Bug 437086 - xen: buffer overflow detected: qcow-create terminated
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: xen
Version: 5.2
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Berrange
QA Contact: Virtualization Bugs
Keywords: ZStream
Duplicates: 251330
Depends On: 437087 437088
Blocks: 391501 448899 449772 454651
Reported: 2008-03-12 07:03 EDT by Jan Lieskovsky
Modified: 2010-10-22 19:11 EDT
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:11:34 EST

Attachments
Fix buflens for args to realpath() (1.56 KB, patch)
2008-07-09 06:40 EDT, Daniel Berrange

Description Jan Lieskovsky 2008-03-12 07:03:19 EDT
Description of problem:

The following bug has been reported to the upstream Xen bug tracker:

qcow-create fails printing '*** buffer overflow detected ***' with a backtrace.

Version applicable:
Successfully reproduced on latest rhel-5 xen (xen-3.0.3-41.el5).

How reproducible:
Always

Steps to reproduce:
1, dd if=/dev/zero of=backing.store.img bs=1M count=10
2, mke2fs -j backing.store.img 
3, qcow-create 10 qcow.img backing.store.img 

Actual results:

Buffer overflow experienced and qcow-create terminated.

Expected results:

Successful qcow image creation || error message:
"Improper format of input file".

Link to Xen upstream bug tracker:

http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1077

Link to proposed patch:

http://bugzilla.xensource.com/bugzilla/attachment.cgi?id=679
Comment 3 Jan Lieskovsky 2008-03-12 07:42:17 EDT
Closing this one -- when the local, unprivileged user has no chance even
to create a malicious virt machine image (improper input file detected
by "glibc") and provide it to root to run, in order to force the
whole kernel-xen to crash, it seems there is no way this one could be
misused. (But the clones are still worth fixing in the particular rhel-5
xen packages.)
Comment 4 Jan Lieskovsky 2008-03-12 08:48:28 EDT
Have closed the clones, reopened this one (this is the proper handling
of such cases).
Comment 5 Chris Lalancette 2008-03-25 16:56:04 EDT
*** Bug 251330 has been marked as a duplicate of this bug. ***
Comment 11 RHEL Product and Program Management 2008-06-02 16:14:19 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 14 Daniel Berrange 2008-07-04 12:53:01 EDT
Ok, I finally understand why this is happening and why the upstream patch fixes
it. The 'realpath()' method specification mandates that the second argument be
exactly PATH_MAX in size. The qcow code was only giving it a 1024 byte array,
and even though the path in question would fit in this, the GLibC FORTIFY_SOURCE
checks were flagging the fact that the 2nd arg was not large enough to comply
with spec and thus aborting. So, approve for 5.3 and 5.2.x z-stream if desired.
Comment 16 Daniel Berrange 2008-07-09 06:40:45 EDT
Created attachment 311361 [details]
Fix buflens for args to realpath()
Comment 19 Daniel Berrange 2008-07-21 06:48:41 EDT
Built into xen-3.0.3-67.el5
Comment 20 Daniel Berrange 2008-07-21 07:29:26 EDT
Correction,  xen-3.0.3-68.el5

Comment 28 Issue Tracker 2008-11-07 18:26:49 EST
Good news! I'll set the resolution code on the IT ticket to RHEL 5.3.

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 5.3'

This event sent from IssueTracker by gcase 
 issue 170675
Comment 30 errata-xmlrpc 2009-01-20 16:11:34 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0118.html
