137182 – Short buffer allocation in getModuleLocation can cause boot failure

Bug 137182 - Short buffer allocation in getModuleLocation can cause boot failure

Summary: Short buffer allocation in getModuleLocation can cause boot failure

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	anaconda
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Jeremy Katz
QA Contact:	Mike McLean
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-10-26 15:27 UTC by Andrew Mann
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-04-24 19:04:04 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Andrew Mann 2004-10-26 15:27:32 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7)
Gecko/20040614 Firefox/0.9

Description of problem:
In the file loader2/modules.c, in the function getModuleLocation() the
following code appears:

    if (version == 1) {
        ret = malloc(strlen(u.release) + strlen(arch) + 1);
        sprintf(ret, "%s/%s", u.release, arch);
        return ret;

  The malloc should allocate + 2 extra bytes, not 1, since the
following sprintf adds 1 extra character and needs a terminating NULL.
  If the release string length + arch string length + 1 is a multiple
of the underlying allocation alignment size, the terminating NULL may
be overwritten by other variables.

  Trouble involving this came up when using a 23 character long kernel
release string with i386 arch strlen(release/arch)=28.  The symptoms
were that attempts to load the first module set (vgafb16.o) provided
maps with the module location having an extra non-printable character
appended after i386.  When printed, the maps looked like:
"kernel-release/i386 /vgafb16.o".  The modules failed to load and the
system failed to boot.

  The line "error ## reading header: cpio: read failed - No such file
or directory." will display on the console (though there are many
other more likely reasons for this appearing as well).

Version-Release number of selected component (if applicable):
anaconda-9.1.3

How reproducible:
Always

Steps to Reproduce:
1. Build an i386 kernel with a release string of length mod 4 = 3
(i.e. 23 characters long) based off the 2.4.21-20.EL1 kernel.
2. Create a boot disk using this kernel.
3. Attempt to boot from the boot disk.


Actual Results:  The kernel will load, and proceed normally to
"running /sbin/loader".  It will then fail to load modules and fail
the rest of the boot process.

Expected Results:  The disk should continue the boot process.

Additional info:

This bug may occur in different circumstances on other architectures. 
Changing the allocation to:
 malloc(strlen(u.release) + strlen(arch) + 2);
  
 resolved the issue.

Maked as high due to simplicity of fix, and the potential to cause
infinite frustration attempting to track down an elusive bug.

Comment 1 Jeremy Katz 2004-10-26 22:46:40 UTC

Fixed in CVS on the RHEL3 branch.  Same as bug 115948 from -HEAD

Comment 2 Jeremy Katz 2006-04-24 19:04:04 UTC

Mass-closing lots of old bugs which are in MODIFIED (and thus presumed to be
fixed).  If any of these are still a problem, please reopen or file a new bug
against the release which they're occurring in so they can be properly tracked.

Note You need to log in before you can comment on or make changes to this bug.