538047 – Any use of QEMU's vvfat driver always abort()s the whole process

Bug 538047 - Any use of QEMU's vvfat driver always abort()s the whole process

Summary: Any use of QEMU's vvfat driver always abort()s the whole process

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	qemu
Sub Component:
Version:	12
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Justin M. Forbes
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	F12VirtTarget
TreeView+	depends on / blocked

Reported:	2009-11-17 12:26 UTC by Daniel Berrangé
Modified:	2010-12-04 03:15 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	538056 (view as bug list)
Environment:
Last Closed:	2010-12-04 03:15:46 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Daniel Berrangé 2009-11-17 12:26:02 UTC

Description of problem:
# /usr/bin/qemu -fda fat:/tmp/test
*** buffer overflow detected ***: /usr/bin/qemu terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x316c5d]
/lib/libc.so.6[0x314d7a]
/lib/libc.so.6[0x3146c9]
/lib/libc.so.6(__snprintf_chk+0x34)[0x3145b4]
/usr/bin/qemu[0x80c6ac0]
/usr/bin/qemu[0x80b6fe8]
/usr/bin/qemu[0x805238b]
/usr/bin/qemu[0x80530fd]
/lib/libc.so.6(__libc_start_main+0xe6)[0x239bb6]
/usr/bin/qemu[0x804d8c1]
======= Memory map: ========
00110000-00161000 r-xp 00000000 fd:00 2401951    /usr/lib/libpulsecommon-0.9.19.so
00161000-00162000 rw-p 00051000 fd:00 2401951    /usr/lib/libpulsecommon-0.9.19.so
001ee000-001f0000 r-xp 00000000 fd:00 2162897    /lib/libutil-2.11.so
001f0000-001f1000 r--p 00001000 fd:00 2162897    /lib/libutil-2.11.so
001f1000-001f2000 rw-p 00002000 fd:00 2162897    /lib/libutil-2.11.so
001f4000-001f7000 r-xp 00000000 fd:00 2162900    /lib/libgpg-error.so.0.4.0
001f7000-001f8000 rw-p 00002000 fd:00 2162900    /lib/libgpg-error.so.0.4.0
001fd000-0021b000 r-xp 00000000 fd:00 2162690    /lib/ld-2.11.so
0021b000-0021c000 r--p 0001d000 fd:00 2162690    /lib/ld-2.11.so
0021c000-0021d000 rw-p 0001e000 fd:00 2162690    /lib/ld-2.11.so
00223000-00391000 r-xp 00000000 fd:00 2162710    /lib/libc-2.11.so
00391000-00392000 ---p 0016e000 fd:00 2162710    /lib/libc-2.11.so
00392000-00394000 r--p 0016e000 fd:00 2162710    /lib/libc-2.11.so
00394000-00395000 rw-p 00170000 fd:00 2162710    /lib/libc-2.11.so
00395000-00398000 rw-p 00000000 00:00 0 
0039a000-003c2000 r-xp 00000000 fd:00 2162744    /lib/libm-2.11.so
003c2000-003c3000 r--p 00027000 fd:00 2162744    /lib/libm-2.11.so
003c3000-003c4000 rw-p 00028000 fd:00 2162744    /lib/libm-2.11.so
003c6000-003c9000 r-xp 00000000 fd:00 2162738    /lib/libdl-2.11.so
003c9000-003ca000 r--p 00002000 fd:00 2162738    /lib/libdl-2.11.so
003ca000-003cb000 rw-p 00003000 fd:00 2162738    /lib/libdl-2.11.so
003cd000-003e3000 r-xp 00000000 fd:00 2162717    /lib/libpthread-2.11.so
003e3000-003e4000 r--p 00015000 fd:00 2162717    /lib/libpthread-2.11.so
003e4000-003e5000 rw-p 00016000 fd:00 2162717    /lib/libpthread-2.11.so
003e5000-003e7000 rw-p 00000000 00:00 0 
003e9000-003fb000 r-xp 00000000 fd:00 2162742    /lib/libz.so.1.2.3
003fb000-003fc000 rw-p 00011000 fd:00 2162742    /lib/libz.so.1.2.3
003fe000-00405000 r-xp 00000000 fd:00 2162885    /lib/librt-2.11.so
00405000-00406000 r--p 00006000 fd:00 2162885    /lib/librt-2.11.so
00406000-00407000 rw-p 00007000 fd:00 2162885    /lib/librt-2.11.so
00409000-0040c000 r-xp 00000000 fd:00 2400389    /usr/lib/libpulse-simple.so.0.0.3
0040c000-0040d000 rw-p 00002000 fd:00 2400389    /usr/lib/libpulse-simple.so.0.0.3
00429000-0043d000 r-xp 00000000 fd:00 2162756    /lib/libresolv-2.11.so
0043d000-0043e000 ---p 00014000 fd:00 2162756    /lib/libresolv-2.11.so
0043e000-0043f000 r--p 00014000 fd:00 2162756    /lib/libresolv-2.11.so
0043f000-00440000 rw-p 00015000 fd:00 2162756    /lib/libresolv-2.11.so
00440000-00442000 rw-p 00000000 00:00 0 
0052f000-00663000 r-xp 00000000 fd:00 2392984    /usr/lib/libX11.so.6.3.0
00663000-00667000 rw-p 00133000 fd:00 2392984    /usr/lib/libX11.so.6.3.0
00669000-0066b000 r-xp 00000000 fd:00 2392948    /usr/lib/libXau.so.6.0.0
0066b000-0066c000 rw-p 00001000 fd:00 2392948    /usr/lib/libXau.so.6.0.0
0066e000-0068b000 r-xp 00000000 fd:00 2392972    /usr/lib/libxcb.so.1.1.0
0068b000-0068c000 rw-p 0001c000 fd:00 2392972    /usr/lib/libxcb.so.1.1.0
006d4000-006e4000 r-xp 00000000 fd:00 2393021    /usr/lib/libXext.so.6.4.0
006e4000-006e5000 rw-p 00010000 fd:00 2393021    /usr/lib/libXext.so.6.4.0
0081d000-0082a000 r-xp 00000000 fd:00 2393343    /usr/lib/libXi.so.6.1.0
0082a000-0082b000 rw-p 0000d000 fd:00 2393343    /usr/lib/libXi.so.6.1.0
0083f000-00843000 r-xp 00000000 fd:00 2162905    /lib/libcap-ng.so.0.0.0
00843000-00844000 r--p 00003000 fd:00 2162905    /lib/libcap-ng.so.0.0.0
00844000-00845000 rw-p 00004000 fd:00 2162905    /lib/libcap-ng.so.0.0.0
00851000-00896000 r-xp 00000000 fd:00 2162906    /lib/libdbus-1.so.3.4.0
00896000-00897000 r--p 00044000 fd:00 2162906    /lib/libdbus-1.so.3.4.0
00897000-00898000 rw-p 00045000 fd:00 2162906    /lib/libdbus-1.so.3.4.0
008a6000-008c3000 r-xp 00000000 fd:00 2162779    /lib/libgcc_s-4.4.2-20091027.so.1
008c3000-008c4000 rw-p 0001c000 fd:00 2162779    /lib/libgcc_s-4.4.2-20091027.so.1
00979000-0097d000 r-xp 00000000 fd:00 2162825    /lib/libuuid.so.1.3.0
0097d000-0097e000 rw-p 00003000 fd:00 2162825    /lib/libuuid.so.1.3.0
009a9000-009aa000 r-xp 00000000 00:00 0          [vdso]
009ec000-009f7000 r-xp 00000000 fd:00 2163143    /lib/libnss_files-2.11.so
009f7000-009f8000 r--p 0000a000 fd:00 2163143    /lib/libnss_files-2.11.so
009f8000-009f9000 rw-p 0000b000 fd:00 2163143    /lib/libnss_files-2.11.so
00af7000-00b58000 r-xp 00000000 fd:00 2401936    /usr/lib/libsndfile.so.1.0.20
00b58000-00b5a000 rw-p 00060000 fd:00 2401936    /usr/lib/libsndfile.so.1.0.20
00b5a000-00b5e000 rw-p 00000000 00:00 0 
00b60000-00ba3000 r-xp 00000000 fd:00 2402002    /usr/lib/libpulse.so.0.12.0
00ba3000-00ba4000 rw-p 00043000 fd:00 2402002    /usr/lib/libpulse.so.0.12.0
00ba6000-00bae000 r-xp 00000000 fd:00 2162957    /lib/libwrap.so.0.7.6
00bae000-00baf000 rw-p 00008000 fd:00 2162957    /lib/libwrap.so.0.7.6
00bcb000-00be4000 r-xp 00000000 fd:00 2402838    /usr/lib/libsasl2.so.2.0.23
00be4000-00be5000 rw-p 00018000 fd:00 2402838    /usr/lib/libsasl2.so.2.0.23
00c05000-00c0a000 r-xp 00000000 fd:00 2401938    /usr/lib/libasyncns.so.0.3.1
00c0a000-00c0b000 rw-p 00004000 fd:00 2401938    /usr/lib/libasyncns.so.0.3.1
00c2a000-00c31000 r-xp 00000000 fd:00 2163131    /lib/libcrypt-2.11.so
00c31000-00c32000 r--p 00007000 fd:00 2163131    /lib/libcrypt-2.11.so
00c32000-00c33000 rw-p 00008000 fd:00 2163131    /lib/libcrypt-2.11.so
00c33000-00c5a000 rw-p 00000000 00:00 0 
00dbb000-00dc2000 r-xp 00000000 fd:00 2393082    /usr/lib/libSM.so.6.0.0
00dc2000-00dc3000 rw-p 00006000 fd:00 2393082    /usr/lib/libSM.so.6.0.0
00dca000-00de1000 r-xp 00000000 fd:00 2393035    /usr/lib/libICE.so.6.3.0
00de1000-00de3000 rw-p 00016000 fd:00 2393035    /usr/lib/libICE.so.6.3.0
00de3000-00de4000 rw-p 00000000 00:00 0 
00f37000-00f7c000 r-xp 00000000 fd:00 1311602    /usr/lib/libfreebl3.so
00f7c000-00f7d000 rw-p 00044000 fd:00 1311602    /usr/lib/libfreebl3.so
00f7d000-00f81000 rw-p 00000000 00:00 0 
00f81000-02f81000 rwxp 00000000 00:00 0 
04dc2000-04dd3000 r-xp 00000000 fd:00 2394230    /usr/lib/libtasn1.so.3.1.6
04dd3000-04dd4000 rw-p 00010000 fd:00 2394230    /usr/lib/libtasn1.so.3.1.6
04de8000-04dfe000 r-xp 00000000 fd:00 2162929    /lib/libtinfo.so.5.7
04dfe000-04e01000 rw-p 00015000 fd:00 2162929    /lib/libtinfo.so.5.7
04e24000-04e29000 r-xp 00000000 fd:00 2399149    /usr/lib/libXtst.so.6.1.0
Program received signal SIGABRT, Aborted.


Running inside GDB I see

(gdb) bt
#0  0x009a9416 in __kernel_vsyscall ()
#1  0x0024da81 in raise () from /lib/libc.so.6
#2  0x0024f34a in abort () from /lib/libc.so.6
#3  0x0028ae5d in __libc_message () from /lib/libc.so.6
#4  0x00316c5d in __fortify_fail () from /lib/libc.so.6
#5  0x00314d7a in __chk_fail () from /lib/libc.so.6
#6  0x003146c9 in __vsnprintf_chk () from /lib/libc.so.6
#7  0x003145b4 in __snprintf_chk () from /lib/libc.so.6
#8  0x080c6ac0 in snprintf (__fmt=0x81bfe31 "QEMU VVFAT", __s=<value optimized out>, __n=<value optimized out>)
    at /usr/include/bits/stdio2.h:65
#9  init_directories (__fmt=0x81bfe31 "QEMU VVFAT", __s=<value optimized out>, __n=<value optimized out>) at block/vvfat.c:871
#10 vvfat_open (__fmt=0x81bfe31 "QEMU VVFAT", __s=<value optimized out>, __n=<value optimized out>) at block/vvfat.c:1068
#11 0x080b6fe8 in bdrv_open2 (bs=<value optimized out>, filename=<value optimized out>, flags=<value optimized out>, 
    drv=<value optimized out>) at block.c:417
#12 0x0805238b in drive_init (arg=<value optimized out>, snapshot=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.11.0/vl.c:2381
#13 0x080530fd in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.11.0/vl.c:5951



Looking at the code for line 8 in QEMU's  block/vvfat.c I see

    /* add volume label */
    {
        direntry_t* entry=array_get_next(&(s->directory));
        entry->attributes=0x28; /* archive | volume label */
        snprintf((char*)entry->name,11,"QEMU VVFAT");
    }


Notice how it is saying that  entry->name is 11 bytes long. This is a total lie

  typedef struct direntry_t {
    uint8_t name[8];
    uint8_t extension[3];
    uint8_t attributes;
    uint8_t reserved[2];
    uint16_t ctime;
    ....snip....


It is essentially relying on a delibrate buffer overflow into the extension field, and GCC/GLibC are quite rightly throwing up their hands in horror & abort()ing the process.


Version-Release number of selected component (if applicable):
qemu-0.11.0-11.fc12.i686

How reproducible:
Always

Steps to Reproduce:
1.# /usr/bin/qemu -fda fat:/tmp/test
2.
3.
  
Actual results:
Aborts

Expected results:
Runs !

Additional info:

Comment 1 Daniel Berrangé 2009-11-17 12:36:36 UTC

Of course the reason upstream QEMU does not see this behaviour is that the configure script stupidly turns off FORTIFY_SOURCE to get rid of compile warnings, including the compile warning telling them about the obvious buffer overflow :-(


In function ‘snprintf’,
    inlined from ‘init_directories’ at block/vvfat.c:871,
    inlined from ‘vvfat_open’ at block/vvfat.c:1068:
/usr/include/bits/stdio2.h:65: warning: call to __builtin___snprintf_chk will always overflow destination buffer

Comment 2 Fedora Admin XMLRPC Client 2010-03-09 17:19:03 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 3 Bug Zapper 2010-11-04 06:17:52 UTC

This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Bug Zapper 2010-12-04 03:15:46 UTC

Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.