Bug 158405 - who: buffer overflow
Summary: who: buffer overflow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: coreutils
Version: rawhide
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-21 20:41 UTC by Dieter Stolte
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 5.2.1-48
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-05 01:10:49 UTC
Type: ---
Embargoed:



Description Dieter Stolte 2005-05-21 20:41:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
> /usr/bin/who -Hliw
** buffer overflow detected ***: /usr/bin/who terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc0d415]
/lib/libc.so.6(__vsprintf_chk+0x0)[0xc0cce0]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0xb8f918]
/lib/libc.so.6(_IO_vfprintf+0x363f)[0xb6d3b1]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0xc0cd81]
/lib/libc.so.6(__sprintf_chk+0x30)[0xc0ccd4]
/usr/bin/who[0x804927b]
/usr/bin/who[0x8049c73]
/usr/bin/who[0x804a87f]
/lib/libc.so.6(__libc_start_main+0xc6)[0xb43de6]
/usr/bin/who[0x8048fb1]
======= Memory map: ========
006eb000-006f4000 r-xp 00000000 03:03 44906      /lib/libgcc_s-4.0.0-20050518.so.1
006f4000-006f5000 rwxp 00009000 03:03 44906      /lib/libgcc_s-4.0.0-20050518.so.1
00824000-00825000 r-xp 00824000 00:00 0
0093e000-00958000 r-xp 00000000 03:03 48262      /lib/ld-2.3.5.so
00958000-00959000 r-xp 00019000 03:03 48262      /lib/ld-2.3.5.so
00959000-0095a000 rwxp 0001a000 03:03 48262      /lib/ld-2.3.5.so
00b2f000-00c53000 r-xp 00000000 03:03 48269      /lib/libc-2.3.5.so
00c53000-00c55000 r-xp 00124000 03:03 48269      /lib/libc-2.3.5.so
00c55000-00c57000 rwxp 00126000 03:03 48269      /lib/libc-2.3.5.so
00c57000-00c59000 rwxp 00c57000 00:00 0
08048000-0804e000 r-xp 00000000 03:0c 378398     /usr/bin/who
0804e000-0804f000 rw-p 00005000 03:0c 378398     /usr/bin/who
085c2000-085e3000 rw-p 085c2000 00:00 0          [heap]
b7d2a000-b7d30000 r--s 00000000 03:0c 219342     /usr/lib/gconv/gconv-modules.cache
b7d30000-b7d6e000 r--p 00000000 03:0c 747260     /usr/share/locale/de/LC_MESSAGES/coreutils.mo
b7d6e000-b7f6e000 r--p 00000000 03:0c 344376     /usr/lib/locale/locale-archive
b7f6e000-b7f6f000 rw-p b7f6e000 00:00 0
b7f8b000-b7f8c000 rw-p b7f8b000 00:00 0
bfa77000-bfa8c000 rw-p bfa77000 00:00 0          [stack]
Abgebrochen


Version-Release number of selected component (if applicable):
coreutils-5.2.1-47

How reproducible:
Always

Steps to Reproduce:
1. LANG=de_DE.UTF-8 /usr/bin/who -Hliw

Actual Results:  see description

Expected Results:  it should work ;)

Additional info:

Comment 1 Tim Waugh 2005-05-23 16:30:25 UTC
Hmm, recompiling with -fno-inline makes the problem disappear.

Comment 2 Arjan van de Ven 2005-05-25 07:21:44 UTC
#define IDLESTR_LEN 6
...
in print_line():
  char x_idle[1 + IDLESTR_LEN + 1];
..
    sprintf (x_idle, " %-6s", idle);

where, for LANG=de_DE.UTF8, "idle" has the value 
"UNTÄTIG" which is 8 characters long (due to UTF8!) + terminating zero, and thus
overflows the x_idle buffer. 

gcc 1 - coreutils 0
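
Added example, not part of the original bug report and not the coreutils source or its fix: the byte arithmetic behind comment 2, measured with snprintf instead of performing the out-of-bounds write, next to a bounded variant. The helper names, X_IDLE_SIZE and the "IDLE" sample string are assumptions made for illustration; only IDLESTR_LEN, x_idle and the " %-6s" format come from the comment.

```c
#include <stdio.h>
#include <string.h>

#define IDLESTR_LEN 6
#define X_IDLE_SIZE (1 + IDLESTR_LEN + 1) /* sizing of x_idle as quoted in comment 2 */

/* Bytes, including the terminating NUL, that sprintf(x_idle, " %-6s", idle)
   writes. snprintf with a NULL buffer and size 0 only measures.
   The 6 in %-6s is a minimum field width: it pads, it never limits. */
static size_t bytes_needed(const char *idle)
{
    int n = snprintf(NULL, 0, " %-6s", idle);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* 1 if the unchecked sprintf would write past the end of x_idle. */
static int would_overflow(const char *idle)
{
    return bytes_needed(idle) > X_IDLE_SIZE;
}

/* Bounded variant (hypothetical helper): returns 0 if the text fit,
   -1 if snprintf had to cut it to stay inside dst. */
static int format_idle(char *dst, size_t dstsize, const char *idle)
{
    int n = snprintf(dst, dstsize, " %-6s", idle);
    return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a 4-byte ASCII header and the German string from
       the report spelled as UTF-8 bytes (A-umlaut is 0xC3 0x84). */
    const char *samples[] = { "IDLE", "UNT\xc3\x84TIG" };
    char x_idle[X_IDLE_SIZE];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_idle(x_idle, sizeof x_idle, samples[i]);
        printf("%s: strlen=%zu, sprintf needs %zu of %d bytes, "
               "overflow=%d, bounded rc=%d\n",
               samples[i], strlen(samples[i]), bytes_needed(samples[i]),
               X_IDLE_SIZE, would_overflow(samples[i]), rc);
    }
    return 0;
}
```

snprintf cuts by bytes, so a caller that gets -1 from the bounded variant still has to decide how to handle a translated header that no longer fits the column.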

Comment 5 Tim Waugh 2005-05-25 09:59:16 UTC
Fixed package is coreutils-5.2.1-48.

