Bug 157773 - mklost+found crashes with buffer overflow
mklost+found crashes with buffer overflow
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: e2fsprogs (Show other bugs)
4
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-15 02:23 EDT by Russell Coker
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-10 13:32:33 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Russell Coker 2005-05-15 02:23:09 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
# mklost+found 
mklost+found 1.37 (21-Mar-2005) 
*** buffer overflow detected ***: mklost+found terminated 
======= Backtrace: ========= 
/lib/libc.so.6(__chk_fail+0x41)[0x83b345] 
/lib/libc.so.6(__vsprintf_chk+0x0)[0x83ac10] 
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x7bd918] 
/lib/libc.so.6(_IO_vfprintf+0x1b05)[0x799877] 
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x83acb1] 
/lib/libc.so.6(__sprintf_chk+0x30)[0x83ac04] 
mklost+found[0x804880f] 
/lib/libc.so.6(__libc_start_main+0xc6)[0x771de6] 
mklost+found[0x8048691] 
======= Memory map: ======== 
0073f000-00759000 r-xp 00000000 fd:00 97846      /lib/ld-2.3.5.so 
00759000-0075a000 r-xp 00019000 fd:00 97846      /lib/ld-2.3.5.so 
0075a000-0075b000 rwxp 0001a000 fd:00 97846      /lib/ld-2.3.5.so 
0075d000-00881000 r-xp 00000000 fd:00 97847      /lib/libc-2.3.5.so 
00881000-00883000 r-xp 00124000 fd:00 97847      /lib/libc-2.3.5.so 
00883000-00885000 rwxp 00126000 fd:00 97847      /lib/libc-2.3.5.so 
00885000-00887000 rwxp 00885000 00:00 0 
008a1000-008a2000 r-xp 008a1000 00:00 0 
00914000-0091d000 r-xp 00000000 fd:00 
97857      /lib/libgcc_s-4.0.0-20050428.so                                                                                                                                                   .1 
0091d000-0091e000 rwxp 00009000 fd:00 
97857      /lib/libgcc_s-4.0.0-20050428.so                                                                                                                                                   .1 
08048000-08049000 r-xp 00000000 fd:00 839572     /usr/sbin/mklost+found 
08049000-0804a000 rw-p 00000000 fd:00 839572     /usr/sbin/mklost+found 
08740000-08761000 rw-p 08740000 00:00 0          [heap] 
b7cce000-b7ccf000 r--p 00f36000 fd:00 
839310     /usr/lib/locale/locale-archive 
b7ccf000-b7cd5000 r--p 00f0c000 fd:00 
839310     /usr/lib/locale/locale-archive 
b7cd5000-b7d02000 r--p 00eda000 fd:00 
839310     /usr/lib/locale/locale-archive 
b7d02000-b7f02000 r--p 00000000 fd:00 
839310     /usr/lib/locale/locale-archive 
b7f02000-b7f04000 rw-p b7f02000 00:00 0 
bf8f5000-bf90b000 rw-p bf8f5000 00:00 0          [stack] 
Aborted 
 

Version-Release number of selected component (if applicable):
1.37-3

How reproducible:
Couldn't Reproduce

Steps to Reproduce:
I couldn't reproduce it, presumably it changed something on the first run that 
prevented it from reproducing. 
 
The test was run on known good hardware (IBM desktop P3-800 machine which 
passes memtest86 tests) with a clean FC4T3 install. 

Additional info:
Comment 1 Arjan van de Ven 2005-08-22 06:00:49 EDT
someone forgot to count a terminating null character :)

--- e2fsprogs-1.37/misc/mklost+found.c~ 2005-08-22 12:00:11.492666288 +0200
+++ e2fsprogs-1.37/misc/mklost+found.c  2005-08-22 12:00:11.492666288 +0200
@@ -55,9 +55,9 @@ int main (int argc, char ** argv)
        }

        i = 0;
-       memset (name, 'x', 252);
+       memset (name, 'x', 251);
        do {
-               sprintf (name + 252, "%02d", i);
+               sprintf (name + 251, "%02d", i);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
@@ -73,7 +73,7 @@ int main (int argc, char ** argv)
                }
        } while (st.st_size <= (EXT2_NDIR_BLOCKS - 1) * st.st_blksize);
        for (j = 0; j < i; j++) {
-               sprintf (name + 252, "%02d", j);
+               sprintf (name + 251, "%02d", j);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
Comment 2 Arjan van de Ven 2005-08-22 06:07:48 EDT
better fix:

--- e2fsprogs-1.37/misc/mklost+found.c.org      2005-08-22 12:07:27.674991551 +0200
+++ e2fsprogs-1.37/misc/mklost+found.c  2005-08-22 12:07:39.313586038 +0200
@@ -55,9 +55,9 @@ int main (int argc, char ** argv)
        }

        i = 0;
-       memset (name, 'x', 252);
+       memset (name, 'x', 251);
        do {
-               sprintf (name + 252, "%02d", i);
+               sprintf (name + 251, "%03d", i);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
@@ -73,7 +73,7 @@ int main (int argc, char ** argv)
                }
        } while (st.st_size <= (EXT2_NDIR_BLOCKS - 1) * st.st_blksize);
        for (j = 0; j < i; j++) {
-               sprintf (name + 252, "%02d", j);
+               sprintf (name + 251, "%03d", j);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
Comment 3 Thomas Woerner 2005-11-10 13:32:33 EST
Fixed in rawhide in rpm e2fsprogs-1.38-2.1 or newer.

Note You need to log in before you can comment on or make changes to this bug.