Bug 202893 - Buffer overflow while running crm114
Buffer overflow while running crm114
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: crm114 (Show other bugs)
5
x86_64 Linux
medium Severity high
: ---
: ---
Assigned To: Dominik 'Rathann' Mierzejewski
Fedora Extras Quality Assurance
:
Depends On: 234061
Blocks: FE-ExcludeArch-x64/F-ExcludeArch-x64
  Show dependency treegraph
 
Reported: 2006-08-16 18:32 EDT by Dominik 'Rathann' Mierzejewski
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: 0-0.2.20070301.fc5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-17 14:17:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dominik 'Rathann' Mierzejewski 2006-08-16 18:32:05 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.6) Gecko/20060808 Fedora/1.5.0.6-2.fc5 Firefox/1.5.0.6 pango-text

Description of problem:
When compiled for x86_64, running crm114 linked against tre results in a buffer overflow.

Version-Release number of selected component (if applicable):
tre-0.7.4-4.fc5

How reproducible:
Always


Steps to Reproduce:
1. Build tre for x86_64.
2. Build crm114 against it.
3. Run ./crm ./bracktest.crm

Actual Results:
*** buffer overflow detected ***: /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm terminated

Expected Results:
The test should run an pass.

Additional info:
$ gdb ./crm
GNU gdb Red Hat Linux (6.3.0.0-1.122rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) run ./bracktest.crm
Starting program: /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm ./bracktest.crm
*** buffer overflow detected ***: /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x30253dfaef]
/lib64/libc.so.6[0x30253df0a9]
/lib64/libc.so.6(_IO_default_xsputn+0x89)[0x302536a369]
/lib64/libc.so.6(_IO_vfprintf+0x1638)[0x3025342918]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x30253df14d]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x30253df090]
/home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm[0x407a53]
/home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm[0x403054]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x302531ce54]
/home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm[0x4020a9]
======= Memory map: ========
00400000-0042f000 r-xp 00000000 08:07 13926753                           /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm114_tre
0052e000-00530000 rw-p 0002e000 08:07 13926753                           /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm114_tre
00530000-0055b000 rw-p 00530000 00:00 0                                  [heap]
3025100000-302511a000 r-xp 00000000 08:05 2405998                        /lib64/ld-2.4.so
3025219000-302521a000 r--p 00019000 08:05 2405998                        /lib64/ld-2.4.so
302521a000-302521b000 rw-p 0001a000 08:05 2405998                        /lib64/ld-2.4.so
3025300000-302543f000 r-xp 00000000 08:05 2405999                        /lib64/libc-2.4.so
302543f000-302553f000 ---p 0013f000 08:05 2405999                        /lib64/libc-2.4.so
302553f000-3025543000 r--p 0013f000 08:05 2405999                        /lib64/libc-2.4.so
3025543000-3025544000 rw-p 00143000 08:05 2405999                        /lib64/libc-2.4.so
3025544000-3025549000 rw-p 3025544000 00:00 0
3025800000-3025880000 r-xp 00000000 08:05 2406005                        /lib64/libm-2.4.so
3025880000-3025980000 ---p 00080000 08:05 2406005                        /lib64/libm-2.4.so
3025980000-3025981000 r--p 00080000 08:05 2406005                        /lib64/libm-2.4.so
3025981000-3025982000 rw-p 00081000 08:05 2406005                        /lib64/libm-2.4.so
3904f00000-3904f0d000 r-xp 00000000 08:05 2407165                        /lib64/libgcc_s-4.1.1-20060525.so.1
3904f0d000-390500d000 ---p 0000d000 08:05 2407165                        /lib64/libgcc_s-4.1.1-20060525.so.1
390500d000-390500e000 rw-p 0000d000 08:05 2407165                        /lib64/libgcc_s-4.1.1-20060525.so.1
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0
2aaaaaac0000-2aaaaaac1000 rw-p 2aaaaaac0000 00:00 0
2aaaaaac1000-2aaaaaacf000 r-xp 00000000 08:05 1367445                    /usr/lib64/libtre.so.4.2.3
2aaaaaacf000-2aaaaabce000 ---p 0000e000 08:05 1367445                    /usr/lib64/libtre.so.4.2.3
2aaaaabce000-2aaaaabcf000 rw-p 0000d000 08:05 1367445                    /usr/lib64/libtre.so.4.2.3
2aaaaabcf000-2aaaadd10000 rw-p 2aaaaabcf000 00:00 0
7fffcdba6000-7fffcdbbb000 rw-p 7fffcdba6000 00:00 0                      [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vdso]

Program received signal SIGABRT, Aborted.
0x000000302532f4f5 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x000000302532f4f5 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003025330e40 in *__GI_abort () at abort.c:88
#2  0x0000003025366a6b in __libc_message (do_abort=2,
    fmt=0x30254185e8 "*** buffer overflow detected ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00000030253dfaef in *__GI___chk_fail () at chk_fail.c:31
#4  0x00000030253df0a9 in _IO_str_chk_overflow (fp=Variable "fp" is not available.
) at vsprintf_chk.c:35
#5  0x000000302536a369 in _IO_default_xsputn (f=0x7fffcdbb9260, data=Variable "data" is not available.
) at genops.c:480
#6  0x0000003025342918 in _IO_vfprintf_internal (s=0x7fffcdbb9260, format=Variable "format" is not available.
) at vfprintf.c:1558
#7  0x00000030253df14d in ___vsprintf_chk (s=0x7fffcdbb9e50 "5AB77B4BEA32C5F", flags=1, slen=16,
    format=0x4252cc "%08lX", args=0x7fffcdbb9390) at vsprintf_chk.c:87
#8  0x00000030253df090 in ___sprintf_chk (s=Variable "s" is not available.
) at sprintf_chk.c:33
#9  0x0000000000407a53 in crm_preprocessor (csl=0x53a010, flags=Variable "flags" is not available.
) at crm_preprocessor.c:315
#10 0x0000000000403054 in main (argc=2, argv=0x7fffcdbb9ff8) at crm_main.c:615
Comment 1 W. S. Yerazunis 2006-09-02 20:01:52 EDT
In the source, this corresponds to a call in CRM114 (not TRE) to sprintf 
that *should* have adequate space (an 8-character format, fixed data, into 
a 16-character buffer.  It works fine on 32-bit GCC.

We'll test this with a much-enlarged buffer and see if this a 64-bit bug
or what.
  
Note: I personally don't have a 64-bit machine, so the original reporter
(Dominik) needs to do the testing on this.

    - Bill Yerazunis ( CRM114 Team)
Comment 2 Dominik 'Rathann' Mierzejewski 2006-09-02 21:09:02 EDT
Yes, looks like I misread the crash dump. Reassigning to crm114 component (which
I'm the maintainer of, too).
Comment 3 Dominik 'Rathann' Mierzejewski 2006-09-02 21:11:41 EDT
Enlarging the buffer by a factor of two eliminates the crash, but make megatest
shows some unexpected differences, investigating...
Comment 4 Dominik 'Rathann' Mierzejewski 2007-04-17 14:17:38 EDT
Finally fixed.

Note You need to log in before you can comment on or make changes to this bug.