Bug 247864 - nvram sysfs attribute violates read() semantics
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Bryn M. Reeves
Reported: 2007-07-11 15:18 EDT by Bryn M. Reeves
Modified: 2014-06-09 07:09 EDT
Doc Type: Bug Fix
Last Closed: 2014-06-02 09:18:40 EDT
Description Bryn M. Reeves 2007-07-11 15:18:44 EDT
Description of problem:
Current development version of udevinfo seems to have a stack buffer overflow:

# udevinfo -ap /block/sdb &> udevinfo.out
*** stack smashing detected ***: udevinfo terminated
Aborted (core dumped)


Version-Release number of selected component (if applicable):
udev-095-14.9.el5

How reproducible:
100% on this system

Steps to Reproduce:
1. Run "udevinfo -ap" on an entry in /sys/block, e.g.:
# udevinfo -ap /block/sdb
  
Actual results:


Expected results:
*** stack smashing detected ***: udevinfo terminated
Aborted (core dumped)

Additional info:
Always seems to die at:

  looking at parent device
'/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1':
    ID=="host1"
    BUS==""
    DRIVER==""
    SYSFS{optrom}==""
Comment 1 Bryn M. Reeves 2007-07-11 15:22:55 EDT
#0  0x00002aaaab154045 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00002aaaab154045 in raise () from /lib64/libc.so.6
#1  0x00002aaaab155ae0 in abort () from /lib64/libc.so.6
#2  0x00002aaaab18c1bb in __libc_message () from /lib64/libc.so.6
#3  0x00002aaaab2071df in __stack_chk_fail () from /lib64/libc.so.6
#4  0x0000555555558f12 in sysfs_attr_get_value (
    devpath=0x8 <Address 0x8 out of bounds>, attr_name=0x55556e446140 "�_DnUU")
    at udev_sysfs.c:399
#5  0x0000000000000000 in ?? ()
Comment 2 Bryn M. Reeves 2007-07-11 16:13:12 EDT
Sorry Harald - this is the kernel's doing, not udev:

open("/sys/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1/nvram", O_RDONLY) = 8
read(8, "ISP \1\0\1\0\6\244\0\10\0\1\0\1\10\1!\0\0\340\213\217#"..., 128) = 256
close(8)                                = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 8
Comment 3 Bryn M. Reeves 2007-07-11 16:14:56 EDT
Attempting to read 128 bytes from this attribute:

/sys/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1/nvram

Actually reads 256 bytes into the buffer in userspace. Oops:

open("/sys/devices/pci0000:00/0000:00:02.0/0000:05:00.3/0000:0a:01.0/host1/nvram", O_RDONLY) = 8
read(8, "ISP \1\0\1\0\6\244\0\10\0\1\0\1\10\1!\0\0\340\213\217#"..., 128) = 256
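
Added example, not part of the bug report and not the qla2xxx driver's code: a userspace C model of a read handler taking sysfs-style (buf, off, count) arguments, with a handler that ignores count next to one that clamps to it. The function names and the zero-filled 256-byte nvram array are assumptions for illustration; the guard buffer is oversized so the demonstration itself stays in bounds.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NVRAM_SIZE 256                    /* return value seen in the strace */
static unsigned char nvram[NVRAM_SIZE];   /* constructed stand-in, all zero */

/* Assumed flawed pattern: 'count' is ignored and the whole attribute is
 * copied, so a 128-byte request reports 256 bytes. */
static ssize_t nvram_read_unbounded(char *buf, off_t off, size_t count)
{
    (void)count;
    if (off != 0)
        return 0;
    memcpy(buf, nvram, NVRAM_SIZE);
    return NVRAM_SIZE;
}

/* Bounded form: never copy or report more than the caller asked for. */
static ssize_t nvram_read_bounded(char *buf, off_t off, size_t count)
{
    if (off < 0 || (size_t)off >= NVRAM_SIZE)
        return 0;                         /* at or past end: EOF */
    if (count > NVRAM_SIZE - (size_t)off)
        count = NVRAM_SIZE - (size_t)off; /* clamp to remaining data */
    memcpy(buf, nvram + off, count);
    return (ssize_t)count;
}

/* Request 'want' bytes (want <= 2 * NVRAM_SIZE) and count the guard bytes
 * after the requested window that the handler overwrote. */
static size_t bytes_past_request(ssize_t (*rd)(char *, off_t, size_t),
                                 size_t want, ssize_t *ret)
{
    char backing[2 * NVRAM_SIZE];
    size_t i, clobbered = 0;
    memset(backing, 0xAA, sizeof(backing));   /* guard pattern */
    *ret = rd(backing, 0, want);
    for (i = want; i < sizeof(backing); i++)
        clobbered += ((unsigned char)backing[i] != 0xAA);
    return clobbered;
}

int main(void)
{
    ssize_t r;
    size_t over = bytes_past_request(nvram_read_unbounded, 128, &r);
    printf("unbounded: ret=%zd, %zu bytes past request\n", r, over);
    over = bytes_past_request(nvram_read_bounded, 128, &r);
    printf("bounded:   ret=%zd, %zu bytes past request\n", r, over);
    return 0;
}
```

A userspace caller can also treat any read() return value larger than the size it requested as an error instead of using it as a length.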
Comment 4 Bryn M. Reeves 2007-07-11 16:15:32 EDT
Seeing this on 2.6.18-32.el5 x86_64
Comment 5 Bryn M. Reeves 2007-07-11 16:34:03 EDT
Bug still upstream:

commit 459c537807bd72cce7b007fb218bb5a658a6c3c1
Author: Andrew Vasquez <andrew.vasquez@qlogic.com>
Date:   Wed Jul 6 10:31:07 2005 -0700

    [SCSI] qla2xxx: Add ISP24xx flash-manipulation routines.
    
    Add ISP24xx flash-manipulation routines.
    
    Add read/write flash manipulation routines for the ISP24xx.
    Update sysfs NVRAM objects to use generalized accessor
    functions.
    
    Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
    Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Comment 7 Harald Hoyer 2007-07-13 06:04:37 EDT
then reassign to kernel
Comment 8 Bryn M. Reeves 2007-07-17 11:12:14 EDT
weird - I had, but for some reason bugzilla decided to ignore that
Comment 10 RHEL Product and Program Management 2014-03-07 08:44:16 EST
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Comment 11 RHEL Product and Program Management 2014-06-02 09:18:40 EDT
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
