Bug 397531 - Freeciv FORTIFY failure during autosave
Summary: Freeciv FORTIFY failure during autosave
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeciv
Version: 8
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Brian Pepple
QA Contact: Fedora Extras Quality Assurance
URL: http://rt.freeciv.org/SelfService/Dis...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-11-24 00:49 UTC by Jerry James
Modified: 2007-12-07 21:33 UTC (History)
0 users

Fixed In Version: 2.1.1-1.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-12-07 21:33:58 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Jerry James 2007-11-24 00:49:41 UTC 
Description of problem:
If you play freeciv long enough, an autosave will eventually fail a FORTIFY
check and cause the server to die with the autosave file only partially written.
 Glibc says:

*** buffer overflow detected ***: civserver terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x4b7b58]
/lib/libc.so.6[0x4b6200]
civserver[0x8091ab1]
civserver[0x8093cc7]
civserver[0x80510b2]
civserver[0x8051341]
civserver[0x805200b]
civserver[0x805317e]
civserver[0x804a8ad]
/lib/libc.so.6(__libc_start_main+0xe0)[0x3e4390]
civserver(rl_filename_completion_function+0x339)[0x804a281]
======= Memory map: ========
00101000-0010c000 r-xp 00000000 fd:00 9864778    /lib/libgcc_s-4.1.2-20070925.so.1
0010c000-0010d000 rwxp 0000a000 fd:00 9864778    /lib/libgcc_s-4.1.2-20070925.so.1
00110000-00111000 r-xp 00110000 00:00 0          [vdso]
00111000-0015e000 r-xp 00000000 fd:00 34153655   /usr/lib/libbind.so.4.0.9
0015e000-00160000 rwxp 0004d000 fd:00 34153655   /usr/lib/libbind.so.4.0.9
0026c000-0029c000 r-xp 00000000 fd:00 32245853   /usr/lib/libreadline.so.5.2
0029c000-002a0000 rwxp 00030000 fd:00 32245853   /usr/lib/libreadline.so.5.2
002a0000-002a1000 rwxp 002a0000 00:00 0 
002ed000-00302000 r-xp 00000000 fd:00 9863239    /lib/libtinfo.so.5.6
00302000-00305000 rwxp 00014000 fd:00 9863239    /lib/libtinfo.so.5.6
003af000-003ca000 r-xp 00000000 fd:00 9864753    /lib/ld-2.7.so
003ca000-003cb000 r-xp 0001a000 fd:00 9864753    /lib/ld-2.7.so
003cb000-003cc000 rwxp 0001b000 fd:00 9864753    /lib/ld-2.7.so
003ce000-00521000 r-xp 00000000 fd:00 9864754    /lib/libc-2.7.so
00521000-00523000 r-xp 00153000 fd:00 9864754    /lib/libc-2.7.so
00523000-00524000 rwxp 00155000 fd:00 9864754    /lib/libc-2.7.so
00524000-00527000 rwxp 00524000 00:00 0 
00529000-00550000 r-xp 00000000 fd:00 9864758    /lib/libm-2.7.so
00550000-00551000 r-xp 00026000 fd:00 9864758    /lib/libm-2.7.so
00551000-00552000 rwxp 00027000 fd:00 9864758    /lib/libm-2.7.so
0055b000-00570000 r-xp 00000000 fd:00 9864756    /lib/libpthread-2.7.so
00570000-00571000 r-xp 00014000 fd:00 9864756    /lib/libpthread-2.7.so
00571000-00572000 rwxp 00015000 fd:00 9864756    /lib/libpthread-2.7.so
00572000-00574000 rwxp 00572000 00:00 0 
00576000-00588000 r-xp 00000000 fd:00 9864757    /lib/libz.so.1.2.3
00588000-00589000 rwxp 00011000 fd:00 9864757    /lib/libz.so.1.2.3
00b2c000-00b41000 r-xp 00000000 fd:00 9864767    /lib/libnsl-2.7.so
00b41000-00b42000 r-xp 00014000 fd:00 9864767    /lib/libnsl-2.7.so
00b42000-00b43000 rwxp 00015000 fd:00 9864767    /lib/libnsl-2.7.so
00b43000-00b45000 rwxp 00b43000 00:00 0 
08047000-0819a000 r-xp 00000000 fd:00 34167870   /usr/bin/civserver
0819a000-0819d000 rw-p 00153000 fd:00 34167870   /usr/bin/civserver
0819d000-082f3000 rw-p 0819d000 00:00 0 
09f79000-0aa27000 rw-p 09f79000 00:00 0 
b7c31000-b7ce2000 rw-p b7c31000 00:00 0 
b7d43000-b7f43000 r--p 00000000 fd:00 34147534   /usr/lib/locale/locale-archive
b7f43000-b7f46000 rw-p b7f43000 00:00 0 
b7f51000-b7f74000 rw-p b7f51000 00:00 0 
b7f74000-b7f7b000 r--s 00000000 fd:00 34277598   /usr/lib/gconv/gconv-modules.cache
bfb76000-bfbc4000 rw-p bffb1000 00:00 0          [stack]
2: lost connection to server

With gdb, I was able to determine that the dying address corresponds to the
memcpy on line 3366 of server/savegame.c.

Version-Release number of selected component (if applicable):
freeciv-2.1.0-1.fc8

How reproducible:
Always, if I play long enough.  It can take a couple of hours of playing to
trigger the bug.

Steps to Reproduce:
1. Play freeciv for a couple of hours
  
Actual results:
An autosave triggers a FORTIFY failure, causing the server to shut down.

Expected results:
The autosave should succeed.

Additional info:
Comment 1 Jerry James 2007-11-24 03:52:38 UTC 
I see the problem.  The part array, declared at line 3342, has size PART_SIZE +
1.  The variable bytes_adjust, declared at line 3339, is set to bytes_at_colon %
3; i.e., its value is 0, 1, or 2.  The variable size_of_current_part, declared
at line 3363, is PART_SIZE + bytes_adjust; i.e., it is at most PART_SIZE + 2. 
But then the offending memcpy copies size_of_current_part bytes into part,
possibly overflowing it by one byte.  The fix is to declare part as having size
PART_SIZE + 2.
Comment 2 Jerry James 2007-11-24 04:11:00 UTC 
I have now filed this bug upstream (#39898), and supplied them with a patch. 
See the bug URL.
Comment 3 Fedora Update System 2007-11-26 18:44:00 UTC 
freeciv-2.1.0-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update freeciv'
Comment 4 Fedora Update System 2007-12-03 11:49:15 UTC 
freeciv-2.1.1-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update freeciv'
Comment 5 Fedora Update System 2007-12-07 21:33:57 UTC 
freeciv-2.1.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.