Bug 538047 - Any use of QEMU's vvfat driver always abort()s the whole process
Any use of QEMU's vvfat driver always abort()s the whole process
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: qemu (Show other bugs)
12
All Linux
medium Severity medium
: ---
: ---
Assigned To: Justin M. Forbes
Fedora Extras Quality Assurance
: Triaged
Depends On:
Blocks: F12VirtTarget
  Show dependency treegraph
 
Reported: 2009-11-17 07:26 EST by Daniel Berrange
Modified: 2010-12-03 22:15 EST (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 538056 (view as bug list)
Environment:
Last Closed: 2010-12-03 22:15:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Berrange 2009-11-17 07:26:02 EST
Description of problem:
# /usr/bin/qemu -fda fat:/tmp/test
*** buffer overflow detected ***: /usr/bin/qemu terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x316c5d]
/lib/libc.so.6[0x314d7a]
/lib/libc.so.6[0x3146c9]
/lib/libc.so.6(__snprintf_chk+0x34)[0x3145b4]
/usr/bin/qemu[0x80c6ac0]
/usr/bin/qemu[0x80b6fe8]
/usr/bin/qemu[0x805238b]
/usr/bin/qemu[0x80530fd]
/lib/libc.so.6(__libc_start_main+0xe6)[0x239bb6]
/usr/bin/qemu[0x804d8c1]
======= Memory map: ========
00110000-00161000 r-xp 00000000 fd:00 2401951    /usr/lib/libpulsecommon-0.9.19.so
00161000-00162000 rw-p 00051000 fd:00 2401951    /usr/lib/libpulsecommon-0.9.19.so
001ee000-001f0000 r-xp 00000000 fd:00 2162897    /lib/libutil-2.11.so
001f0000-001f1000 r--p 00001000 fd:00 2162897    /lib/libutil-2.11.so
001f1000-001f2000 rw-p 00002000 fd:00 2162897    /lib/libutil-2.11.so
001f4000-001f7000 r-xp 00000000 fd:00 2162900    /lib/libgpg-error.so.0.4.0
001f7000-001f8000 rw-p 00002000 fd:00 2162900    /lib/libgpg-error.so.0.4.0
001fd000-0021b000 r-xp 00000000 fd:00 2162690    /lib/ld-2.11.so
0021b000-0021c000 r--p 0001d000 fd:00 2162690    /lib/ld-2.11.so
0021c000-0021d000 rw-p 0001e000 fd:00 2162690    /lib/ld-2.11.so
00223000-00391000 r-xp 00000000 fd:00 2162710    /lib/libc-2.11.so
00391000-00392000 ---p 0016e000 fd:00 2162710    /lib/libc-2.11.so
00392000-00394000 r--p 0016e000 fd:00 2162710    /lib/libc-2.11.so
00394000-00395000 rw-p 00170000 fd:00 2162710    /lib/libc-2.11.so
00395000-00398000 rw-p 00000000 00:00 0 
0039a000-003c2000 r-xp 00000000 fd:00 2162744    /lib/libm-2.11.so
003c2000-003c3000 r--p 00027000 fd:00 2162744    /lib/libm-2.11.so
003c3000-003c4000 rw-p 00028000 fd:00 2162744    /lib/libm-2.11.so
003c6000-003c9000 r-xp 00000000 fd:00 2162738    /lib/libdl-2.11.so
003c9000-003ca000 r--p 00002000 fd:00 2162738    /lib/libdl-2.11.so
003ca000-003cb000 rw-p 00003000 fd:00 2162738    /lib/libdl-2.11.so
003cd000-003e3000 r-xp 00000000 fd:00 2162717    /lib/libpthread-2.11.so
003e3000-003e4000 r--p 00015000 fd:00 2162717    /lib/libpthread-2.11.so
003e4000-003e5000 rw-p 00016000 fd:00 2162717    /lib/libpthread-2.11.so
003e5000-003e7000 rw-p 00000000 00:00 0 
003e9000-003fb000 r-xp 00000000 fd:00 2162742    /lib/libz.so.1.2.3
003fb000-003fc000 rw-p 00011000 fd:00 2162742    /lib/libz.so.1.2.3
003fe000-00405000 r-xp 00000000 fd:00 2162885    /lib/librt-2.11.so
00405000-00406000 r--p 00006000 fd:00 2162885    /lib/librt-2.11.so
00406000-00407000 rw-p 00007000 fd:00 2162885    /lib/librt-2.11.so
00409000-0040c000 r-xp 00000000 fd:00 2400389    /usr/lib/libpulse-simple.so.0.0.3
0040c000-0040d000 rw-p 00002000 fd:00 2400389    /usr/lib/libpulse-simple.so.0.0.3
00429000-0043d000 r-xp 00000000 fd:00 2162756    /lib/libresolv-2.11.so
0043d000-0043e000 ---p 00014000 fd:00 2162756    /lib/libresolv-2.11.so
0043e000-0043f000 r--p 00014000 fd:00 2162756    /lib/libresolv-2.11.so
0043f000-00440000 rw-p 00015000 fd:00 2162756    /lib/libresolv-2.11.so
00440000-00442000 rw-p 00000000 00:00 0 
0052f000-00663000 r-xp 00000000 fd:00 2392984    /usr/lib/libX11.so.6.3.0
00663000-00667000 rw-p 00133000 fd:00 2392984    /usr/lib/libX11.so.6.3.0
00669000-0066b000 r-xp 00000000 fd:00 2392948    /usr/lib/libXau.so.6.0.0
0066b000-0066c000 rw-p 00001000 fd:00 2392948    /usr/lib/libXau.so.6.0.0
0066e000-0068b000 r-xp 00000000 fd:00 2392972    /usr/lib/libxcb.so.1.1.0
0068b000-0068c000 rw-p 0001c000 fd:00 2392972    /usr/lib/libxcb.so.1.1.0
006d4000-006e4000 r-xp 00000000 fd:00 2393021    /usr/lib/libXext.so.6.4.0
006e4000-006e5000 rw-p 00010000 fd:00 2393021    /usr/lib/libXext.so.6.4.0
0081d000-0082a000 r-xp 00000000 fd:00 2393343    /usr/lib/libXi.so.6.1.0
0082a000-0082b000 rw-p 0000d000 fd:00 2393343    /usr/lib/libXi.so.6.1.0
0083f000-00843000 r-xp 00000000 fd:00 2162905    /lib/libcap-ng.so.0.0.0
00843000-00844000 r--p 00003000 fd:00 2162905    /lib/libcap-ng.so.0.0.0
00844000-00845000 rw-p 00004000 fd:00 2162905    /lib/libcap-ng.so.0.0.0
00851000-00896000 r-xp 00000000 fd:00 2162906    /lib/libdbus-1.so.3.4.0
00896000-00897000 r--p 00044000 fd:00 2162906    /lib/libdbus-1.so.3.4.0
00897000-00898000 rw-p 00045000 fd:00 2162906    /lib/libdbus-1.so.3.4.0
008a6000-008c3000 r-xp 00000000 fd:00 2162779    /lib/libgcc_s-4.4.2-20091027.so.1
008c3000-008c4000 rw-p 0001c000 fd:00 2162779    /lib/libgcc_s-4.4.2-20091027.so.1
00979000-0097d000 r-xp 00000000 fd:00 2162825    /lib/libuuid.so.1.3.0
0097d000-0097e000 rw-p 00003000 fd:00 2162825    /lib/libuuid.so.1.3.0
009a9000-009aa000 r-xp 00000000 00:00 0          [vdso]
009ec000-009f7000 r-xp 00000000 fd:00 2163143    /lib/libnss_files-2.11.so
009f7000-009f8000 r--p 0000a000 fd:00 2163143    /lib/libnss_files-2.11.so
009f8000-009f9000 rw-p 0000b000 fd:00 2163143    /lib/libnss_files-2.11.so
00af7000-00b58000 r-xp 00000000 fd:00 2401936    /usr/lib/libsndfile.so.1.0.20
00b58000-00b5a000 rw-p 00060000 fd:00 2401936    /usr/lib/libsndfile.so.1.0.20
00b5a000-00b5e000 rw-p 00000000 00:00 0 
00b60000-00ba3000 r-xp 00000000 fd:00 2402002    /usr/lib/libpulse.so.0.12.0
00ba3000-00ba4000 rw-p 00043000 fd:00 2402002    /usr/lib/libpulse.so.0.12.0
00ba6000-00bae000 r-xp 00000000 fd:00 2162957    /lib/libwrap.so.0.7.6
00bae000-00baf000 rw-p 00008000 fd:00 2162957    /lib/libwrap.so.0.7.6
00bcb000-00be4000 r-xp 00000000 fd:00 2402838    /usr/lib/libsasl2.so.2.0.23
00be4000-00be5000 rw-p 00018000 fd:00 2402838    /usr/lib/libsasl2.so.2.0.23
00c05000-00c0a000 r-xp 00000000 fd:00 2401938    /usr/lib/libasyncns.so.0.3.1
00c0a000-00c0b000 rw-p 00004000 fd:00 2401938    /usr/lib/libasyncns.so.0.3.1
00c2a000-00c31000 r-xp 00000000 fd:00 2163131    /lib/libcrypt-2.11.so
00c31000-00c32000 r--p 00007000 fd:00 2163131    /lib/libcrypt-2.11.so
00c32000-00c33000 rw-p 00008000 fd:00 2163131    /lib/libcrypt-2.11.so
00c33000-00c5a000 rw-p 00000000 00:00 0 
00dbb000-00dc2000 r-xp 00000000 fd:00 2393082    /usr/lib/libSM.so.6.0.0
00dc2000-00dc3000 rw-p 00006000 fd:00 2393082    /usr/lib/libSM.so.6.0.0
00dca000-00de1000 r-xp 00000000 fd:00 2393035    /usr/lib/libICE.so.6.3.0
00de1000-00de3000 rw-p 00016000 fd:00 2393035    /usr/lib/libICE.so.6.3.0
00de3000-00de4000 rw-p 00000000 00:00 0 
00f37000-00f7c000 r-xp 00000000 fd:00 1311602    /usr/lib/libfreebl3.so
00f7c000-00f7d000 rw-p 00044000 fd:00 1311602    /usr/lib/libfreebl3.so
00f7d000-00f81000 rw-p 00000000 00:00 0 
00f81000-02f81000 rwxp 00000000 00:00 0 
04dc2000-04dd3000 r-xp 00000000 fd:00 2394230    /usr/lib/libtasn1.so.3.1.6
04dd3000-04dd4000 rw-p 00010000 fd:00 2394230    /usr/lib/libtasn1.so.3.1.6
04de8000-04dfe000 r-xp 00000000 fd:00 2162929    /lib/libtinfo.so.5.7
04dfe000-04e01000 rw-p 00015000 fd:00 2162929    /lib/libtinfo.so.5.7
04e24000-04e29000 r-xp 00000000 fd:00 2399149    /usr/lib/libXtst.so.6.1.0
Program received signal SIGABRT, Aborted.


Running inside GDB I see

(gdb) bt
#0  0x009a9416 in __kernel_vsyscall ()
#1  0x0024da81 in raise () from /lib/libc.so.6
#2  0x0024f34a in abort () from /lib/libc.so.6
#3  0x0028ae5d in __libc_message () from /lib/libc.so.6
#4  0x00316c5d in __fortify_fail () from /lib/libc.so.6
#5  0x00314d7a in __chk_fail () from /lib/libc.so.6
#6  0x003146c9 in __vsnprintf_chk () from /lib/libc.so.6
#7  0x003145b4 in __snprintf_chk () from /lib/libc.so.6
#8  0x080c6ac0 in snprintf (__fmt=0x81bfe31 "QEMU VVFAT", __s=<value optimized out>, __n=<value optimized out>)
    at /usr/include/bits/stdio2.h:65
#9  init_directories (__fmt=0x81bfe31 "QEMU VVFAT", __s=<value optimized out>, __n=<value optimized out>) at block/vvfat.c:871
#10 vvfat_open (__fmt=0x81bfe31 "QEMU VVFAT", __s=<value optimized out>, __n=<value optimized out>) at block/vvfat.c:1068
#11 0x080b6fe8 in bdrv_open2 (bs=<value optimized out>, filename=<value optimized out>, flags=<value optimized out>, 
    drv=<value optimized out>) at block.c:417
#12 0x0805238b in drive_init (arg=<value optimized out>, snapshot=<value optimized out>, opaque=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.11.0/vl.c:2381
#13 0x080530fd in main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>)
    at /usr/src/debug/qemu-kvm-0.11.0/vl.c:5951



Looking at the code for line 8 in QEMU's  block/vvfat.c I see

    /* add volume label */
    {
        direntry_t* entry=array_get_next(&(s->directory));
        entry->attributes=0x28; /* archive | volume label */
        snprintf((char*)entry->name,11,"QEMU VVFAT");
    }


Notice how it is saying that  entry->name is 11 bytes long. This is a total lie

  typedef struct direntry_t {
    uint8_t name[8];
    uint8_t extension[3];
    uint8_t attributes;
    uint8_t reserved[2];
    uint16_t ctime;
    ....snip....


It is essentially relying on a delibrate buffer overflow into the extension field, and GCC/GLibC are quite rightly throwing up their hands in horror & abort()ing the process.


Version-Release number of selected component (if applicable):
qemu-0.11.0-11.fc12.i686

How reproducible:
Always

Steps to Reproduce:
1.# /usr/bin/qemu -fda fat:/tmp/test
2.
3.
  
Actual results:
Aborts

Expected results:
Runs !

Additional info:
Comment 1 Daniel Berrange 2009-11-17 07:36:36 EST
Of course the reason upstream QEMU does not see this behaviour is that the configure script stupidly turns off FORTIFY_SOURCE to get rid of compile warnings, including the compile warning telling them about the obvious buffer overflow :-(


In function ‘snprintf’,
    inlined from ‘init_directories’ at block/vvfat.c:871,
    inlined from ‘vvfat_open’ at block/vvfat.c:1068:
/usr/include/bits/stdio2.h:65: warning: call to __builtin___snprintf_chk will always overflow destination buffer
Comment 2 Fedora Admin XMLRPC Client 2010-03-09 12:19:03 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Bug Zapper 2010-11-04 02:17:52 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Bug Zapper 2010-12-03 22:15:46 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.