Bug 173050 - strace buffer overflow on select
Summary: strace buffer overflow on select
Alias: None
Product: Fedora
Classification: Fedora
Component: strace
Version: 4
Hardware: x86_64 Linux
Target Milestone: ---
Assignee: Roland McGrath
QA Contact: Brian Brock
Depends On:
Reported: 2005-11-13 04:16 UTC by Dan Hollis
Modified: 2007-11-30 22:11 UTC

Fixed In Version: 4.5.15-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-01-17 03:07:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Dan Hollis 2005-11-13 04:16:04 UTC
Description of problem:
strace crashes when tracing select()

Version-Release number of selected component (if applicable):
strace 4.5.11-1

How reproducible:

Steps to Reproduce:
1.strace -p (pid of 32bit application)
Actual results:
strace -p 15313
Process 15313 attached - interrupt to quit
[ Process PID=15313 runs in 32 bit mode. ]
select(22, [0 21], NULL, NULL, {115964116992000, 2097153}*** buffer overflow
detected ***: strace terminated
======= Backtrace: =========
======= Memory map: ========

Expected results:
should not crash

Additional info:

Comment 1 Dmitry V. Levin 2005-11-14 22:42:36 UTC
Tracing of 32-bit processes on 64-bit system is not implemented wrt decoding of
data structures with arch-dependent members.
For example, all syscalls which operate with "struct timeval" will be decoded
incorrectly; select() is just an illustration for the larger problem.

Roland, are we going to deal with this (large) issue somehow?

Comment 2 Dan Hollis 2005-11-14 23:06:38 UTC
should a 32bit strace be able to trace 32bit processes on a 64bit system under
32bit emulation mode?

if so, the "obvious" solution would be to provide both 32bit and 64bit strace
binaries, and have 64bit strace refuse to trace 32bit processes (and vice versa).

Comment 3 Dmitry V. Levin 2005-11-14 23:21:50 UTC
Yes, 32bit strace is able to trace 32bit processes on a 64bit system under 32bit
emulation mode.

This "obvious" solution will "fix" the bug you reported.

Unfortunately, there are rare cases when this solution won't help:
processes like setarch(8) which call personality(2).

Imagine e.g. "strace setarch i386 select32" where select32 is an arbitrary 32bit
executable which calls select(2).

Comment 4 Dan Hollis 2005-11-14 23:39:52 UTC
well it's completely broken right now :P

seems to me there should be an interim solution provided (however flawed it
might be). provide 32bit strace on FC4/5 until a "proper" fix can be made?

Comment 5 Dmitry V. Levin 2006-12-13 21:37:05 UTC
Added upstream biarch support for timeval and timespec structs,
should fix select decoding.
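
A worked illustration of the arch-dependent decoding problem from Comment 1 and of the biarch timeval decoding Comment 5 refers to (an added example in C, not strace's own code): the same bytes of a 32-bit tracee's memory are decoded once with the tracee's struct timeval layout (two 4-byte fields) and once with the tracer's x86_64 layout (two 8-byte fields). The tracee values {0, 27000} and the trailing stack bytes are constructed assumptions, chosen because 27000 << 32 is exactly the 115964116992000 printed in the report, so the 64-bit misread reproduces that output.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed tracee memory: a 32-bit process's struct timeval {0, 27000}
 * (two 4-byte little-endian fields) followed by 8 bytes of unrelated stack. */
static const unsigned char tracee_mem[16] = {
    0x00, 0x00, 0x00, 0x00,  /* tv_sec  = 0 */
    0x78, 0x69, 0x00, 0x00,  /* tv_usec = 27000 (0x6978) */
    0x01, 0x00, 0x20, 0x00,  /* stack words beyond the 32-bit struct */
    0x00, 0x00, 0x00, 0x00,
};

/* Load a little-endian integer of 4 or 8 bytes, sign-extending 4-byte
 * values the way a 32-bit long (tv_sec / tv_usec on i386) would be. */
static int64_t load_le(const unsigned char *p, size_t width)
{
    uint64_t v = 0;
    for (size_t i = 0; i < width; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return width == 4 ? (int64_t)(int32_t)v : (int64_t)v;
}

/* Decode struct timeval from tracee memory using the *tracee's* word size.
 * Passing tracee_is_32bit = 0 for data written by a 32-bit tracee reproduces
 * the bug: the tracer's own 64-bit layout is applied to 32-bit data.
 * Returns 0 on success, -1 if mem is too short for the chosen layout. */
static int decode_timeval(const unsigned char *mem, size_t len,
                          int tracee_is_32bit, int64_t *sec, int64_t *usec)
{
    size_t width = tracee_is_32bit ? 4 : 8;
    if (len < 2 * width)
        return -1;
    *sec = load_le(mem, width);
    *usec = load_le(mem + width, width);
    return 0;
}

int main(void)
{
    int64_t sec, usec;
    decode_timeval(tracee_mem, sizeof tracee_mem, 1, &sec, &usec);
    printf("tracee (32-bit) layout: {%lld, %lld}\n", (long long)sec, (long long)usec);  /* {0, 27000} */
    decode_timeval(tracee_mem, sizeof tracee_mem, 0, &sec, &usec);
    printf("tracer (64-bit) layout: {%lld, %lld}\n", (long long)sec, (long long)usec);  /* {115964116992000, 2097153} */
    return 0;
}
```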

Comment 6 Roland McGrath 2007-01-11 11:15:26 UTC
these bugs are fixed upstream in the coming 4.5.15 release

Comment 7 Roland McGrath 2007-01-17 03:07:34 UTC
4.5.15 in rawhide and in updates for fc5 and fc6 fixes this.
