Bug 153685 - initlog may read past end of buffer
initlog may read past end of buffer
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: initscripts (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
Brock Organ
:
Depends On:
Blocks: 143575 145411
  Show dependency treegraph
 
Reported: 2005-04-04 19:28 EDT by Seth Robertson
Modified: 2014-03-16 22:53 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-05 14:17:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to resolve problem (506 bytes, patch)
2005-04-04 19:29 EDT, Seth Robertson
no flags Details | Diff

  None (edit)
Description Seth Robertson 2005-04-04 19:28:31 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050328 Firefox/1.0.2

Description of problem:
You allocate 8k, read 8k, and then in getline read bytes without
bounding the size of data.  If you actually did read 8k, then you can
read over the end of the array.


Version-Release number of selected component (if applicable):
initscripts-7.93.5-1 and CVS HEAD

How reproducible:
Always

Steps to Reproduce:
1. valgrind --tool=memcheck ./initlog -q -c "yes a very very very very very long even large string which will be printed very often"

2.
3.
  

Actual Results:  ==30387== Invalid read of size 1
==30387==    at 0x1B904747: memcpy (mac_replace_strmem.c:300)
==30387==    by 0x804971E: getLine (initlog.c:139)
==30387==    by 0x804ADB9: monitor (process.c:211)
==30387==    by 0x804B2F7: runCommand (process.c:315)
==30387==  Address 0x1BC7C6A8 is 0 bytes after a block of size 8192 alloc'd
==30387==    at 0x1B90540D: calloc (vg_replace_malloc.c:176)
==30387==    by 0x804AC52: monitor (process.c:191)
==30387==    by 0x804B2F7: runCommand (process.c:315)
==30387==    by 0x804A5B4: processArgs (initlog.c:426)


Additional info:

Patch in a few moments (stupid bugzilla)
Comment 1 Seth Robertson 2005-04-04 19:29:24 EDT
Created attachment 112693 [details]
Patch to resolve problem
Comment 2 Bill Nottingham 2005-04-05 14:17:40 EDT
You shouldn't look at that code, it's bad for you. :)

Added in CVS, thanks.

Note You need to log in before you can comment on or make changes to this bug.