Bug 247864 - nvram sysfs attribute violates read() semantics
Summary: nvram sysfs attribute violates read() semantics
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
low
low
Target Milestone: ---
: ---
Assignee: Bryn M. Reeves
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-07-11 19:18 UTC by Bryn M. Reeves
Modified: 2014-06-09 11:09 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-06-02 13:18:40 UTC


Attachments (Terms of Use)

Description Bryn M. Reeves 2007-07-11 19:18:44 UTC
Description of problem:
Current development version of udevinfo seems to have a stack buffer overflow:

# udevinfo -ap /block/sdb &> udevinfo.out
*** stack smashing detected ***: udevinfo terminated
Aborted (core dumped)


Version-Release number of selected component (if applicable):
udev-095-14.9.el5

How reproducible:
100% on this system

Steps to Reproduce:
1. Run "udevinfo -ap" on an entry in /sys/block, e.g.:
# udevinfo -ap /block/sdb
  
Actual results:


Expected results:
*** stack smashing detected ***: udevinfo terminated
Aborted (core dumped)

Additional info:
Always seems to die at:

  looking at parent device
'/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1':
    ID=="host1"
    BUS==""
    DRIVER==""
    SYSFS{optrom}==""

Comment 1 Bryn M. Reeves 2007-07-11 19:22:55 UTC
#0  0x00002aaaab154045 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00002aaaab154045 in raise () from /lib64/libc.so.6
#1  0x00002aaaab155ae0 in abort () from /lib64/libc.so.6
#2  0x00002aaaab18c1bb in __libc_message () from /lib64/libc.so.6
#3  0x00002aaaab2071df in __stack_chk_fail () from /lib64/libc.so.6
#4  0x0000555555558f12 in sysfs_attr_get_value (
    devpath=0x8 <Address 0x8 out of bounds>, attr_name=0x55556e446140 "�_DnUU")
    at udev_sysfs.c:399
#5  0x0000000000000000 in ?? ()


Comment 2 Bryn M. Reeves 2007-07-11 20:13:12 UTC
Sorry Harald - this is the kernel's doing, not udev:

open("/sys/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1/nvram",
O_RDONLY) = 8
read(8, "ISP \1\0\1\0\6\244\0\10\0\1\0\1\10\1!\0\0\340\213\217#"..., 128) = 256
close(8)                                = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 8


Comment 3 Bryn M. Reeves 2007-07-11 20:14:56 UTC
Attempting to read 128 bytes from this attribute:

/sys/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1/nvram

Actually reads 256 bytes into the buffer in userspace. Oops:

open("/sys/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1/nvram",
O_RDONLY) = 8
read(8, "ISP \1\0\1\0\6\244\0\10\0\1\0\1\10\1!\0\0\340\213\217#"..., 128) = 256


Comment 4 Bryn M. Reeves 2007-07-11 20:15:32 UTC
Seeing this on 2.6.18-32.el5 x86_64

Comment 5 Bryn M. Reeves 2007-07-11 20:34:03 UTC
Bug still upstream:

commit 459c537807bd72cce7b007fb218bb5a658a6c3c1
Author: Andrew Vasquez <andrew.vasquez@qlogic.com>
Date:   Wed Jul 6 10:31:07 2005 -0700

    [SCSI] qla2xxx: Add ISP24xx flash-manipulation routines.
    
    Add ISP24xx flash-manipulation routines.
    
    Add read/write flash manipulation routines for the ISP24xx.
    Update sysfs NVRAM objects to use generalized accessor
    functions.
    
    Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
    Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>



Comment 7 Harald Hoyer 2007-07-13 10:04:37 UTC
then reassign to kernel

Comment 8 Bryn M. Reeves 2007-07-17 15:12:14 UTC
weird - I had, but for some reason bugzilla decided to ignore that

Comment 10 RHEL Product and Program Management 2014-03-07 13:44:16 UTC
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 11 RHEL Product and Program Management 2014-06-02 13:18:40 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).


Note You need to log in before you can comment on or make changes to this bug.