Bug 200623 - attr -l SEGV's when there is an xattr
Summary: attr -l SEGV's when there is an xattr
Keywords:
Status: CLOSED DUPLICATE of bug 189106
Alias: None
Product: Fedora
Classification: Fedora
Component: attr
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zdenek Prikryl
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-07-29 05:05 UTC by James Antill
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-07-25 11:48:48 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
attr -l works fine with the patch (1.78 KB, patch)
2007-02-19 16:33 UTC, Sergey Satskiy
no flags Details | Diff

Description James Antill 2006-07-29 05:05:31 UTC
Description of problem:
 attr -l SEGV's, it calls attr_list which is a compat. call inside
libattr/libattr.c ... that calls attr_list_pack() which contains this gem in the
first three lines:

        attrlist_ent_t *aentp;
        attrlist_t *alist = (attrlist_t *)buffer;
        int size = roundup(strlen(name) + 1 + sizeof(aentp->a_valuelen), 8);

...note aentp is not initialized, and is then defreerenced for aentp->a_valuelen .

 For bonus points, attrlist_ent_t is defined as:

typedef struct attrlist_ent {   /* data from attr_list() */
        u_int32_t       a_valuelen;     /* number bytes in value of attr */
        char            a_name[1];      /* attr name (NULL terminated) */
} attrlist_ent_t;

...so we're taking strlen() of an unsigned int!

probably due to buffer being NULL.

Version-Release number of selected component (if applicable):
attr(0:2.4.28-1.2).i386

How reproducible:
Always

Comment 1 Sergey Satskiy 2007-02-19 16:33:48 UTC
Created attachment 148328 [details]
attr -l works fine with the patch

The attr_list(...) and attr_listf(...) functions in the libattr.so used the
attributes' names list length improper. The length was used as a stop condition
for a loop through all the attributes but was overwritten with the length of
the individual attribute inside the cycle. That led to moving a pointer outside
the allocated buffer and further to the SEGV.

Comment 2 Zdenek Prikryl 2007-07-25 11:48:48 UTC

*** This bug has been marked as a duplicate of 189106 ***


Note You need to log in before you can comment on or make changes to this bug.