Bug 173050 - strace buffer overflow on select
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: strace
Version: 4
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Roland McGrath
QA Contact: Brian Brock
Reported: 2005-11-12 23:16 EST by Dan Hollis
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 4.5.15-1
Doc Type: Bug Fix
Last Closed: 2007-01-16 22:07:34 EST
Description Dan Hollis 2005-11-12 23:16:04 EST
Description of problem:
strace crashes when tracing select()

Version-Release number of selected component (if applicable):
strace 4.5.11-1

How reproducible:
always

Steps to Reproduce:
1. strace -p (pid of 32bit application)
Actual results:
strace -p 15313
Process 15313 attached - interrupt to quit
[ Process PID=15313 runs in 32 bit mode. ]
select(22, [0 21], NULL, NULL, {115964116992000, 2097153}*** buffer overflow detected ***: strace terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x3d856dcb6f]
/lib64/libc.so.6[0x3d856dc149]
/lib64/libc.so.6(_IO_default_xsputn+0x86)[0x3d85667b26]
/lib64/libc.so.6(_IO_vfprintf+0xf47)[0x3d85641be7]
/lib64/libc.so.6(__vsprintf_chk+0xa9)[0x3d856dc1f9]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x3d856dc130]
strace[0x408012]
strace[0x405378]
strace[0x4041d0]
/lib64/libc.so.6(__libc_start_main+0xef)[0x3d8561c3cf]
strace[0x401eea]
Aborted

Expected results:
should not crash

Comment 1 Dmitry V. Levin 2005-11-14 17:42:36 EST
Tracing of 32-bit processes on a 64-bit system is not implemented wrt decoding of
data structures with arch-dependent members.
For example, all syscalls which operate with "struct timeval" will be decoded
incorrectly; select() is just an illustration for the larger problem.

Roland, are we going to deal with this (large) issue somehow?
Comment 2 Dan Hollis 2005-11-14 18:06:38 EST
should a 32bit strace be able to trace 32bit processes on a 64bit system under
32bit emulation mode?

if so, the "obvious" solution would be to provide both 32bit and 64bit strace
binaries, and have 64bit strace refuse to trace 32bit processes (and vice versa).
Comment 3 Dmitry V. Levin 2005-11-14 18:21:50 EST
Yes, 32bit strace is able to trace 32bit processes on a 64bit system under 32bit
emulation mode.

This "obvious" solution will "fix" the bug you reported.

Unfortunately, there are rare cases when this solution won't help:
processes like setarch(8) which call personality(2).

Imagine e.g. "strace setarch i386 select32" where select32 is an arbitrary 32bit
executable which calls select(2).
Comment 4 Dan Hollis 2005-11-14 18:39:52 EST
well it's completely broken right now :P

seems to me there should be an interim solution provided (however flawed it
might be). provide 32bit strace on FC4/5 until a "proper" fix can be made?
Comment 5 Dmitry V. Levin 2006-12-13 16:37:05 EST
Added upstream biarch support for timeval and timespec structs,
should fix select decoding.
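The following is an added illustration, not strace's code and not part of this bug report, of the layout mismatch Dmitry describes in comments 1 and 5 and of how a fixed-size buffer can then overflow. The ABI enum, decode_timeval, TRACEE_MEM and format_len are hypothetical names; the tracee memory is constructed so that the wrong (x86_64) decoding reproduces the pair printed in the report, {115964116992000, 2097153}.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical decoder, not strace's code. A struct timeval in the tracee
   has the tracee's layout, not the tracer's: on i386 both fields are 32-bit
   longs (8 bytes total), on x86_64 they are 64-bit (16 bytes). */
enum tracee_abi { ABI_64, ABI_32 };
struct tv_decoded { int64_t sec, usec; };

/* Constructed tracee memory: an i386 timeval {0, 27000} followed by 8 bytes
   of whatever lies after it (here 0x200001). Read as an x86_64 timeval these
   16 bytes give the report's pair {115964116992000, 2097153}: 27000 << 32. */
static const uint8_t TRACEE_MEM[16] = {
    0x00, 0x00, 0x00, 0x00, 0x78, 0x69, 0x00, 0x00,   /* tv_sec = 0, tv_usec = 27000 */
    0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* unrelated bytes */

/* Decode using the tracee ABI's layout; -1 if the buffer is too short. */
int decode_timeval(const uint8_t *mem, size_t len, enum tracee_abi abi,
                   struct tv_decoded *out)
{
    if (abi == ABI_32) {
        int32_t s, u;
        if (len < 8) return -1;
        memcpy(&s, mem, 4); memcpy(&u, mem + 4, 4);
        out->sec = s; out->usec = u;
    } else {
        int64_t s, u;
        if (len < 16) return -1;
        memcpy(&s, mem, 8); memcpy(&u, mem + 8, 8);
        out->sec = s; out->usec = u;
    }
    return 0;
}

/* field 0 = tv_sec, 1 = tv_usec, decoded from TRACEE_MEM under the given ABI. */
int64_t decoded_field(enum tracee_abi abi, int field)
{
    struct tv_decoded tv;
    if (decode_timeval(TRACEE_MEM, sizeof TRACEE_MEM, abi, &tv) != 0) return -1;
    return field == 0 ? tv.sec : tv.usec;
}

/* Format into a buffer sized for 32-bit values. Unlike the sprintf in the
   backtrace, snprintf cannot overrun; a return >= sizeof buf means truncated. */
int format_len(enum tracee_abi abi)
{
    char buf[12];
    return snprintf(buf, sizeof buf, "{%lld, %lld}",
                    (long long)decoded_field(abi, 0), (long long)decoded_field(abi, 1));
}
```

Decoding with the tracee's own ABI yields the small, plausible {0, 27000}; decoding the same bytes with the tracer's ABI yields the oversized values that, formatted with an unchecked sprintf, overran strace's buffer until __sprintf_chk aborted it.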
Comment 6 Roland McGrath 2007-01-11 06:15:26 EST
these bugs are fixed upstream in the coming 4.5.15 release
Comment 7 Roland McGrath 2007-01-16 22:07:34 EST
4.5.15 in rawhide and in updates for fc5 and fc6 fixes this.
