Bug 189666 - cscope stack smashing
Summary: cscope stack smashing
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: cscope
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Neil Horman
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: CVE-2009-1577
 
Reported: 2006-04-22 12:23 UTC by Ronald Wahl
Modified: 2009-05-05 14:18 UTC (History)
0 users

Fixed In Version: cscope-15.5-13.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-11 17:04:20 UTC
Type: ---
Embargoed:


Attachments
patch to limit how much data putstring copies to the target pointer (7.04 KB, patch)
2006-05-05 15:27 UTC, Neil Horman
updated patch to fix header breakage (7.44 KB, patch)
2006-06-23 19:55 UTC, Neil Horman

Description Ronald Wahl 2006-04-22 12:23:50 UTC
Description of problem:

cscope's "Find all function definitions" results in "stack smashing" on a
valgrind source repository.

Version-Release number of selected component (if applicable):

15.5-13.3

How reproducible:

Always

Steps to Reproduce:
1. Get valgrind (3.1.1 in my case). Extract it. Change into its base directory.
2. Call "cscope -R"
3. Enter an arbitrary char at the "Find all function definitions" and press enter.
  
Actual results:

cscope reports a "** stack smashing detected ***"

Expected results:

cscope should return all (matching?) function definitions

Additional info:

1. Increasing PATLEN in constants.h to exactly 308 will make the stack smashing
message go away but the output of cscope has a strange formatting. Increasing the
buffer further will result in correct formatting.

2. The overflow fix in cscope-15.5-13.3 seems not related to this.

3. A not very useful coredump:

#0  0x00417402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00417402 in __kernel_vsyscall ()
#1  0x00ccd159 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00cce6e3 in *__GI_abort () at abort.c:88
#3  0x00d01a1b in __libc_message (do_abort=1, 
    fmt=0xdbf478 "*** stack smashing detected ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00d81e45 in __stack_chk_fail () at stack_chk_fail.c:31
#5  0x080567d5 in findallfcns (dummy=Could not find the frame base for
"findallfcns".
) at find.c:451
#6  0x31303938 in ?? ()
#7  0x35343332 in ?? ()
#8  0x39383736 in ?? ()
#9  0x33323130 in ?? ()
#10 0x37363534 in ?? ()
#11 0x31303938 in ?? ()
#12 0x35343332 in ?? ()
#13 0x39383736 in ?? ()
#14 0x33323130 in ?? ()
#15 0x37363534 in ?? ()
#16 0x00003938 in ?? ()
#17 0x00000001 in ?? ()
#18 0x10000000 in ?? ()
#19 0x08048f2e in ?? ()
#20 0x00000002 in ?? ()
#21 0x00000000 in ?? ()

Comment 1 Neil Horman 2006-05-05 15:27:19 UTC
Created attachment 128661
patch to limit how much data putstring copies to the target pointer

This should fix the problem.  Please test and report results.  Thanks!
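
The kind of fix the attachment title describes, limiting how much a copy routine writes to its target pointer, shown as an added example; this is not the attached patch and not cscope's code. The helper copy_record(), the 16-byte buffer, the guard field and the sample record are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16   /* assumed size; stands in for a fixed buffer such as one sized by PATLEN */

/* Constructed input: one newline-terminated record holding a 43-character symbol. */
static const char LONG_RECORD[] = "fn_0123456789012345678901234567890123456789\n";

struct frame {
    char buf[BUF_LEN];
    unsigned int guard;   /* stands in for whatever sits after the buffer */
};

/* Hypothetical helper, not cscope's putstring(): copy one record (up to '\n'
 * or NUL) into dst, writing at most dstlen bytes including the terminator.
 * Returns how many source characters did not fit (0 means a complete copy). */
size_t copy_record(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0, dropped = 0;

    for (; *src != '\0' && *src != '\n'; src++) {
        if (dstlen > 0 && n + 1 < dstlen)
            dst[n++] = *src;      /* still room for this byte plus the NUL */
        else
            dropped++;            /* count it, but never write past dst */
    }
    if (dstlen > 0)
        dst[n] = '\0';
    return dropped;
}

int main(void)
{
    struct frame f = { "", 0xC0FFEEu };
    size_t dropped = copy_record(f.buf, sizeof f.buf, LONG_RECORD);

    printf("kept \"%s\", dropped %zu, guard %s\n", f.buf, dropped,
           f.guard == 0xC0FFEEu ? "intact" : "overwritten");
    return 0;
}
```

A nonzero return tells the caller the record was truncated, so it can report or skip the entry instead of displaying a partial symbol as if it were complete.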

Comment 2 Ronald Wahl 2006-05-05 22:07:08 UTC
If you fix the putstring prototype in src/global.h too then it works, otherwise
it will not compile. The stack smashing went away. Thanks!

Comment 3 Neil Horman 2006-06-23 19:55:44 UTC
Created attachment 131459
updated patch to fix header breakage

Comment 4 Fedora Update System 2006-06-23 21:19:56 UTC
cscope-15.5-13.7 has been pushed for fc5, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Comment 5 Ronald Wahl 2007-03-03 22:00:20 UTC
I think this issue can be set to fixed. I cannot reproduce it anymore.

