}) = 0
fstat(3, {st_mode=S_IFBLK|0660, st_rdev=makedev(9, 0), ...}) = 0
ioctl(3, RAID_VERSION, 0x7fffd8dbec00)  = 0
ioctl(3, RAID_VERSION, 0x7fffd8dbcb40)  = 0
fstat(3, {st_mode=S_IFBLK|0660, st_rdev=makedev(9, 0), ...}) = 0
readlink("/sys/dev/block/9:0", "../../devices/virtual/block/md0", 199) = 31
open("/sys/block/md0/md/metadata_version", O_RDONLY) = 4
read(4, "1.2\n", 1024)                  = 4
close(4)                                = 0
open("/sys/block/md0/md/", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
fcntl(4, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
getdents(4, /* 35 entries */, 32768)    = 1200
open("/sys/block/md0/md/dev-oczpcie_23_0_ssd/slot", O_RDONLY) = 5
read(5, "1\n", 1024)                    = 2
close(5)                                = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 5
writev(5, [{"*** ", 4}, {"buffer overflow detected", 24}, {" ***: ", 6}, {"mdadm", 5}, {" terminated\n", 12}], 5*** buffer overflow detected ***: mdadm terminated
) = 51
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff832495000
open("/etc/ld.so.cache", O_RDONLY)      = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=94345, ...}) = 0
mmap(NULL, 94345, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7ff832463000
close(6)                                = 0
open("/lib64/libgcc_s.so.1", O_RDONLY)  = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20)\240\230:\0\0\0"..., 832) = 832
fstat(6, {st_mode=S_IFREG|0755, st_size=93320, ...}) = 0
mmap(0x3a98a00000, 2186584, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x3a98a00000
mprotect(0x3a98a16000, 2093056, PROT_NONE) = 0
mmap(0x3a98c15000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x15000) = 0x3a98c15000
close(6)                                = 0
munmap(0x7ff832463000, 94345)           = 0
write(5, "======= Backtrace: =========\n", 29======= Backtrace: =========
) = 29
writev(5, [{"/lib64/libc.so.6", 16}, {"(", 1}, {"__fortify_fail", 14}, {"+0x", 3}, {"37", 2}, {")", 1}, {"[0x", 3}, {"3a93f026d7", 10}, {"]\n", 2}], 9/lib64/libc.so.6(__fortify_fail+0x37)[0x3a93f026d7]
) = 52
writev(5, [{"/lib64/libc.so.6", 16}, {"[0x", 3}, {"3a93f005c0", 10}, {"]\n", 2}], 4/lib64/libc.so.6[0x3a93f005c0]
) = 31
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"44fe59", 6}, {"]\n", 2}], 4mdadm[0x44fe59]
) = 16
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"41cdfa", 6}, {"]\n", 2}], 4mdadm[0x41cdfa]
) = 16
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"405ed3", 6}, {"]\n", 2}], 4mdadm[0x405ed3]
) = 16
writev(5, [{"/lib64/libc.so.6", 16}, {"(", 1}, {"__libc_start_main", 17}, {"+0x", 3}, {"fd", 2}, {")", 1}, {"[0x", 3}, {"3a93e1ed1d", 10}, {"]\n", 2}], 9/lib64/libc.so.6(__libc_start_main+0xfd)[0x3a93e1ed1d]
) = 55
writev(5, [{"mdadm", 5}, {"[0x", 3}, {"402ce9", 6}, {"]\n", 2}], 4mdadm[0x402ce9]
) = 16
write(5, "======= Memory map: ========\n", 29======= Memory map: ========
) = 29
open("/proc/self/maps", O_RDONLY)       = 6
read(6, "00400000-0046e000 r-xp 00000000 "..., 1024) = 1024
write(5, "00400000-0046e000 r-xp 00000000 "..., 102400400000-0046e000 r-xp 00000000 fd:00 2764808                            /sbin/mdadm
0066e000-00675000 rw-p 0006e000 fd:00 2764808                            /sbin/mdadm
00675000-00688000 rw-p 00000000 00:00 0 
0088e000-008af000 rw-p 00000000 00:00 0                                  [heap]
3a93a00000-3a93a20000 r-xp 00000000 fd:00 262152                         /lib64/ld-2.12.so
3a93c1f000-3a93c21000 r--p 0001f000 fd:00 262152                         /lib64/ld-2.12.so
3a93c21000-3a93c22000 rw-p 00021000 fd:00 262152                         /lib64/ld-2.12.so
3a93c22000-3a93c23000 rw-p 00000000 00:00 0 
3a93e00000-3a93f8a000 r-xp 00000000 fd:00 262174                         /lib64/libc-2.12.so
3a93f8a000-3a9418a000 ---p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418a000-3a9418e000 r--p 0018a000 fd:00 262174                         /lib64/libc-2.12.so
3a9418e000-3a94190000 rw-p 0018e000 fd:00 262174                         /lib64/libc-2.12.so
3a94190000-3a94194000 rw-p 00000000 00:00 0) = 1024
read(6, " \n3a98a00000-3a98a16000 r-xp 000"..., 1024) = 672
write(5, " \n3a98a00000-3a98a16000 r-xp 000"..., 672 
3a98a00000-3a98a16000 r-xp 00000000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98a16000-3a98c15000 ---p 00016000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
3a98c15000-3a98c16000 rw-p 00015000 fd:00 262294                         /lib64/libgcc_s-4.4.7-20120601.so.1
7ff83247b000-7ff83247e000 rw-p 00000000 00:00 0 
7ff832495000-7ff832497000 rw-p 00000000 00:00 0 
7fffd8daf000-7fffd8dc4000 rw-p 00000000 00:00 0                          [stack]
7fffd8dd5000-7fffd8dd6000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
) = 672
read(6, "", 1024)                       = 0
close(6)                                = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(2326, 2326, SIGABRT)             = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2326, si_uid=0} ---
+++ killed by SIGABRT (core dumped) +++
Aborted (core dumped)
[root@ocztest dev]# 

Attaching core and their mdadm installed packages list to the bz.

Comment 1 nikhil kshirsagar 2016-06-08 03:32:44 UTC
Created attachment 1165817
mdadm packages installed

Comment 2 nikhil kshirsagar 2016-06-08 03:33:51 UTC
Created attachment 1165818
sosreport

Comment 3 nikhil kshirsagar 2016-06-08 03:35:25 UTC
Created attachment 1165819
logs

Comment 8 nikhil kshirsagar 2016-06-08 05:16:44 UTC
Created attachment 1165827
2nd core

Comment 10 nikhil kshirsagar 2016-06-08 05:30:26 UTC
(gdb) frame 7
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0", c=0x7fffe35ef590) at Detail.c:106
106		sra = sysfs_read(fd, NULL, GET_VERSION|GET_DEVS);

(gdb) info locals
fd = 3
vers = 9003
array = {major_version = 0, minor_version = 0, patch_version = 0, ctime = 0, level = 0, size = 0, nr_disks = 0, raid_disks = 0, md_minor = 0, not_persistent = 0, utime = 0, state = 0, active_disks = 0, working_disks = 0, 
  failed_disks = 0, spare_disks = 0, layout = 0, chunk_size = 0}
disks = <value optimized out>
next = <value optimized out>
d = <value optimized out>
atime = <value optimized out>
str = <value optimized out>
devices = 0x0
max_devices = 0
n_devices = 0
spares = 0
stb = {st_dev = 0, st_ino = 0, st_nlink = 0, st_mode = 0, st_uid = 0, st_gid = 0, __pad0 = 0, st_rdev = 0, st_size = 0, st_blksize = 0, st_blocks = 0, st_atim = {tv_sec = 0, tv_nsec = 0}, st_mtim = {tv_sec = 0, tv_nsec = 0}, st_ctim = {
    tv_sec = 0, tv_nsec = 0}, __unused = {0, 0, 0}}
is_26 = 1
is_rebuilding = 0
failed = 0
st = <value optimized out>
subarray = 0x0
max_disks = 27
info = 0x0
sra = <value optimized out>
subdev = <value optimized out>
member = 0x0
container = 0x0
rv = 1
avail_disks = 0
avail = 0x0
external = <value optimized out>
inactive = <value optimized out>

(gdb) p sra
$1 = <value optimized out>

(gdb) where
#0  0x0000003a93e325e5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003a93e33dc5 in abort () at abort.c:92
#2  0x0000003a93e704f7 in __libc_message (do_abort=2, fmt=0x3a93f578cf "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x0000003a93f026d7 in __fortify_fail (msg=0x3a93f57875 "buffer overflow detected") at fortify_fail.c:32
#4  0x0000003a93f005c0 in __chk_fail () at chk_fail.c:29
#5  0x000000000044fe59 in strcpy (fd=<value optimized out>, devnm=<value optimized out>, options=<value optimized out>) at /usr/include/bits/string3.h:105
#6  sysfs_read (fd=<value optimized out>, devnm=<value optimized out>, options=<value optimized out>) at sysfs.c:272
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0", c=0x7fffe35ef590) at Detail.c:106
#8  0x0000000000405ed3 in misc_list (argc=<value optimized out>, argv=<value optimized out>) at mdadm.c:1747
#9  main (argc=<value optimized out>, argv=<value optimized out>) at mdadm.c:1425
(gdb) frame 8
#8  0x0000000000405ed3 in misc_list (argc=<value optimized out>, argv=<value optimized out>) at mdadm.c:1747
1747				rv |= Detail(dv->devname, c);

(gdb) frame 7
#7  0x000000000041cdfa in Detail (dev=0x7fffe35f1473 "/dev/md0", c=0x7fffe35ef590) at Detail.c:106
106		sra = sysfs_read(fd, NULL, GET_VERSION|GET_DEVS);
(gdb) print *c
$2 = {readonly = 0, runstop = 0, verbose = 0, brief = 0, force = 0, homehost = 0x7fffe35ef800 "ocztest", require_homehost = 1, prefer = 0x0, export = 0, test = 0, subarray = 0x0, update = 0x0, scan = 0, SparcAdjust = 0, autof = 0, 
  delay = 0, freeze_reshape = 0, backup_file = 0x0, invalid_backup = 0, action = 0x0}
(gdb)

Comment 11 nikhil kshirsagar 2016-06-08 05:46:15 UTC
(gdb) frame 6
#6  sysfs_read (fd=<value optimized out>, devnm=<value optimized out>, options=<value optimized out>) at sysfs.c:272
272			strcpy(dev->sys_name, de->d_name);
(gdb) info locals
ep = 0x0
fname = "/sys/block/md0/md/dev-oczpcie_23_0_ssd/slot", '\000' <repeats 3597 times>, "x\317^\343\377\177\000\000\005\000\000\000\000\000\000\000\377\377\377\377\377\377\377\377\000\000\000\000\000\000\000\000x\317^\343\377\177\000\000\002\000\000\000\000\000\000\000\006\000\000\000\000\000\000\000\020@T\001\000\000\000\000\000\371^\343\377\177\000\000\000\000\000\000\000\000\000\000O\377@", '\000' <repeats 13 times>, "\b\320^\343\377\177\000\000Linux", '\000' <repeats 60 times>, "ocztest", '\000' <repeats 58 times>, "2.6.32-642.el6.x86_64", '\000' <repeats 44 times>, "#1 S"...
buf = "1", '\000' <repeats 4094 times>
base = <value optimized out>
dbase = 0x7fffe35ec107 "slot"
sra = <value optimized out>
dev = 0x154c630
devp = 0x15445b8
dir = 0x15445f0
de = 0x1544860
(gdb) print *dev
$7 = {array = {major_version = 0, minor_version = 0, patch_version = 0, ctime = 0, level = 0, size = 0, nr_disks = 0, raid_disks = 0, md_minor = 0, not_persistent = 0, utime = 0, state = 0, active_disks = 0, working_disks = 0, 
    failed_disks = 0, spare_disks = 0, layout = 0, chunk_size = 0}, disk = {number = 0, major = 0, minor = 0, raid_disk = 0, state = 0}, events = 0, uuid = {0, 0, 0, 0}, name = '\000' <repeats 32 times>, data_offset = 0, 
  new_data_offset = 0, component_size = 0, custom_array_size = 0, reshape_active = 0, reshape_progress = 0, recovery_blocked = 0, space_before = 0, space_after = 0, {resync_start = 0, recovery_start = 0}, bitmap_offset = 0, 
  safe_mode_delay = 0, new_level = 0, delta_disks = 0, new_layout = 0, new_chunk = 0, errors = 0, cache_size = 0, mismatch_cnt = 0, text_version = '\000' <repeats 49 times>, container_member = 0, container_enough = 0, 
  sys_name = "dev-oczpcie_23_0_ssd", devs = 0x0, next = 0x0, recovery_fd = 0, state_fd = 0, prev_state = 0, curr_state = 0, next_state = 0}
(gdb) print *de
$8 = {d_ino = 14458, d_off = 14471, d_reclen = 40, d_type = 4 '\004', 
  d_name = "dev-oczpcie_23_0_ssd\000\207\070\000\000\000\000\000\000\264\070\000\000\000\000\000\000(\000\004dev-oczpcie_11_0_ssd\000\264\070\000\000\000\000\000\000\265\070\000\000\000\000\000\000 \000\bsync_action\000\b\265\070\000\000\000\000\000\000\266\070\000\000\000\000\000\000(\000\blast_sync_action\000\000\000\000\b\266\070\000\000\000\000\000\000\267\070\000\000\000\000\000\000 \000\bmismatch_cnt\000\267\070\000\000\000\000\000\000\270\070\000\000\000\000\000\000(\000\bsync_speed_min\000\000\000\000\000\000\b\270\070\000\000\000\000\000\000\271"...}
(gdb) 

The line that causes the fault is "sysfs.c" line 272

                strcpy(dev->sys_name, de->d_name);

de->d_name doesn't appear to be null terminated ?


(gdb) ptype dev
type = struct mdinfo {
    mdu_array_info_t array;
    mdu_disk_info_t disk;
    __u64 events;
    int uuid[4];
    char name[33];
    long long unsigned int data_offset;
    long long unsigned int new_data_offset;
    long long unsigned int component_size;
    long long unsigned int custom_array_size;
    int reshape_active;
    long long unsigned int reshape_progress;
    int recovery_blocked;
    long long unsigned int space_before;
    long long unsigned int space_after;
    union {
        long long unsigned int resync_start;
        long long unsigned int recovery_start;
    };
    long int bitmap_offset;
    long unsigned int safe_mode_delay;
    int new_level;
    int delta_disks;
    int new_layout;
    int new_chunk;
    int errors;
    long unsigned int cache_size;
    int mismatch_cnt;
    char text_version[50];
    int container_member;
    int container_enough;
    char sys_name[20];             <--- just 20 chars.
    struct mdinfo *devs;
    struct mdinfo *next;
    int recovery_fd;
    int state_fd;
    int prev_state;
    int curr_state;
    int next_state;
} *
(gdb)
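The gdb session in Comment 11 pins the fault to an unbounded strcpy() of a readdir() entry name into the 20-byte sys_name field of struct mdinfo, and the Doc Text describes the fix (a device name length check that fails with a log message; per Comment 22 the field also grew to 32 bytes). The following is an added example, not mdadm source: it models only the sys_name field rather than the real struct mdinfo, and the function names (strcpy_would_overflow, copy_sys_name, count_rejected) and the directory listing (the two 20-character dev-oczpcie_* names are the ones visible in the gdb dump; dev-sda1 and the other entries are constructed) are assumptions for illustration. It shows why a 20-character name already overflows a char[20] (the terminating NUL makes it 21 bytes, which is exactly what __strcpy_chk detects under _FORTIFY_SOURCE) and how a bounded copy turns the abort into a logged, recoverable failure.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mdadm code. Only the field that overflowed is modelled:
 * struct mdinfo carried char sys_name[20] in mdadm-3.3.4-1.el6 and was
 * enlarged to 32 bytes in mdadm-3.3.4-4.el6 (Comment 22). */
#define SYS_NAME_OLD 20
#define SYS_NAME_NEW 32

/* Returns 1 if strcpy(dst, d_name) into a buffer of `capacity` bytes would
 * write past its end. strcpy always stores the terminating NUL, so a
 * 20-character name needs 21 bytes; this is the condition __strcpy_chk
 * (glibc FORTIFY_SOURCE) aborted on in the report above. */
int strcpy_would_overflow(const char *d_name, size_t capacity)
{
    return strlen(d_name) + 1 > capacity;
}

/* Bounded replacement for the unchecked `strcpy(dev->sys_name, de->d_name)`
 * at sysfs.c:272, following the behaviour the Doc Text describes: a name that
 * does not fit is logged and rejected rather than copied.
 * Returns 0 on success, -1 (errno = ENAMETOOLONG) on failure. */
int copy_sys_name(char *dst, size_t capacity, const char *d_name)
{
    size_t len = strlen(d_name);

    if (len + 1 > capacity) {
        fprintf(stderr, "mdadm: device name '%s' is %zu chars, max %zu; skipping\n",
                d_name, len, capacity - 1);
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, d_name, len + 1);   /* len + 1 <= capacity: NUL included, in bounds */
    return 0;
}

/* Models the readdir() loop in sysfs_read(): each "dev-*" entry under
 * /sys/block/mdN/md/ is copied into a fixed-size sys_name of `capacity`
 * bytes. Returns how many entries had to be rejected as too long. */
int count_rejected(const char *const *entries, size_t n, size_t capacity)
{
    char sys_name[SYS_NAME_NEW];
    int rejected = 0;

    if (capacity > sizeof sys_name)     /* never exceed the real buffer */
        capacity = sizeof sys_name;

    for (size_t i = 0; i < n; i++) {
        if (strncmp(entries[i], "dev-", 4) != 0)
            continue;                   /* only dev-* entries are member devices */
        if (copy_sys_name(sys_name, capacity, entries[i]) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed directory listing. The two dev-oczpcie_* names come from the
     * gdb dump above and are exactly 20 characters; the rest are made up. */
    static const char *const listing[] = {
        "dev-oczpcie_23_0_ssd", "dev-oczpcie_11_0_ssd",
        "sync_action", "mismatch_cnt", "dev-sda1",
    };
    size_t n = sizeof listing / sizeof listing[0];

    printf("20-char name overflows char[20]: %d\n",
           strcpy_would_overflow("dev-oczpcie_23_0_ssd", SYS_NAME_OLD));
    printf("entries rejected with sys_name[20]: %d\n",
           count_rejected(listing, n, SYS_NAME_OLD));
    printf("entries rejected with sys_name[32]: %d\n",
           count_rejected(listing, n, SYS_NAME_NEW));
    return 0;
}
```

The length check is what matters operationally: growing the array to 32 bytes only moves the boundary, and the check is what keeps a longer name from reproducing the abort. If you shrink sys_name back to 20, swap copy_sys_name() for a plain strcpy() and build with -O2 -D_FORTIFY_SOURCE=2, glibc terminates the process with the same "*** buffer overflow detected ***" message seen in the strace output, because the destination size is known at compile time and the runtime check fires before the overflow lands.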

Comment 22 guazhang@redhat.com 2016-10-25 07:28:52 UTC
The size of the array has been changed to 32 bytes in mdadm.h in mdadm-3.3.4-4.el6
From https://bugzilla.redhat.com/show_bug.cgi?id=1347808#c14, customer has verified this fix.

thanks 
Guazhang

Comment 24 errata-xmlrpc 2017-03-21 08:58:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0569.html

