Bug 166040 - SIGSEGV in fillpacks() of cdrecord
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: cdrtools
Version: 4
Platform: i386 Linux
Priority: medium
Severity: low
Assigned To: Harald Hoyer
Reported: 2005-08-16 00:41 EDT by Frederick Dean
Modified: 2008-02-28 14:05 EST
Last Closed: 2008-02-28 14:05:00 EST
Doc Type: Bug Fix
Attachments: None

Description Frederick Dean 2005-08-16 00:41:19 EDT
cdrecord-2.01.1-9 
kernel-2.6.12-1.1387_FC4

I ripped Bernstein's Peter and the Wolf with cdda2wav using the
recommended command in the cdrecord manual page.
When I try to burn the disc using the man page
record command "cdrecord -v -dao -useinfo -text *.wav"
the program segfaults before the recording starts.

Just before this, I ripped the disc with grip & cdparanoia (no *.inf
files) and was able to burn just fine using the same command.

[guest2@winch ~]$ dmesg|grep hdc
    ide1: BM-DMA at 0xffa8-0xffaf, BIOS settings: hdc:DMA, hdd:pio
hdc: PLEXTOR DVDR PX-708A, ATAPI CD/DVD-ROM drive
hdc: ATAPI 63X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(33)

I rebuilt the program from SRPM to get debugging information.
gdb reported a backtrace...

[root@winch cdda]# gdb /usr/src/redhat/BUILD/cdrtools-2.01/cdrecord/OBJ/i686-linux-cc/cdrecord
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) run -v -dao -useinfo -text *.wav
Starting program: /usr/src/redhat/BUILD/cdrtools-2.01/cdrecord/OBJ/i686-linux-cc/cdrecord -v -dao -useinfo -text *.wav
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0x159000
Cdrecord-Clone 2.01-dvd (i686-pc-linux-gnu) Copyright (C) 1995-2004 Jörg Schilling
Note: This version is an unofficial (modified) version with DVD support
Note: and therefore may have bugs that are not present in the original.
Note: Please send bug reports or support requests to
http://bugzilla.redhat.com/bugzilla
Note: The author of cdrecord should not be bothered with problems in this version.
TOC Type: 0 = CD-DA
scsidev: '/dev/cdrom'
devname: '/dev/cdrom'
scsibus: -2 target: -2 lun: -2
Linux sg driver version: 3.5.27
Using libscg version 'schily-0.8'.
/usr/src/redhat/BUILD/cdrtools-2.01/cdrecord/OBJ/i686-linux-cc/cdrecord: Warning: using inofficial libscg transport code version (schily - Red Hat-scsi-linux-sg.c-1.83-RH '@(#)scsi-linux-sg.c 1.83 04/05/20 Copyright 1997 J. Schilling').
Driveropts: 'burnfree'
SCSI buffer size: 64512
atapi: 1
Device type    : Removable CD-ROM
Version        : 0
Response Format: 1
Vendor_info    : 'PLEXTOR '
Identifikation : 'DVDR   PX-708A  '
Revision       : '1.06'
Device seems to be: Generic mmc2 DVD-R/DVD-RW.
Current: 0x0009
Profile: 0x001B 
Profile: 0x001A 
Profile: 0x0014 
Profile: 0x0013 
Profile: 0x0011 
Profile: 0x0010 
Profile: 0x000A 
Profile: 0x0009 (current)
Profile: 0x0008 
Using generic SCSI-3/mmc   CD-R/CD-RW driver (mmc_cdr).
Driver flags   : MMC-3 SWABAUDIO BURNFREE VARIREC FORCESPEED SINGLESESSION HIDECDR 
Supported modes: TAO PACKET SAO SAO/R96P SAO/R96R RAW/R16 RAW/R96P RAW/R96R
Drive buf size : 1190112 = 1162 KB
Drive DMA Speed: 29190 kB/s 165x CD 21x DVD
FIFO size      : 4194304 = 4096 KB
pregap1: -1

Program received signal SIGSEGV, Segmentation fault.
0x0805a4b0 in fillpacks (ap=0xbfa0f93c, from=0x9e9efae "ten", len=15,
track_no=3, pack_type=129) at cdtext.c:430
430                ap->tsize->pack_count[pack_type & 0x0F]++;
(gdb) bt
#0  0x0805a4b0 in fillpacks (ap=0xbfa0f93c, from=0x9e9efae "ten", len=15,
track_no=3, pack_type=129) at cdtext.c:430
#1  0x0805a669 in packtext (tracks=35, trackp=0xbfa0fb04) at cdtext.c:347
#2  0x08050595 in main (ac=40, av=0xbfa121a4) at cdrecord.c:808
(gdb) print *ap
$1 = {tp = 0xbfe207be, p = 0x0, tsize = 0x74697242, seqno = 7234932}
(gdb) print *ap->tsize
Cannot access memory at address 0x74697242
(gdb) info locals
charpos = 30
p = Variable "p" is not available.
(gdb) up
#1  0x0805a669 in packtext (tracks=35, trackp=0xbfa0fb04) at cdtext.c:347
347                                     fillpacks(&targ, s, strlen(s)+1, i,
0x80| type);
(gdb) info locals
maxtrk = 35
s = Variable "s" is not available.
(gdb) up
#2  0x08050595 in main (ac=40, av=0xbfa121a4) at cdrecord.c:808
808                     packtext(tracks, track);
(gdb) info locals
max_dma = Variable "max_dma" is not available.

Using strace on the cdrecord session ends with this...
_llseek(5, 0, [0], SEEK_SET)            = 0
read(5, "#created by cdda2wav 2.01_linux_"..., 4096) = 695
read(5, "", 4096)                       = 0
_llseek(5, 0, [0], SEEK_SET)            = 0
read(5, "#created by cdda2wav 2.01_linux_"..., 4096) = 695
read(5, "", 4096)                       = 0
_llseek(5, 0, [0], SEEK_SET)            = 0
read(5, "#created by cdda2wav 2.01_linux_"..., 4096) = 695
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
_llseek(5, 695, [695], SEEK_SET)        = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, {2, 0})               = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Selectively removing args from the command line shows that
both -useinfo and -text are required for the segfault.
The problem repeats every time, and looks the same.

All of the *.inf files look well formed and I can provide
them if requested.

Deleting all the *.inf files avoids the segfault.  Deleting
the audio.cddb and audio.cdindex does not avoid the segfault.
Selectively deleting audio_??.inf files shows that it does not
matter much which are present.  More than 25 causes the 
segfault.  (My disc has 35 titles)  Here is an example...

[guest2@winch cdrecord]$ cat ~/cdda/audio_05.inf 
#created by cdda2wav 2.01_linux_2.6.9-1.906_elsmp_i686_i686 08/15/05 22:07:07
#
CDINDEX_DISCID= 'WbcusUp9Bns9KBXqGwhaorCqlCo-'
CDDB_DISCID=    0x4e11b723
MCN=
ISRC=                          
#
Albumperformer= 'Prokofeiv + Saint-Saens + Britten'
Performer=      'Prokofeiv + Saint-Saens + Britten'
Albumtitle=     'Bernstein Century Children's Classics'
Tracktitle=     'Camille Saint-Saens / Le Carnaval des Animaux - 4 - Tortues'
Tracknumber=    5
Trackstart=     147232
# track length in sectors (1/75 seconds each), rest samples
Tracklength=    10060, 0
Pre-emphasis=   no
Channels=       2
Copy_permitted= once (copyright protected)
Endianess=      little
# index list
Index=          0 
Index0=         -1 

The disc is very good.  I recommend it.  My kids agree.
Comment 1 Harald Hoyer 2005-08-25 06:47:58 EDT
> More than 25 causes the segfault...

And it's not that the 26th .inf file is in some way corrupted?
Comment 2 Frederick Dean 2005-08-25 11:54:02 EDT
(In reply to comment #1)
> > More than 25 causes the segfault...
> 
> And it's not that the 26th .inf file is in some way corrupted?

Nope. All the .inf are pretty similar, and it does not matter
which one is added as the 26th.  I suspect it has to do with
the long Albumtitle or Tracktitle.  Actually, as I look again
four of them have a Tracktitle that is like 140 characters long.
Unfortunately, I can still make it crash by choosing from the
other audio_xx.inf, but it takes 27 files that way.

In my testing just now, I did have one crash which printed this
line just before the crash...  (it is totally reproducible but only
for this specific collection of .inf files)

cdrecord: Cannot allocate memory. Cannot malloc CD-Text write buffer.

So this begs the question, if I use fewer .inf files so it does not
crash, and then I alter one of the .inf files to have a really 
long Tracktitle, can I make it crash?  The answer is yes. 

I suspect this bug is a security hole.
Comment 3 Harald Hoyer 2005-08-26 03:01:29 EDT
A security hole for those, who set cdrecord suid... yes.
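A reading of the backtrace in the description, and an added example that is not part of the bug report or of cdrtools: the pack-state struct gdb prints as `*ap` holds `tsize = 0x74697242` and `seqno = 7234932` (0x6E6574). Read as little-endian bytes those are the ASCII strings "Brit" and "ten\0", i.e. the struct has been overwritten with the tail of the performer string 'Prokofeiv + Saint-Saens + Britten' from the posted .inf file, and the crashing line then dereferences that text as the `tsize` pointer. That is what an overrun of a fixed-size CD-Text pack buffer by an unchecked fill loop looks like, and it matches the reporter's observation that the trigger is the total amount of text (more tracks, or longer titles), not any particular file. The C model below is constructed to show the class of bug and the check that prevents it; the function and field names mirror the backtrace for readability only, and the 12-byte pack payload and the 256-pack capacity are assumptions of the model, not values taken from cdtext.c.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of CD-Text pack filling, written for this bug page.
 * It is NOT cdrtools' cdtext.c; names mirror the backtrace for readability. */

#define PACK_TEXT_BYTES 12   /* payload bytes in an 18-byte CD-Text pack (assumed) */
#define MAX_PACKS       256  /* fixed size of the pack buffer in this model (assumed) */

struct cdtext_pack {
    unsigned char pack_type;   /* 0x80 = title, 0x81 = performer, ... */
    unsigned char track_no;
    unsigned char seq_no;
    unsigned char char_pos;    /* simplified: always 0 in this model */
    unsigned char text[PACK_TEXT_BYTES];
    unsigned char crc[2];      /* left zero; the model does not compute a CRC */
};

struct text_size {
    int pack_count[16];        /* packs emitted per pack type, as on the crashing line */
};

struct pack_state {
    struct cdtext_pack packs[MAX_PACKS];  /* fixed buffer: what must not be overrun */
    int capacity;                         /* packs the buffer may hold (<= MAX_PACKS) */
    int npacks;                           /* packs used so far */
    int fill;                             /* text bytes used in the current pack */
    int seqno;
    struct text_size tsize;
};

static void pack_state_init(struct pack_state *ap, int capacity)
{
    memset(ap, 0, sizeof *ap);
    ap->capacity = capacity > MAX_PACKS ? MAX_PACKS : capacity;
}

/* Append len bytes of text (the caller includes the terminating NUL, as the
 * packtext() frame in the backtrace does with strlen(s)+1).  Strings are packed
 * back to back across pack boundaries.  Returns 0, or -1 when one more pack
 * would exceed the buffer; an unchecked loop would instead write past it. */
static int fillpacks(struct pack_state *ap, const char *from, int len,
                     int track_no, int pack_type)
{
    for (int i = 0; i < len; i++) {
        if (ap->fill == 0) {
            if (ap->npacks >= ap->capacity)
                return -1;                       /* the bounds check that matters */
            struct cdtext_pack *p = &ap->packs[ap->npacks++];
            memset(p, 0, sizeof *p);
            p->pack_type = (unsigned char)pack_type;
            p->track_no  = (unsigned char)track_no;
            p->seq_no    = (unsigned char)ap->seqno++;
            ap->tsize.pack_count[pack_type & 0x0F]++;
        }
        ap->packs[ap->npacks - 1].text[ap->fill++] = (unsigned char)from[i];
        if (ap->fill == PACK_TEXT_BYTES)
            ap->fill = 0;
    }
    return 0;
}

/* Lay out a whole disc the way "-useinfo -text" does: album title and performer
 * for track 0, then a title and performer per track.  Returns packs used, or -1. */
static int pack_disc(struct pack_state *ap, const char *album, const char *albumperf,
                     int ntracks, const char *const *titles, const char *const *perfs)
{
    if (fillpacks(ap, album, (int)strlen(album) + 1, 0, 0x80) < 0) return -1;
    if (fillpacks(ap, albumperf, (int)strlen(albumperf) + 1, 0, 0x81) < 0) return -1;
    for (int t = 0; t < ntracks; t++) {
        if (fillpacks(ap, titles[t], (int)strlen(titles[t]) + 1, t + 1, 0x80) < 0) return -1;
        if (fillpacks(ap, perfs[t],  (int)strlen(perfs[t])  + 1, t + 1, 0x81) < 0) return -1;
    }
    return ap->npacks;
}

/* Reproduce the reporter's threshold: the same strings fit for a few tracks and
 * exhaust the buffer once enough tracks (or long enough titles) are added.
 * Track titles are constructed; the album strings come from the posted .inf. */
static int packs_for_disc(int ntracks, int title_len)
{
    static char title[512];
    const char *titles[99], *perfs[99];
    struct pack_state st;

    if (ntracks > 99) ntracks = 99;
    if (title_len > 511) title_len = 511;
    memset(title, 'T', (size_t)title_len);   /* constructed sample title */
    title[title_len] = '\0';
    for (int t = 0; t < ntracks; t++) {
        titles[t] = title;
        perfs[t]  = "Prokofeiv + Saint-Saens + Britten";
    }
    pack_state_init(&st, MAX_PACKS);
    return pack_disc(&st, "Bernstein Century Children's Classics",
                     "Prokofeiv + Saint-Saens + Britten", ntracks, titles, perfs);
}

int main(void)
{
    printf("24 tracks, 60-char titles : %d packs\n", packs_for_disc(24, 60));
    printf("35 tracks, 60-char titles : %d\n", packs_for_disc(35, 60));
    printf("35 tracks, 140-char titles: %d\n", packs_for_disc(35, 140));
    return 0;
}
```

In the model the total pack count is simply ceil(total text bytes / 12), so 24 tracks with 60-character titles need 196 packs and fit, while 35 tracks with the same titles need 284 and are rejected with -1 instead of writing past the buffer. The practical fix is the same whichever way the real buffer is sized: either compute the pack count from the total text length before allocating, or refuse at the point where the next pack would not fit, and do one or the other before any byte is written. Comment 3's point is why this matters beyond a crash: .inf files are user-supplied input, so on a setuid cdrecord an overrun driven by their contents is reachable by an unprivileged user.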
Comment 4 Harald Hoyer 2005-08-26 03:04:43 EDT
If you like, you could use Jörg Schilling's original cdrecord or cdrecord-pro and
notify him if that segfaults also. Red Hat modified his software and he might
not listen to us, as he only cares about his original version.
Comment 5 Frederick Dean 2005-08-26 10:42:39 EDT
I will work on comment 4.
Comment 6 Christian Iseli 2007-01-19 19:30:40 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.
Comment 7 petrosyan 2008-02-28 14:05:00 EST
Fedora Core 4 is no longer maintained.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release, please reopen this bug and assign it to the
corresponding Fedora version.
