Bug 153987 - Kudzu segfaults with some Firewire controllers due to improperly checked fd
Kudzu segfaults with some Firewire controllers due to improperly checked fd
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: kudzu (Show other bugs)
rawhide
All Linux
medium Severity high
: ---
: ---
Assigned To: Bill Nottingham
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-06 09:49 EDT by Daniel de Kok
Modified: 2014-03-16 22:53 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-06 13:19:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel de Kok 2005-04-06 09:49:14 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050327 Firefox/1.0.2 (Debian package 1.0.2-1.0.libranet.1)

Description of problem:
Kudzu segfaults on some machines that have a firewire controller, due to an incorrectly checked file descriptor. The code allows bufFromFd to be called with a file descriptor < 0, causing a segfault due to a memset called in bufFromFd.

Version-Release number of selected component (if applicable):
CVS

How reproducible:
Always

Steps to Reproduce:
1. kudzu -p

Actual Results:  The relevant information from a backtrace:

---
Program received signal SIGSEGV, Segmentation fault.
0xb7f0878b in memset () from /lib/tls/libc.so.6
#0  0xb7f0878b in memset () from /lib/tls/libc.so.6
No symbol table info available.
#1  0x08051328 in bufFromFd (fd=-1) at kudzu.c:587
	sbuf = {st_dev = 13257478449905010208, __pad1 = 1568, st_ino = 3086747168, st_mode = 135081096, st_nlink = 2, st_uid = 16, st_gid = 3086747168, 
  st_rdev = 13257478140667362400, __pad2 = 1, st_size = -1073744648, st_blksize = -1209005885, st_blocks = -1208220128, st_atim = {tv_sec = 5, tv_nsec = -1208222624}, 
  st_mtim = {tv_sec = -1208222624, tv_nsec = 135081048}, st_ctim = {tv_sec = -1073743608, tv_nsec = -1073744616}, __unused4 = 3085813524, __unused5 = 3221222720}
	buf = 0x0
	bytes = 0
	tmpbuf = "8����#���\221\004\by:<\a�\214\004\b���P\221��\003\000\000\000\210��\000\000\000\000\001\000\000\000���\000\000\000\000���`��\000\000\000\000y:<\ap���\000\220��\000\020\002\000�2\000\000�\037\r\b�\"\r\b\000\020\002\000\000\000\000\000`\026\v\b�\"\r\b", '\0' <repeats 16 times>, "\004\000\000\0008a\021\b\234a\021\b\233a\021\b\234a\021\b\001\000\000\000\000\000\000\000\000@\000\000\026Z��\234\221��\210��\001\000\000\000\000\000\000\000\001\000\000\000p����\b�\b@\000\000 \006�4\231\006\bl\000\000\000�\221"...
#2  0x08063f0d in firewireProbe (probeClass=CLASS_UNSPEC, probeFlags=1, devlist=0x80d2be0) at firewire.c:102
	path = "/sys/bus/ieee1394/devices/000048000003d0fc-0/model_name_kv\000\000 \006�`�� \006�\001\000\000\000�����\b� \006�\b\000\000\000`��\b\000\000\000�\212\006\b����\026m��+\r\b\000\000\000\000\b\000\000\000T\201\006\b\022\000\000\000�n\000\000�n\000\000\000\000\000\000\000\000\001", '\0' <repeats 13 times>, "\001", '\0' <repeats 31 times>, "�\000\000\000H&\r\be/\177\017�+\r\bH1440\000�?\000\000\000\000�%\r\b"...
	specifier_id = 0x8116d58 "0x00609e"
	version = 0x8117d60 "0x010483"
	dir = (DIR *) 0x8115d38
	entry = (struct dirent *) 0x8115d94
	fd = -1
	fwdev = (struct firewireDevice *) 0x80d2c58
	loaded_driver = 0
---

Expected Results:  No segfault.

Additional info:

Patch:

Index: firewire.c
===================================================================
RCS file: /usr/local/CVS/kudzu/firewire.c,v
retrieving revision 1.9
diff -b -u -r1.9 firewire.c
--- firewire.c	26 Aug 2004 08:04:15 -0000	1.9
+++ firewire.c	6 Apr 2005 13:31:21 -0000
@@ -98,7 +98,7 @@
 					fwdev->next = devlist;
 				snprintf(path,255,"/sys/bus/ieee1394/devices/%s/model_name_kv",entry->d_name);
 				fd = open(path, O_RDONLY);
-				if (fd) {
+				if (fd >= 0) {
 					fwdev->desc = bufFromFd(fd);
 					fwdev->desc[strlen(fwdev->desc) - 1] = '\0';
 				} else
Comment 1 Bill Nottingham 2005-04-06 13:14:23 EDT
Added in CVS, will be in the next build. Thanks!

Note You need to log in before you can comment on or make changes to this bug.