From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.6) Gecko/20060808 Fedora/1.5.0.6-2.fc5 Firefox/1.5.0.6 pango-text

Description of problem:
When compiled for x86_64, running crm114 linked against tre results in a buffer overflow.

Version-Release number of selected component (if applicable):
tre-0.7.4-4.fc5

How reproducible:
Always

Steps to Reproduce:
1. Build tre for x86_64.
2. Build crm114 against it.
3. Run ./crm ./bracktest.crm

Actual Results:
*** buffer overflow detected ***: /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm terminated

Expected Results:
The test should run and pass.

Additional info:
$ gdb ./crm
GNU gdb Red Hat Linux (6.3.0.0-1.122rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run ./bracktest.crm
Starting program: /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm ./bracktest.crm
*** buffer overflow detected ***: /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x30253dfaef]
/lib64/libc.so.6[0x30253df0a9]
/lib64/libc.so.6(_IO_default_xsputn+0x89)[0x302536a369]
/lib64/libc.so.6(_IO_vfprintf+0x1638)[0x3025342918]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x30253df14d]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x30253df090]
/home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm[0x407a53]
/home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm[0x403054]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x302531ce54]
/home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm[0x4020a9]
======= Memory map: ========
00400000-0042f000 r-xp 00000000 08:07 13926753 /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm114_tre
0052e000-00530000 rw-p 0002e000 08:07 13926753 /home/dominik/build/BUILD/crm114-20060704a-BlameRobert.src/crm114_tre
00530000-0055b000 rw-p 00530000 00:00 0 [heap]
3025100000-302511a000 r-xp 00000000 08:05 2405998 /lib64/ld-2.4.so
3025219000-302521a000 r--p 00019000 08:05 2405998 /lib64/ld-2.4.so
302521a000-302521b000 rw-p 0001a000 08:05 2405998 /lib64/ld-2.4.so
3025300000-302543f000 r-xp 00000000 08:05 2405999 /lib64/libc-2.4.so
302543f000-302553f000 ---p 0013f000 08:05 2405999 /lib64/libc-2.4.so
302553f000-3025543000 r--p 0013f000 08:05 2405999 /lib64/libc-2.4.so
3025543000-3025544000 rw-p 00143000 08:05 2405999 /lib64/libc-2.4.so
3025544000-3025549000 rw-p 3025544000 00:00 0
3025800000-3025880000 r-xp 00000000 08:05 2406005 /lib64/libm-2.4.so
3025880000-3025980000 ---p 00080000 08:05 2406005 /lib64/libm-2.4.so
3025980000-3025981000 r--p 00080000 08:05 2406005 /lib64/libm-2.4.so
3025981000-3025982000 rw-p 00081000 08:05 2406005 /lib64/libm-2.4.so
3904f00000-3904f0d000 r-xp 00000000 08:05 2407165 /lib64/libgcc_s-4.1.1-20060525.so.1
3904f0d000-390500d000 ---p 0000d000 08:05 2407165 /lib64/libgcc_s-4.1.1-20060525.so.1
390500d000-390500e000 rw-p 0000d000 08:05 2407165 /lib64/libgcc_s-4.1.1-20060525.so.1
2aaaaaaab000-2aaaaaaac000 rw-p 2aaaaaaab000 00:00 0
2aaaaaac0000-2aaaaaac1000 rw-p 2aaaaaac0000 00:00 0
2aaaaaac1000-2aaaaaacf000 r-xp 00000000 08:05 1367445 /usr/lib64/libtre.so.4.2.3
2aaaaaacf000-2aaaaabce000 ---p 0000e000 08:05 1367445 /usr/lib64/libtre.so.4.2.3
2aaaaabce000-2aaaaabcf000 rw-p 0000d000 08:05 1367445 /usr/lib64/libtre.so.4.2.3
2aaaaabcf000-2aaaadd10000 rw-p 2aaaaabcf000 00:00 0
7fffcdba6000-7fffcdbbb000 rw-p 7fffcdba6000 00:00 0 [stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vdso]

Program received signal SIGABRT, Aborted.
0x000000302532f4f5 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) bt
#0  0x000000302532f4f5 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003025330e40 in *__GI_abort () at abort.c:88
#2  0x0000003025366a6b in __libc_message (do_abort=2, fmt=0x30254185e8 "*** buffer overflow detected ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00000030253dfaef in *__GI___chk_fail () at chk_fail.c:31
#4  0x00000030253df0a9 in _IO_str_chk_overflow (fp=Variable "fp" is not available.
) at vsprintf_chk.c:35
#5  0x000000302536a369 in _IO_default_xsputn (f=0x7fffcdbb9260, data=Variable "data" is not available.
) at genops.c:480
#6  0x0000003025342918 in _IO_vfprintf_internal (s=0x7fffcdbb9260, format=Variable "format" is not available.
) at vfprintf.c:1558
#7  0x00000030253df14d in ___vsprintf_chk (s=0x7fffcdbb9e50 "5AB77B4BEA32C5F", flags=1, slen=16, format=0x4252cc "%08lX", args=0x7fffcdbb9390) at vsprintf_chk.c:87
#8  0x00000030253df090 in ___sprintf_chk (s=Variable "s" is not available.
) at sprintf_chk.c:33
#9  0x0000000000407a53 in crm_preprocessor (csl=0x53a010, flags=Variable "flags" is not available.
) at crm_preprocessor.c:315
#10 0x0000000000403054 in main (argc=2, argv=0x7fffcdbb9ff8) at crm_main.c:615
In the source, this corresponds to a call in CRM114 (not TRE) to sprintf that *should* have adequate space (an 8-character format, fixed data, into a 16-character buffer). It works fine on 32-bit GCC. We'll test this with a much-enlarged buffer and see if this is a 64-bit bug or what. Note: I personally don't have a 64-bit machine, so the original reporter (Dominik) needs to do the testing on this. - Bill Yerazunis (CRM114 Team)
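The backtrace above shows the format "%08lX" being written into a buffer with slen=16. The "08" is only a minimum width, and on LP64 x86_64 an unsigned long is 64 bits, so that conversion can emit 16 hex digits plus the terminating NUL, 17 bytes, whereas on 32-bit it tops out at 9. The following is an added example, not code from the bug report or from CRM114 itself; the function names and the all-bits-set sample value are constructed for illustration. It measures what "%08lX" actually needs and shows a bounded snprintf replacement that reports truncation instead of overrunning.

```c
#include <stdio.h>
#include <string.h>

/* Widest output of "%08lX": one hex digit per nibble of unsigned long. The
 * "08" only pads short values, it never caps long ones, so the worst case is
 * 8 digits on ILP32 (32-bit) but 16 on LP64 (x86_64 Linux), plus the NUL. */
#define HEX08_WORST_CASE_BYTES (sizeof(unsigned long) * 2 + 1)

/* Bytes a caller must provide for "%08lX" of v, NUL terminator included. */
size_t hex08_bytes_needed(unsigned long v)
{
    int n = snprintf(NULL, 0, "%08lX", v);   /* sizing call writes nothing */
    return (size_t)n + 1;
}

/* 1 if sprintf(buf, "%08lX", v) into a bufsize-byte buffer cannot overflow. */
int hex08_fits(unsigned long v, size_t bufsize)
{
    return hex08_bytes_needed(v) <= bufsize;
}

/* Bounded replacement for the plain sprintf: never writes past dstsize and
 * reports truncation (-1) instead of silently overrunning the buffer. */
int format_hex08(char *dst, size_t dstsize, unsigned long v)
{
    int n = snprintf(dst, dstsize, "%08lX", v);
    if (n < 0 || (size_t)n >= dstsize) {
        if (dstsize) dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Formats v into a dstsize-byte scratch buffer (capped at 64) and returns 1
 * only if format_hex08 succeeded and produced exactly expect. */
int hex08_check(unsigned long v, size_t dstsize, const char *expect)
{
    char scratch[64];
    if (dstsize > sizeof scratch) dstsize = sizeof scratch;
    if (format_hex08(scratch, dstsize, v) != 0) return 0;
    return strcmp(scratch, expect) == 0;
}

int main(void)
{
    unsigned long allbits = (unsigned long)-1;   /* constructed worst case */
    printf("sizeof(long)=%zu: \"%%08lX\" needs up to %zu bytes; CRM114 gave it 16\n",
           sizeof(unsigned long), (size_t)HEX08_WORST_CASE_BYTES);
    printf("0x%lX fits in 16 bytes: %d\n", allbits, hex08_fits(allbits, 16));
    return 0;
}
```

Compiled for x86_64 the second line prints 0, matching the fortified sprintf abort in the backtrace; compiled with -m32 it prints 1, matching "works fine on 32-bit".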
Yes, looks like I misread the crash dump. Reassigning to crm114 component (which I'm the maintainer of, too).
Enlarging the buffer by a factor of two eliminates the crash, but make megatest shows some unexpected differences, investigating...
Finally fixed.