Bug 160284 - buffer overflows in sfdisk
Status: CLOSED DUPLICATE of bug 159418
Product: Fedora
Classification: Fedora
Component: util-linux
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Karel Zak
QA Contact: Ben Levenson
Reported: 2005-06-14 00:17 EDT by Alexandre Oliva
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-06-15 06:54:43 EDT


Attachments
sfdisk dump/input file (575 bytes, text/plain)
2005-06-14 00:17 EDT, Alexandre Oliva

Description Alexandre Oliva 2005-06-14 00:17:17 EDT
Description of problem:
The attached file will cause sfdisk to trigger the buffer overflow detection
with the following two command lines:

% sfdisk /tmp/hda.sfdisk  # oops, typo, missing a `<', but it exposed a bug
Warning: /tmp/hda.sfdisk is not a block device
Disk /tmp/hda.sfdisk: cannot get geometry

Disk /tmp/hda.sfdisk: 0 cylinders, 0 heads, 0 sectors/track

sfdisk: ERROR: sector 0 does not have an msdos signature
 /tmp/hda.sfdisk: unrecognized partition table type
Old situation:
No partitions found
Input in the following format; absent fields get a default value.
<start> <size> <type [E,S,L,X,hex]> <bootable [-,*]> <c,h,s> <c,h,s>
Usually you only need to specify <start> and <size> (and perhaps <type>).

/tmp/hda.sfdisk1 :*** buffer overflow detected ***: sfdisk terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x79a565]
sfdisk[0x804c563]
sfdisk[0x804d805]
sfdisk[0x804eaba]
/lib/libc.so.6(__libc_start_main+0xc6)[0x6d0de6]
sfdisk[0x8048dc1]
======= Memory map: ========
Aborted


% sfdisk /dev/hda < /tmp/hda.sfdisk  # this is right, but it also exposes a bug

Disk /dev/hda: 116280 cylinders, 16 heads, 63 sectors/track
Warning: extended partition does not start at a cylinder boundary.
DOS and Linux will interpret the contents differently.
Old situation:
Warning: The partition table looks like it was made
  for C/H/S=*/255/63 (instead of 116280/16/63).
For this listing I'll assume that geometry.
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/hda1          0+     61      62-    497983+  84  OS/2 hidden C: drive
/dev/hda2         68     828     761    6112732+   b  W95 FAT32
/dev/hda3   *    829    1009     181    1453882+   6  FAT16
/dev/hda4       1010    7295    6286   50492295    f  W95 Ext'd (LBA)
/dev/hda5   *   1010+   1022      13-    104391   83  Linux
/dev/hda6       1023+   1035      13-    104391   83  Linux
/dev/hda7       1036+   1097      62-    497983+  82  Linux swap / Solaris
/dev/hda8       1098+   3163    2066-  16595113+  8e  Linux LVM
/dev/hda9       3164+   5229    2066-  16595113+  8e  Linux LVM
/dev/hda10      5230+   7295    2066-  16595113+  8e  Linux LVM
*** buffer overflow detected ***: sfdisk terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x79a565]
sfdisk[0x804c563]
sfdisk[0x804d805]
sfdisk[0x804eaba]
/lib/libc.so.6(__libc_start_main+0xc6)[0x6d0de6]
sfdisk[0x8048dc1]
======= Memory map: ========
Aborted



Version-Release number of selected component (if applicable):
util-linux-2.12p-9.3


How reproducible:
Every time
Comment 1 Alexandre Oliva 2005-06-14 00:17:17 EDT
Created attachment 115386 [details]
sfdisk dump/input file
Comment 2 Karel Zak 2005-06-15 06:54:43 EDT

*** This bug has been marked as a duplicate of 159418 ***
