Bug 158405 - who: buffer overflow
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: coreutils
Version: rawhide
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Tim Waugh
Reported: 2005-05-21 16:41 EDT by Dieter Stolte
Modified: 2007-11-30 17:11 EST
Fixed In Version: 5.2.1-48
Doc Type: Bug Fix
Last Closed: 2005-09-04 21:10:49 EDT
Description Dieter Stolte 2005-05-21 16:41:13 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050512 Fedora/1.0.4-2 Firefox/1.0.4

Description of problem:
> /usr/bin/who -Hliw
** buffer overflow detected ***: /usr/bin/who terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xc0d415]
/lib/libc.so.6(__vsprintf_chk+0x0)[0xc0cce0]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0xb8f918]
/lib/libc.so.6(_IO_vfprintf+0x363f)[0xb6d3b1]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0xc0cd81]
/lib/libc.so.6(__sprintf_chk+0x30)[0xc0ccd4]
/usr/bin/who[0x804927b]
/usr/bin/who[0x8049c73]
/usr/bin/who[0x804a87f]
/lib/libc.so.6(__libc_start_main+0xc6)[0xb43de6]
/usr/bin/who[0x8048fb1]
Abgebrochen


Version-Release number of selected component (if applicable):
coreutils-5.2.1-47

How reproducible:
Always

Steps to Reproduce:
1. LANG=de_DE.UTF-8 /usr/bin/who -Hliw

Actual Results:  see description

Expected Results:  it should work ;)

Additional info:
Comment 1 Tim Waugh 2005-05-23 12:30:25 EDT
Hmm, recompiling with -fno-inline makes the problem disappear.
Comment 2 Arjan van de Ven 2005-05-25 03:21:44 EDT
#define IDLESTR_LEN 6
...
in print_line():
  char x_idle[1 + IDLESTR_LEN + 1];
..
    sprintf (x_idle, " %-6s", idle);

where, for LANG=de_DE.UTF8, "idle" has the value 
"UNTÄTIG" which is 8 characters long (due to UTF8!) + terminating zero, and thus
overflows the x_idle buffer. 

gcc 1 - coreutils 0
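
The byte arithmetic from Comment 2, worked through as an added example; it is not part of the bug report and not the patch shipped in coreutils-5.2.1-48. It measures what `" %-6s"` needs for the German string and shows one bounded alternative that shortens on a UTF-8 character boundary. The helper names `idle_field_needed`, `utf8_prefix_len` and `format_idle` are hypothetical, and the sample string is constructed.

```c
#include <stdio.h>
#include <string.h>

#define IDLESTR_LEN 6   /* value quoted in Comment 2 */

/* Bytes, NUL included, that sprintf(" %-6s", idle) would write.
   "%-6s" is a minimum field width only; longer strings pass through whole. */
static size_t idle_field_needed(const char *idle)
{
    return (size_t)snprintf(NULL, 0, " %-6s", idle) + 1;
}

/* Longest prefix of s, at most max bytes, that does not end inside a
   UTF-8 multibyte sequence (continuation bytes have the form 10xxxxxx). */
static size_t utf8_prefix_len(const char *s, size_t max)
{
    size_t n = strlen(s);
    if (n <= max)
        return n;
    n = max;
    while (n > 0 && ((unsigned char)s[n] & 0xC0) == 0x80)
        n--;
    return n;
}

/* Bounded variant (hypothetical helper): writes at most dstsize bytes.
   Returns 0 if the whole string fit, 1 if it had to be shortened. */
static int format_idle(char *dst, size_t dstsize, const char *idle)
{
    size_t room = dstsize > 2 ? dstsize - 2 : 0;   /* minus ' ' and NUL */
    size_t keep = utf8_prefix_len(idle, room);
    snprintf(dst, dstsize, " %-*.*s", IDLESTR_LEN, (int)keep, idle);
    return keep < strlen(idle);
}

int main(void)
{
    const char *idle = "UNT\xc3\x84TIG";   /* "UNTÄTIG" in UTF-8, constructed */
    char x_idle[1 + IDLESTR_LEN + 1];
    int cut = format_idle(x_idle, sizeof x_idle, idle);
    printf("needed=%zu have=%zu cut=%d out=\"%s\"\n",
           idle_field_needed(idle), sizeof x_idle, cut, x_idle);
    return 0;
}
```

Field width and precision in `printf` count bytes, so the padded column can still be narrower on screen than intended when the string contains multibyte characters.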
Comment 5 Tim Waugh 2005-05-25 05:59:16 EDT
Fixed package is coreutils-5.2.1-48.