From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
# mklost+found
mklost+found 1.37 (21-Mar-2005)
*** buffer overflow detected ***: mklost+found terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x83b345]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x83ac10]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x7bd918]
/lib/libc.so.6(_IO_vfprintf+0x1b05)[0x799877]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x83acb1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x83ac04]
mklost+found[0x804880f]
/lib/libc.so.6(__libc_start_main+0xc6)[0x771de6]
mklost+found[0x8048691]
======= Memory map: ========
0073f000-00759000 r-xp 00000000 fd:00 97846      /lib/ld-2.3.5.so
00759000-0075a000 r-xp 00019000 fd:00 97846      /lib/ld-2.3.5.so
0075a000-0075b000 rwxp 0001a000 fd:00 97846      /lib/ld-2.3.5.so
0075d000-00881000 r-xp 00000000 fd:00 97847      /lib/libc-2.3.5.so
00881000-00883000 r-xp 00124000 fd:00 97847      /lib/libc-2.3.5.so
00883000-00885000 rwxp 00126000 fd:00 97847      /lib/libc-2.3.5.so
00885000-00887000 rwxp 00885000 00:00 0
008a1000-008a2000 r-xp 008a1000 00:00 0
00914000-0091d000 r-xp 00000000 fd:00 97857      /lib/libgcc_s-4.0.0-20050428.so.1
0091d000-0091e000 rwxp 00009000 fd:00 97857      /lib/libgcc_s-4.0.0-20050428.so.1
08048000-08049000 r-xp 00000000 fd:00 839572     /usr/sbin/mklost+found
08049000-0804a000 rw-p 00000000 fd:00 839572     /usr/sbin/mklost+found
08740000-08761000 rw-p 08740000 00:00 0          [heap]
b7cce000-b7ccf000 r--p 00f36000 fd:00 839310     /usr/lib/locale/locale-archive
b7ccf000-b7cd5000 r--p 00f0c000 fd:00 839310     /usr/lib/locale/locale-archive
b7cd5000-b7d02000 r--p 00eda000 fd:00 839310     /usr/lib/locale/locale-archive
b7d02000-b7f02000 r--p 00000000 fd:00 839310     /usr/lib/locale/locale-archive
b7f02000-b7f04000 rw-p b7f02000 00:00 0
bf8f5000-bf90b000 rw-p bf8f5000 00:00 0          [stack]
Aborted

Version-Release number of selected component (if applicable):
1.37-3

How reproducible:
Couldn't Reproduce

Steps to Reproduce:
I couldn't reproduce it; presumably it changed something on the first run that prevented it from reproducing. The test was run on known good hardware (an IBM desktop P3-800 machine which passes memtest86 tests) with a clean FC4T3 install.

Additional info:
someone forgot to count a terminating null character :) --- e2fsprogs-1.37/misc/mklost+found.c~ 2005-08-22 12:00:11.492666288 +0200 +++ e2fsprogs-1.37/misc/mklost+found.c 2005-08-22 12:00:11.492666288 +0200 @@ -55,9 +55,9 @@ int main (int argc, char ** argv) } i = 0; - memset (name, 'x', 252); + memset (name, 'x', 251); do { - sprintf (name + 252, "%02d", i); + sprintf (name + 251, "%02d", i); strcpy (path, LPF); strcat (path, "/"); strcat (path, name); @@ -73,7 +73,7 @@ int main (int argc, char ** argv) } } while (st.st_size <= (EXT2_NDIR_BLOCKS - 1) * st.st_blksize); for (j = 0; j < i; j++) { - sprintf (name + 252, "%02d", j); + sprintf (name + 251, "%02d", j); strcpy (path, LPF); strcat (path, "/"); strcat (path, name);
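Review bot: the first hunk's `sprintf (name + 251, "%02d", i)` still has no upper bound on i. "%02d" is a minimum width, not a maximum: indexes 100 to 999 emit three digits plus the terminator, which is exactly the four bytes that moving the memset from 252 to 251 frees, and from 1000 on the write is five bytes and runs past the buffer again. Nothing in the do/while bounds i; it stops only when lost+found has grown past (EXT2_NDIR_BLOCKS - 1) * st.st_blksize, so with a large block size the loop creates several hundred entries and a three-digit i under the old 252 + "%02d" layout is the likeliest trigger of the __sprintf_chk abort in the report. Suggest `snprintf (name + 251, sizeof (name) - 251, "%02d", i)` with the return value checked against the remaining room, or an explicit `if (i >= 1000)` error exit before the sprintf; the second hunk's sprintf over j formats the same range and needs the same guard.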
better fix: --- e2fsprogs-1.37/misc/mklost+found.c.org 2005-08-22 12:07:27.674991551 +0200 +++ e2fsprogs-1.37/misc/mklost+found.c 2005-08-22 12:07:39.313586038 +0200 @@ -55,9 +55,9 @@ int main (int argc, char ** argv) } i = 0; - memset (name, 'x', 252); + memset (name, 'x', 251); do { - sprintf (name + 252, "%02d", i); + sprintf (name + 251, "%03d", i); strcpy (path, LPF); strcat (path, "/"); strcat (path, name); @@ -73,7 +73,7 @@ int main (int argc, char ** argv) } } while (st.st_size <= (EXT2_NDIR_BLOCKS - 1) * st.st_blksize); for (j = 0; j < i; j++) { - sprintf (name + 252, "%02d", j); + sprintf (name + 251, "%03d", j); strcpy (path, LPF); strcat (path, "/"); strcat (path, name);
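Review bot: "%03d" in the first hunk fixes the name length (251 x's plus three digits, so every entry is the same 254 characters) but not the bound: for i >= 1000 the field widens to four digits and sprintf writes five bytes into the four bytes that follow name + 251, the same overflow in a different place, and the loop condition on st.st_size does not cap i. Since both hunks format the same index range, one guard in front of the loop's sprintf and its mirror over j, e.g. `if (i >= 1000) { fprintf (stderr, "mklost+found: too many entries\n"); exit (1); }`, or an snprintf bounded by sizeof (name) - 251 whose return value is checked, closes it. A one-line comment stating that 251 + 3 + NUL equals the buffer size would also help, since the original 252/"%02d" pair relied on the same silent arithmetic and got it wrong.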
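As an added example (not code from the bug report or from e2fsprogs), the following C program shows why the 252 + "%02d" layout overflows and what each of the two patches above actually bounds. It assumes, as the patch arithmetic implies, a 255-byte name buffer (EXT2_NAME_LEN); NAME_CAP, formatted_bytes, build_name and max_safe_index are names introduced here, and the width parameter stands in for the "%02d"/"%03d" formats in the patches.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: mklost+found's name buffer holds EXT2_NAME_LEN (255) bytes,
 * which is what the patch arithmetic (252 x's + "%02d" + NUL = 255) implies. */
#define NAME_CAP 255

/* Bytes sprintf() stores for one zero-padded index, NUL included.
 * A "%0Nd" width is a minimum, not a maximum: 100 always takes three digits. */
size_t formatted_bytes(int width, int i)
{
    int n = snprintf(NULL, 0, "%0*d", width, i);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* The mklost+found pattern with bounds: fill `prefix` x's, then append the
 * index. Returns 0 when the whole name (NUL included) fits in `cap` bytes,
 * -1 where the unbounded sprintf() would have written past the buffer. */
int build_name(char *name, size_t cap, size_t prefix, int width, int i)
{
    if (prefix >= cap)
        return -1;
    memset(name, 'x', prefix);
    size_t room = cap - prefix;
    int n = snprintf(name + prefix, room, "%0*d", width, i);
    if (n < 0 || (size_t)n >= room) {
        name[prefix] = '\0';   /* truncated: report it, do not use the name */
        return -1;
    }
    return 0;
}

/* Largest index a prefix/width pair can represent inside NAME_CAP, or -1. */
int max_safe_index(size_t prefix, int width)
{
    char name[NAME_CAP];
    int last = -1;
    for (int i = 0; i < 100000; i++) {
        if (build_name(name, sizeof name, prefix, width, i) != 0)
            break;
        last = i;
    }
    return last;
}

int main(void)
{
    printf("\"%%02d\" needs %zu bytes for 99 and %zu for 100\n",
           formatted_bytes(2, 99), formatted_bytes(2, 100));
    printf("original (252 x's, %%02d): safe up to index %d\n", max_safe_index(252, 2));
    printf("patch 1  (251 x's, %%02d): safe up to index %d\n", max_safe_index(251, 2));
    printf("patch 2  (251 x's, %%03d): safe up to index %d\n", max_safe_index(251, 3));
    return 0;
}
```

Compiled with `gcc -std=c99` and run, it reports that "%02d" needs four bytes for index 100, that the original layout is safe only up to index 99, and that both patches raise the limit to index 999 and no further. build_name returns -1 exactly where mklost+found's sprintf would have written past the buffer; that return-value check is what both patched versions still lack.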
Fixed in rawhide in rpm e2fsprogs-1.38-2.1 or newer.