Description of problem:
cpio crashes with buffer overflow when creating a ustar archive.

Version-Release number of selected component (if applicable):
cpio-2.9.90-5.fc11.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. svn co http://svn.eionet.europa.eu/repositories/Naaya/trunk Naaya
2. cd Naaya
3. find -name .svn -prune -o -print0 | cpio -o -0 -H ustar | gzip > /dev/null

Actual results:
*** buffer overflow detected ***: cpio terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f1a6e141797]
/lib64/libc.so.6[0x7f1a6e13f7f0]
/lib64/libc.so.6(__strncpy_chk+0x17b)[0x7f1a6e13eaab]
cpio[0x409cf4]
cpio[0x405f7a]
cpio[0x4061be]
cpio[0x408a41]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f1a6e068a2d]
cpio[0x402659]
======= Memory map: ========
00400000-0041e000 r-xp 00000000 fd:00 4585 /bin/cpio
0061e000-00620000 rw-p 0001e000 fd:00 4585 /bin/cpio
01f3e000-01f5f000 rw-p 00000000 00:00 0 [heap]
7f1a68d5d000-7f1a68d76000 r-xp 00000000 fd:00 205877 /lib64/libgcc_s-4.4.1-20090729.so.1
7f1a68d76000-7f1a68f76000 ---p 00019000 fd:00 205877 /lib64/libgcc_s-4.4.1-20090729.so.1
7f1a68f76000-7f1a68f77000 rw-p 00019000 fd:00 205877 /lib64/libgcc_s-4.4.1-20090729.so.1
7f1a68f77000-7f1a6e04a000 r--p 00000000 fd:00 43255 /usr/lib/locale/locale-archive
7f1a6e04a000-7f1a6e1ae000 r-xp 00000000 fd:00 2805 /lib64/libc-2.10.1.so
7f1a6e1ae000-7f1a6e3ae000 ---p 00164000 fd:00 2805 /lib64/libc-2.10.1.so
7f1a6e3ae000-7f1a6e3b2000 r--p 00164000 fd:00 2805 /lib64/libc-2.10.1.so
7f1a6e3b2000-7f1a6e3b3000 rw-p 00168000 fd:00 2805 /lib64/libc-2.10.1.so
7f1a6e3b3000-7f1a6e3b8000 rw-p 00000000 00:00 0
7f1a6e3b8000-7f1a6e3d7000 r-xp 00000000 fd:00 10150 /lib64/ld-2.10.1.so
7f1a6e5b3000-7f1a6e5b5000 rw-p 00000000 00:00 0
7f1a6e5d3000-7f1a6e5d6000 rw-p 00000000 00:00 0
7f1a6e5d6000-7f1a6e5d7000 r--p 0001e000 fd:00 10150 /lib64/ld-2.10.1.so
7f1a6e5d7000-7f1a6e5d8000 rw-p 0001f000 fd:00 10150 /lib64/ld-2.10.1.so
7fff3a70e000-7fff3a723000 rw-p 00000000 00:00 0 [stack]
7fff3a7e0000-7fff3a7e1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Expected results:
No errors

Additional info:
"cpio -o -0 -H newc" works fine.
I have glibc-2.10.1-5.x86_64 and libgcc-4.4.1-2.fc11.x86_64 on my system.
Thanks for report, will check it.
Bad luck, doesn't crash on my machine, could you please install cpio debuginfo package and post the backtrace again? It would be good to have all the symbols... I'll try to reproduce it elsewhere, but this could take some time.
Created attachment 374886 [details]
backtrace

Backtrace of the crash is pretty useless since it's full of <value optimized out>. So I tried to recompile cpio with -O0, but then it was no longer possible to reproduce the crash. So I rebuilt the sources with the original CFLAGS and, to my surprise, it also seemed to work, running through valgrind without any memory error detected. This means only the rebuild of cpio has resolved the problem on my box. I'll try to investigate it further.
... and now yet another surprise. I tried to rebuild it on Koji with/without optimization:

http://koji.fedoraproject.org/koji/taskinfo?taskID=1839121
http://koji.fedoraproject.org/koji/taskinfo?taskID=1839139

And the results are as follows:

1) the -O0 build from Koji works (zero errors reported by valgrind)
2) the -O2 build from Koji causes the stack overflow

Not yet tested if the results are random or reproducible ... however this looks like gcc/glibc stack protection magic to me.
(In reply to comment #3)
> Backtrace of the crash is pretty useless since it's full of <value optimized
> out>.

Indeed. Here's an analysis of the core dumped when archiving revision 13673 of the repository:

$ gdb /bin/cpio core.18274
GNU gdb (GDB) Fedora (6.8.50.20090302-39.fc11)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib64/libc-2.10.1.so...Reading symbols from /usr/lib/debug/lib64/libc-2.10.1.so.debug...done.
done.
Loaded symbols for /lib64/libc-2.10.1.so
Reading symbols from /lib64/ld-2.10.1.so...Reading symbols from /usr/lib/debug/lib64/ld-2.10.1.so.debug...done.
done.
Loaded symbols for /lib64/ld-2.10.1.so
Reading symbols from /lib64/libgcc_s-4.4.1-20090729.so.1...Reading symbols from /usr/lib/debug/lib64/libgcc_s-4.4.1-20090729.so.1.debug...done.
done.
Loaded symbols for /lib64/libgcc_s-4.4.1-20090729.so.1
Core was generated by `cpio -o -0 -H ustar'.
Program terminated with signal 6, Aborted.
#0  0x00007f6b746f02f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) thread apply all bt full

Thread 1 (Thread 18274):
#0  0x00007f6b746f02f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007f6b746f1b20 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0x300000009, sa_sigaction = 0x300000009}, sa_mask = {__val = {140733429945008, 140733429944864, 140733429945056, 140733429953195, 4, 140099492714028, 3, 140733429945066, 6, 140099492714032, 2, 140733429945054, 2, 140099492705269, 1, 140099492714028}}, sa_flags = 3, sa_restorer = 0x7fff0e1992e4}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f6b7472d05d in __libc_message (do_abort=2, fmt=0x7fff0e199490 ' ' <repeats 11 times>, "/lib64/libc-2.10.1.so\n7f6b74a26000-7f6b74a2b000 rw-p 00000000 00:00 0 \n7f6b74a2b000-7f6b74a4a000 r-xp 00000000 fd:00 10150", ' ' <repeats 22 times>, "/lib64/ld-2.10.1.so\n7f6b74c26000-7f6b74c28000"...) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
        ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fff0e199bc0, reg_save_area = 0x7fff0e199ad0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff0e199bc0, reg_save_area = 0x7fff0e199ad0}}
        fd = 3
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = <value optimized out>
        cp = <value optimized out>
        written = 6
#3  0x00007f6b747b4797 in *__GI___fortify_fail (msg=0x7f6b747f1633 "buffer overflow detected") at fortify_fail.c:32
No locals.
#4  0x00007f6b747b27f0 in *__GI___chk_fail () at chk_fail.c:29
No locals.
#5  0x00007f6b747b1aab in __strncpy_chk (s1=0x0, s2=0x4762 <Address 0x4762 out of bounds>, n=6, s1len=18446744073709551615) at strncpy_chk.c:34
        c = <value optimized out>
#6  0x0000000000409cf4 in strncpy (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at /usr/include/bits/string3.h:122
No locals.
#7  write_out_tar_header (__len=<value optimized out>, __src=<value optimized out>, __dest=<value optimized out>) at tar.c:220
        name = <value optimized out>
        name_len = <value optimized out>
        tar_rec = {header = {name = "./", '\0' <repeats 97 times>, mode = "0000775", uid = "0000764", gid = "0000764", size = '0' <repeats 11 times>, mtime = "11305167750", chksum = "\0\0\0\0\0\0\0", typeflag = 53 '5', linkname = '\0' <repeats 99 times>, magic = "ustar", version = "\0", uname = '\0' <repeats 31 times>, gname = '\0' <repeats 31 times>, devmajor = "\0\0\0\0\0\0\0", devminor = "\0\0\0\0\0\0\0", prefix = '\0' <repeats 154 times>}, buffer = "./", '\0' <repeats 98 times>, "0000775\0\60\60\60\60\67\66\64\0\60\60\60\60\67\66\64\0", '0' <repeats 11 times>, "\0\61\61\63\60\65\61\66\67\67\65\60\0\0\0\0\0\0\0\0\0\65", '\0' <repeats 100 times>, "ustar", '\0' <repeats 249 times>}
#8  0x0000000000405f7a in write_out_header (file_hdr=0x7fff0e199fc0, out_des=1) at copyout.c:565
        dev = <value optimized out>
        rdev = <value optimized out>
#9  0x00000000004061be in process_copy_out () at copyout.c:800
        input_name = {ds_length = 128, ds_string = 0x13a9450 "./"}
        file_stat = {st_dev = 64769, st_ino = 34466625, st_nlink = 5, st_mode = 16893, st_uid = 500, st_gid = 500, __pad0 = 0, st_rdev = 0, st_size = 40, st_blksize = 4096, st_blocks = 0, st_atim = {tv_sec = 1259663693, tv_nsec = 208719983}, st_mtim = {tv_sec = 1259663336, tv_nsec = 738722501}, st_ctim = {tv_sec = 1259663336, tv_nsec = 738722501}, __unused = {0, 0, 0}}
        file_hdr = {c_magic = 29127, c_ino = 34466625, c_mode = 16893, c_uid = 500, c_gid = 500, c_nlink = 5, c_mtime = 1259663336, c_filesize = 0, c_dev_maj = 253, c_dev_min = 1, c_rdev_maj = 0, c_rdev_min = 0, c_namesize = 3, c_chksum = 0, c_name = 0x13a9450 "./", c_tar_linkname = 0x0}
        in_file_des = <value optimized out>
        out_file_des = 1
        orig_file_name = 0x13a94e0 "./"
#10 0x0000000000408a41 in main (argc=5, argv=0x7fff0e19a188) at main.c:797
No locals.
Current language:  auto; currently minimal
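Editor's note on the backtrace above: __strncpy_chk is the glibc _FORTIFY_SOURCE wrapper that GCC substitutes for strncpy when the destination's size is known at compile time; it aborts with "buffer overflow detected" as soon as the length argument exceeds that size, before any byte is written. GCC only emits these wrappers when optimizing, which is consistent with the -O0 builds in this thread not reproducing the abort. Frame #7 shows the destination is a field of the fixed-width ustar header (name[100], prefix[155]). The block below is an added example, not cpio's code, showing how to fill those two fields so that every copy length is bounded by the field size rather than by the input path; the struct layout follows the POSIX ustar header, and the sample paths are constructed for illustration.

```c
/* Added example (not from cpio): bounds-checked population of the ustar
 * name/prefix fields. Compiling with -O2 -D_FORTIFY_SOURCE=2 turns any
 * strncpy/memcpy whose length exceeds the field size into an abort like the
 * one in the bug report; this code never passes such a length. */
#include <stdio.h>
#include <string.h>

#define TARNAMESIZE   100
#define TARPREFIXSIZE 155

struct ustar_header {            /* POSIX ustar header, 512 bytes */
    char name[TARNAMESIZE];
    char mode[8], uid[8], gid[8];
    char size[12], mtime[12];
    char chksum[8];
    char typeflag;
    char linkname[100];
    char magic[6], version[2];
    char uname[32], gname[32];
    char devmajor[8], devminor[8];
    char prefix[TARPREFIXSIZE];
    char pad[12];
};

/* Choose a split point "prefix/name" such that prefix fits in 155 bytes and
 * name in 100 bytes. Returns 0 and sets *prefix_len/*name_len on success
 * (prefix_len == 0 means the prefix field stays empty), -1 if the path is
 * not representable in ustar. */
static int ustar_split_name(const char *path, size_t *prefix_len, size_t *name_len)
{
    size_t len = strlen(path);
    if (len <= TARNAMESIZE) {
        *prefix_len = 0;
        *name_len = len;
        return 0;
    }
    /* The name part starts at index i and must be <= TARNAMESIZE bytes, so
     * i >= len - TARNAMESIZE. Walk forward until path[i-1] is a '/'. */
    size_t i = len - TARNAMESIZE;
    if (i < 2)
        i = 2;                      /* prefix must be non-empty */
    for (; i < len; i++) {
        if (i - 1 > TARPREFIXSIZE)
            break;                  /* prefix would overflow its field */
        if (path[i - 1] == '/') {
            *prefix_len = i - 1;
            *name_len = len - i;
            return 0;
        }
    }
    return -1;
}

/* Store PATH into the header; copy lengths come from the split, which is
 * already bounded by the field sizes, so no fortified call can trip. */
static int ustar_set_name(struct ustar_header *h, const char *path)
{
    size_t plen, nlen;
    if (ustar_split_name(path, &plen, &nlen) != 0)
        return -1;
    memset(h->name, 0, sizeof h->name);
    memset(h->prefix, 0, sizeof h->prefix);
    memcpy(h->name, path + (plen ? plen + 1 : 0), nlen);
    if (plen)
        memcpy(h->prefix, path, plen);
    return 0;
}

/* Length of a header field that need not be NUL-terminated when full. */
static size_t field_len(const char *f, size_t max)
{
    size_t n = 0;
    while (n < max && f[n])
        n++;
    return n;
}

/* Reassemble "prefix/name" from a header into OUT. */
static int ustar_get_path(const struct ustar_header *h, char *out, size_t outsz)
{
    size_t plen = field_len(h->prefix, sizeof h->prefix);
    size_t nlen = field_len(h->name, sizeof h->name);
    size_t need = plen + (plen ? 1 : 0) + nlen + 1;
    if (need > outsz)
        return -1;
    if (plen) {
        memcpy(out, h->prefix, plen);
        out[plen] = '/';
        memcpy(out + plen + 1, h->name, nlen);
    } else {
        memcpy(out, h->name, nlen);
    }
    out[need - 1] = '\0';
    return 0;
}

/* Prefix length chosen for PATH, or -1 if it cannot be stored. */
static long ustar_prefix_len(const char *path)
{
    size_t p, n;
    return ustar_split_name(path, &p, &n) == 0 ? (long)p : -1;
}

/* 1 if PATH survives a store/load round trip through a header, else 0. */
static int ustar_roundtrip(const char *path)
{
    struct ustar_header h;
    char back[TARPREFIXSIZE + 1 + TARNAMESIZE + 1];
    memset(&h, 0, sizeof h);
    if (ustar_set_name(&h, path) != 0)
        return 0;
    if (ustar_get_path(&h, back, sizeof back) != 0)
        return 0;
    return strcmp(back, path) == 0;
}

/* Constructed sample inputs (not taken from the bug report). */
#define A20  "aaaaaaaaaaaaaaaaaaaa"
#define A100 A20 A20 A20 A20 A20
static const char SAMPLE_SHORT[]  = "./";                     /* the path in frame #9 */
static const char SAMPLE_100[]    = A100;                     /* exactly TARNAMESIZE */
static const char SAMPLE_101[]    = A100 "b";                 /* too long, no '/' to split at */
static const char SAMPLE_SPLIT[]  = "Naaya/trunk/" A100;      /* prefix "Naaya/trunk" */
static const char SAMPLE_BIGPFX[] = A100 A20 A20 A20 "/x";    /* 160-byte prefix, too long */

int main(void)
{
    const char *samples[] = { SAMPLE_SHORT, SAMPLE_100, SAMPLE_101, SAMPLE_SPLIT, SAMPLE_BIGPFX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=%3zu prefix_len=%4ld roundtrip=%d\n", strlen(samples[i]),
               ustar_prefix_len(samples[i]), ustar_roundtrip(samples[i]));
    return 0;
}
```

The point of the split function is that the caller never derives a copy length from the input alone: a path that cannot be split into a prefix of at most 155 bytes and a name of at most 100 bytes is rejected up front, instead of reaching a strncpy whose length only a fortified build would catch.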
aaah... I see... great, thanks a lot, that should be easy to fix...
cpio-2.9.90-6.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/cpio-2.9.90-6.fc11
The new version works fine. Thank you.
cpio-2.9.90-6.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.