Bug 151570 - Buffer overflow in strace
Buffer overflow in strace
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: strace (Show other bugs)
4
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Roland McGrath
Brian Brock
:
Depends On:
Blocks: FC4Blocker
  Show dependency treegraph
 
Reported: 2005-03-19 18:53 EST by Robin Green
Modified: 2007-11-30 17:11 EST (History)
6 users (show)

See Also:
Fixed In Version: 4.5.14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-04-03 04:32:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Typescript created using /usr/bin/script (4.35 KB, text/plain)
2005-03-19 18:56 EST, Robin Green
no flags Details

  None (edit)
Description Robin Green 2005-03-19 18:53:39 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050308 Firefox/1.0.1 Fedora/1.0.1-5

Description of problem:
Attaching strace to a running instance of X sometimes causes a buffer overflow to occur in strace. See attached typescript.

Version-Release number of selected component (if applicable):
strace-4.5.9-2

How reproducible:
Sometimes

Steps to Reproduce:
1. Ensure X is running
2. Ensure you are in a text virtual console (otherwise the machine might hang) 
3. strace -e signal=all -p `pidof X`

Actual Results:  Buffer overflow error. See attachment.

Expected Results:  No buffer overflow error.

Additional info:
Comment 1 Robin Green 2005-03-19 18:56:05 EST
Created attachment 112153 [details]
Typescript created using /usr/bin/script

I had to use /usr/bin/script to capture this, because the error gets written to
/dev/tty, not stderr.
Comment 2 Roland McGrath 2005-03-22 17:58:03 EST
This should already be fixed in the rawhide package (4.5.10-1).
Can you test that version?
Comment 3 Robin Green 2005-03-22 21:35:01 EST
It's still broken in 4.5.10-1.
Comment 4 Roland McGrath 2005-03-22 22:18:39 EST
This wasn't the bug I thought it was, but was a simple one.
I've fixed it upstream. 
Comment 5 Warren Togami 2005-05-28 04:33:05 EDT
Is this fixed in dist-fc4?
Comment 6 Joe Orton 2005-06-14 12:00:36 EDT
It looks like there is still a strace overflow in select() handling in the fc4
strace (strace-4.5.11-1): when stracing some test program I hit:

select(4, [3], NULL, NULL, {120, 0}*** buffer overflow detected ***: strace
terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x41d565]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x41ce30]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x39fb58]
/lib/libc.so.6(_IO_vfprintf+0xd92)[0x37aaf4]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x41ced1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x41ce24]
strace[0x804f497]
strace[0x804c879]
strace[0x804ba80]
/lib/libc.so.6(__libc_start_main+0xc6)[0x353de6]
strace[0x80495d1]
Comment 7 dan ginsberg 2005-06-24 19:32:51 EDT
strace-4.5.11-1

( while stracing a monotone initial pull )

time(NULL)                              = 1119655481
ioctl(2, TIOCGWINSZ, {ws_row=24, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
write(2, "\rmonotone: [bytes in: 6.4M] [byt"..., 80) = 80
select(5, [4], [4], [4], {21600, 0})    = 1 (in [4], left {21600, 0})
select(5, [4], NULL, NULL, {21600, 0})  = 1 (in [4], left {21600, 0})
recv(4, "\224\275\fU \303Z\226]\177\0358w*b\271\3531\201\271\33"..., 4095, 0) =4095
time(NULL)                              = 1119655481
ioctl(2, TIOCGWINSZ, {ws_row=24, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
write(2, "\rmonotone: [bytes in: 6.4M] [byt"..., 80) = 80
select(5, [4], [4], [4], {21600, 0})    = 1 (in [4], left {21600, 0})
select(5, [4], NULL, NULL, {21600, 0})  = 1 (in [4], left {21600, 0})
recv(4, "\255\352:\342:f\344~\330\330\267\266\262D\265\307\230%"..., 4095, 0) =3742
time(NULL)                              = 1119655481
ioctl(2, TIOCGWINSZ, {ws_row=24, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0
write(2, "\rmonotone: [bytes in: 6.4M] [byt"..., 80) = 80
select(5, [4], [4], [4], {21600, 0}*** buffer overflow detected ***: strace
terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x8fc565]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x8fbe30]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x87eb58]
/lib/libc.so.6(_IO_vfprintf+0x1b05)[0x85a867]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x8fbed1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x8fbe24]
strace[0x804f497]
strace[0x804c879]
strace[0x804ba80]
/lib/libc.so.6(__libc_start_main+0xc6)[0x832de6]
strace[0x80495d1]
======= Memory map: ========
005a2000-005ab000 r-xp 00000000 fd:00 7373866    /lib/libgcc_s-4.0.0-20050520.so.1
005ab000-005ac000 rwxp 00009000 fd:00 7373866    /lib/libgcc_s-4.0.0-20050520.so.1
00800000-0081a000 r-xp 00000000 fd:00 7372821    /lib/ld-2.3.5.so
0081a000-0081b000 r-xp 00019000 fd:00 7372821    /lib/ld-2.3.5.so
0081b000-0081c000 rwxp 0001a000 fd:00 7372821    /lib/ld-2.3.5.so
0081e000-00942000 r-xp 00000000 fd:00 7372823    /lib/libc-2.3.5.so
00942000-00944000 r-xp 00124000 fd:00 7372823    /lib/libc-2.3.5.so
00944000-00946000 rwxp 00126000 fd:00 7372823    /lib/libc-2.3.5.so
00946000-00948000 rwxp 00946000 00:00 0
00af5000-00af6000 r-xp 00af5000 00:00 0
08047000-08071000 r-xp 00000000 fd:00 5941209    /usr/bin/strace
08071000-08072000 rw-p 0002a000 fd:00 5941209    /usr/bin/strace
08072000-08079000 rw-p 08072000 00:00 0
09913000-09934000 rw-p 09913000 00:00 0          [heap]
b7f60000-b7f61000 rw-p b7f60000 00:00 0
b7f70000-b7f71000 rw-p b7f70000 00:00 0
bfe5b000-bfe71000 rw-p bfe5b000 00:00 0          [stack]
Aborted
Comment 8 Roland McGrath 2005-07-04 23:03:47 EDT
This is fixed upstream.  New package shortly.
Comment 9 P Fudd 2005-07-12 02:15:46 EDT
I also wanted to report strace dying with a buffer overflow in select().

# strace -p `pidof dhcpd`
Process 26092 attached - interrupt to quit
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
--- SIGSTOP (Stopped (signal)) @ 0 (0) ---
select(8, [4 6 7], [], [], {86373, 168000}
*** buffer overflow detected ***: strace terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x3fd565]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x3fce30]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x37fb58]
/lib/libc.so.6(_IO_vfprintf+0x1b05)[0x35b867]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x3fced1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x3fce24]
strace[0x804f497]
strace[0x804c879]
strace[0x804ba80]
/lib/libc.so.6(__libc_start_main+0xc6)[0x333de6]
strace[0x80495d1]
======= Memory map: ========
002fd000-00317000 r-xp 00000000 fd:00 2783627    /lib/ld-2.3.5.so
00317000-00318000 r-xp 00019000 fd:00 2783627    /lib/ld-2.3.5.so
00318000-00319000 rwxp 0001a000 fd:00 2783627    /lib/ld-2.3.5.so
0031f000-00443000 r-xp 00000000 fd:00 2783628    /lib/libc-2.3.5.so
00443000-00445000 r-xp 00124000 fd:00 2783628    /lib/libc-2.3.5.so
00445000-00447000 rwxp 00126000 fd:00 2783628    /lib/libc-2.3.5.so
00447000-00449000 rwxp 00447000 00:00 0 
00689000-00692000 r-xp 00000000 fd:00 2783632    /lib/libgcc_s-4.0.0-20050520.so.1
00692000-00693000 rwxp 00009000 fd:00 2783632    /lib/libgcc_s-4.0.0-20050520.so.1
08047000-08071000 r-xp 00000000 fd:00 3545407    /usr/bin/strace
08071000-08072000 rwxp 0002a000 fd:00 3545407    /usr/bin/strace
08072000-08079000 rwxp 08072000 00:00 0 
09ac0000-09ae1000 rwxp 09ac0000 00:00 0          [heap]
b7f9c000-b7f9e000 rwxp b7f9c000 00:00 0 
b7fb9000-b7fba000 r-xp b7fb9000 00:00 0 
bfda5000-bfdba000 rw-p bfda5000 00:00 0          [stack]
Abort

Where do we get the new package?
Comment 10 Roland McGrath 2006-04-03 04:32:10 EDT
4.5.14 is in fc4 updates and in fc5

Note You need to log in before you can comment on or make changes to this bug.