Bug 1448397 - dmfilemapd segfault with wrong number of arguments
Summary: dmfilemapd segfault with wrong number of arguments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: lvm2
Version: 7.4
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Bryn M. Reeves
QA Contact: cluster-qe@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-05 11:03 UTC by Bryn M. Reeves
Modified: 2021-09-03 12:54 UTC
CC List: 9 users

Fixed In Version: lvm2-2.02.171-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 21:54:18 UTC
Target Upstream Version:
Embargoed:

Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2017:2222 | 0 | normal | SHIPPED_LIVE | lvm2 bug fix and enhancement update | 2017-08-01 18:42:41 UTC

Description Bryn M. Reeves 2017-05-05 11:03:16 UTC
Description of problem:
If the dmfilemapd daemon is run with the wrong number of arguments it will segfault after printing the usage message:

# dmfilemapd 
Wrong number of arguments.
usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]]
Segmentation fault (core dumped)

This is because the struct filemap_monitor (that stores the context the daemon is monitoring) is not cleared until after the argument count has been checked in _parse_args(): this means that an error is returned to main() which will then attempt to free the fm.path pointer. As the struct has not been initialised this field contains garbage from the stack.

Version-Release number of selected component (if applicable):
lvm2-2.02.171.el7
device-mapper-1.02.140-1.el7

How reproducible:
100%

Steps to Reproduce:
1. dmfilemapd

Actual results:
# dmfilemapd 
Wrong number of arguments.
usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]]
Segmentation fault (core dumped)

Expected results:
# dmfilemapd 
Wrong number of arguments.
usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]]

Additional info:

Fixed upstream:

commit 7fbeea30e5ce4dbb4877910877575ed6c37dfb8c
Author: Bryn M. Reeves <bmr>
Date:   Fri May 5 11:48:54 2017 +0100

    dmfilemapd: clear filemap_monitor before calling _parse_args()
    
    If the wrong number of arguments are given, main() will attempt
    to free the uninitialised pointer in fm.path.

Comment 1 Bryn M. Reeves 2017-05-08 16:19:47 UTC
Coverity spotted another error in dmfilemapd: a local variable that can now be accessed before its assignment when the monitored file is unlinked. If possible we should also pull this fix in:

commit a9940d16fe5251f2f1d7cb008cfd3be1bfb50120
Author: Bryn M. Reeves <bmr>
Date:   Mon May 8 17:10:25 2017 +0100

    dmfilemapd: always initialise 'same' local variable (Coverity)
    
    Fix a regression introduced in 70bb726 that allows a local variable
    in the monitored file checking routine to be accessed before its
    assignment when the file has already been unlinked.

Comment 2 Bryn M. Reeves 2017-05-10 13:09:41 UTC
This is the fix for this bug:

commit 7fbeea30e5ce4dbb4877910877575ed6c37dfb8c
Author: Bryn M. Reeves <bmr>
Date:   Fri May 5 11:48:54 2017 +0100

    dmfilemapd: clear filemap_monitor before calling _parse_args()
    
    If the wrong number of arguments are given, main() will attempt
    to free the uninitialised pointer in fm.path.

The following commit isn't directly related but was made while reviewing changes for this bug:

commit a9940d16fe5251f2f1d7cb008cfd3be1bfb50120
Author: Bryn M. Reeves <bmr>
Date:   Mon May 8 17:10:25 2017 +0100

    dmfilemapd: always initialise 'same' local variable (Coverity)
    
    Fix a regression introduced in 70bb726 that allows a local variable
    in the monitored file checking routine to be accessed before its
    assignment when the file has already been unlinked.

Comment 4 Roman Bednář 2017-05-31 12:12:01 UTC
Marking verified.

BEFORE PATCH:

# dmfilemapd
Wrong number of arguments.
usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]]
Segmentation fault (core dumped)


AFTER PATCH:

# dmfilemapd 
Wrong number of arguments.
usage: dmfilemapd <fd> <group_id> <abs_path> <mode> [<foreground>[<log_level>]]


3.10.0-671.el7.x86_64

lvm2-2.02.171-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
lvm2-libs-2.02.171-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
lvm2-cluster-2.02.171-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
device-mapper-1.02.140-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
device-mapper-libs-1.02.140-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
device-mapper-event-1.02.140-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
device-mapper-event-libs-1.02.140-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017
device-mapper-persistent-data-0.7.0-0.1.rc6.el7    BUILT: Mon Mar 27 17:15:46 CEST 2017
cmirror-2.02.171-2.el7    BUILT: Wed May 24 16:02:34 CEST 2017

Comment 5 errata-xmlrpc 2017-08-01 21:54:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2222

