Bug 596264 - Segfault when decoding DMI data in dmi_processor_id()
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: python-dmidecode
Version: 5.5
Hardware: All Linux
Priority: urgent
Severity: high
Target Milestone: rc
Assigned To: Roman Rakus
QA Contact: qe-baseos-daemons
Keywords: ZStream
Depends On: 583867
Blocks: 1058872 596133 621146 621837

Reported: 2010-05-26 09:36 EDT by David Sommerseth
Modified: 2016-05-22 19:30 EDT
Doc Type: Bug Fix
Clone Of: 583867
: 621146 627901 1058872 1058873
Last Closed: 2013-09-23 07:19:09 EDT

Attachments
Patch fixing the SEGV issue (1.47 KB, text/plain)
2010-05-26 09:58 EDT, David Sommerseth
strace of command (113.91 KB, application/octet-stream)
2010-08-31 09:27 EDT, Jan Ščotka
Patches fixing dmi_string() NULL issues (31.62 KB, text/plain)
2011-01-06 10:53 EST, David Sommerseth
Comment 1 David Sommerseth 2010-05-26 09:58:13 EDT
Created attachment 416844
Patch fixing the SEGV issue
Comment 2 David Sommerseth 2010-05-26 10:00:47 EDT
The attached patch is sent upstream for inclusion.  Will expect an answer in a couple of days.  A new python-dmidecode version is expected to land shortly afterwards.
Comment 11 Jan Ščotka 2010-08-31 09:27:56 EDT
Created attachment 442185
strace of command

Hi,
it is the same as in the bug in RHEL5
https://bugzilla.redhat.com/show_bug.cgi?id=596264
The problem is probably somewhere in python-dmidecode.

When it causes the segmentation fault:
# rpm -qa python-dmidecode
python-dmidecode-3.10.12-1.el6.x86_64

Used the DMI binary dump file from the bug above.
The last few lines from strace:
_____________________________________________
fstat(4, {st_mode=S_IFREG|0755, st_size=185072, ...}) = 0
open("/usr/lib64/python2.6/site-packages/dmidecodemod.so", O_RDONLY) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\321\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=185072, ...}) = 0
mmap(NULL, 2280264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f811426f000
mprotect(0x7f8114298000, 2097152, PROT_NONE) = 0
mmap(0x7f8114498000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x29000) = 0x7f8114498000
close(5)                                = 0
open("/sys/firmware/efi/systab", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/efi/systab", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("/dev/mem", O_RDONLY)              = 5
mmap(NULL, 65536, PROT_READ, MAP_SHARED, 5, 0xf0000) = 0x7f811bb06000
munmap(0x7f811bb06000, 65536)           = 0
close(5)                                = 0
close(4)                                = 0
close(3)                                = 0
stat("dmi.dmp", {st_mode=S_IFREG|0664, st_size=1755, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
open("/usr/share/python-dmidecode/pymap.xml", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f811bb15000
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 16384) = 16384
lseek(3, 0, SEEK_CUR)                   = 16384
lseek(3, 0, SEEK_SET)                   = 0
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 4096) = 4096
read(3, "ze\"/>\n      </Map>\n    </TypeMap"..., 4096) = 4096
read(3, "luetype=\"dict\">\n          <Map k"..., 4096) = 4096
read(3, "mory Module Size\"\n              "..., 4096) = 4096
read(3, "     <Map keytype=\"constant\" key"..., 4096) = 4096
brk(0x2350000)                          = 0x2350000
read(3, "nabled\"     valuetype=\"boolean\" "..., 4096) = 4096
read(3, "stant\" key=\"Data Start Offset\" v"..., 4096) = 4096
brk(0x2371000)                          = 0x2371000
read(3, "e=\"dict\">\n        <Map keytype=\""..., 4096) = 4096
read(3, "ct\">\n          <Map keytype=\"con"..., 4096) = 4096
read(3, "      valuetype=\"string\" value=\""..., 4096) = 4096
brk(0x2392000)                          = 0x2392000
read(3, "ing\" value=\"Description\"/>\n     "..., 4096) = 4096
read(3, "ement Device Threshold Data -->\n"..., 4096) = 3995
brk(0x23b3000)                          = 0x23b3000
read(3, "", 4096)                       = 0
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f811bb15000, 4096)            = 0
access("dmi.dmp", R_OK)                 = 0
open("dmi.dmp", O_RDONLY)               = 3
mmap(NULL, 32, PROT_READ, MAP_SHARED, 3, 0) = 0x7f811bb15000
munmap(0x7f811bb15000, 32)              = 0
close(3)                                = 0
open("dmi.dmp", O_RDONLY)               = 3
mmap(NULL, 1755, PROT_READ, MAP_SHARED, 3, 0) = 0x7f811bb15000
munmap(0x7f811bb15000, 1755)            = 0
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
Comment 21 David Sommerseth 2011-01-06 10:53:37 EST
Created attachment 472083
Patches fixing dmi_string() NULL issues

This is a new patch, which should solve the NULL issues we've seen related to dmi_string() in a much better way.

This patch includes the patch found in attachment #416844 and a different solution for the attachment #471968.

-----------------------------------------------------------------------
commit 7253bbeed7f6d00bd796019d79dc1fe0a805fa8e
Author: David Sommerseth <davids@redhat.com>
Date:   Wed May 26 15:39:19 2010 +0200

    Fixed an issue causing SEGV on some hardware when dmi_processor_id() is called
    
    The dmi_processor_id() function did not check the char *version pointer if it
    was NULL before doing strcmp().  On some hardware, *version will be NULL.


commit 10a2d8bd43934966dd842fd8f401f0d679d0d66a
Author: David Sommerseth <davids@redhat.com>
Date:   Thu Jan 6 13:44:25 2011 +0100

    Implemented dmixml_AddDMIstring()
    
    This function can be used instead of dmi_string() and
    dmixml_AddTextChild().  In those cases where dmi_string() returns
    NULL, this situation is handled more gracefully.  In addition of
    also handling "not specified" situations better as well.
    
    Signed-off-by: David Sommerseth <davids@redhat.com>


commit 734d025ce6503851447f5a3dd08b107425f8b515
Author: David Sommerseth <davids@redhat.com>
Date:   Thu Jan 6 13:47:42 2011 +0100

    Make use of dmixml_AddDMIstring() where possible
    
    This modifies the core DMI decoding to make use of the new
    dmixml_AddDMIstring() function instead of the older, more error prone
    approach of dmi_string() and dmixml_AddTextChild().
    
    Signed-off-by: David Sommerseth <davids@redhat.com>


commit d6987c53d3648d85e410ef81a343867e239eb960
Author: David Sommerseth <davids@redhat.com>
Date:   Thu Jan 6 15:56:24 2011 +0100

    Harden dmi_string() calls with better NULL checks
    
    This patch fixes more potential issues where dmi_string() results
    was not necessarily checked for NULL, which potentially could lead
    to SEGV issues.
    
    Signed-off-by: David Sommerseth <davids@redhat.com>
-----------------------------------------------------------------------

All these patches are sent upstream and commit 7253bbeed7f6d00bd796019d79dc1fe0a805fa8e is already accepted and can be found in python-dmidecode-3.10.13.
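
The NULL-handling pattern the commits above describe, as an added example in C that is not python-dmidecode's own code: a string lookup that returns NULL for a missing entry, a guarded compare, and a fallback wrapper. The names smbios_rec, smbios_string, version_is and string_or, the "(not specified)" fallback text and the sample tables are assumptions made for illustration; the layout (formatted area followed by NUL-terminated strings, index 0 meaning "no string") is a simplified form of SMBIOS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct smbios_rec {       /* simplified view of one structure (hypothetical) */
    const uint8_t *data;  /* data[1] holds the formatted-area length */
    size_t size;          /* formatted area plus trailing string set */
};

/* Constructed samples: 4-byte header, then the NUL-separated string set. */
static const uint8_t WITH_STRINGS[] = "\x04\x04\x00\x00" "Pentium III\0" "Xeon\0";
static const uint8_t NO_STRINGS[]   = "\x04\x04\x00\x00" "\0";

/* String number idx (1-based), or NULL when idx is 0 or not in the set. */
static const char *smbios_string(const struct smbios_rec *r, uint8_t idx)
{
    if (idx == 0 || r->size < 2 || r->data[1] >= r->size)
        return NULL;
    const char *p = (const char *)r->data + r->data[1];
    const char *end = (const char *)r->data + r->size;
    while (p < end && *p != '\0') {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        if (nul == NULL || --idx == 0)
            return nul != NULL ? p : NULL;  /* unterminated counts as absent */
        p = nul + 1;
    }
    return NULL;
}

/* Guarded compare: an unguarded strcmp() on the result dereferences NULL. */
static int version_is(const struct smbios_rec *r, uint8_t idx, const char *want)
{
    const char *v = smbios_string(r, idx);
    return v != NULL && strcmp(v, want) == 0;
}

/* Fallback wrapper so output code never receives NULL. */
static const char *string_or(const struct smbios_rec *r, uint8_t idx, const char *dflt)
{
    const char *v = smbios_string(r, idx);
    return v != NULL ? v : dflt;
}

int main(void)
{
    struct smbios_rec bad = { NO_STRINGS, sizeof NO_STRINGS };
    printf("version: %s\n", string_or(&bad, 1, "(not specified)"));
    return version_is(&bad, 1, "Pentium III");  /* 0: no match, no crash */
}
```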
