Bug 635559 - buffer overflow in star revisited
Summary: buffer overflow in star revisited
Keywords:
Status: CLOSED DUPLICATE of bug 611402
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: star
Version: 6.1
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Ondrej Vasik
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 632384
Blocks:
Reported: 2010-09-20 07:31 UTC by Ondrej Vasik
Modified: 2011-06-03 10:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 632384
Environment:
Last Closed: 2011-06-03 10:30:39 UTC
Target Upstream Version:
Embargoed:



Description Ondrej Vasik 2010-09-20 07:31:01 UTC
+++ This bug was initially created as a clone of Bug #632384 +++

Description of problem:


same as bug 556664 for f12

my stacktrace :

*** buffer overflow detected ***: star terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x2e3fcd]
/lib/libc.so.6[0x2e1ffa]
/lib/libc.so.6(__strcpy_chk+0x44)[0x2e12d4]
star[0x806e15d]
star[0x805d9e4]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805e7fe]
star[0x805eb7f]
star[0x804c201]
star[0x804ecbb]
/lib/libc.so.6(__libc_start_main+0xe6)[0x202cc6]
star[0x804a121]

invoking command :

star -c -v -time -fifostats -multivol VOLHDR="2010_09_09__18_37 DATA" new-volume-script=/rbin/mtchgR.pl f=/dev/nst0 H=exustar -xfflags -xattr -sparse fs=384m errctl=/tmp/s2t.61pDJmbmKd -C /srv/save samba grass streeruwitz IMG2

/tmp/s2t.61pDJmbmKd :

GETXATTR *
GETACL *
READLINK *
MISSLINK *
SPECIALFILE *

last path processed :

a samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2002_1_quartal_metadaten_forschung_und_lehre_LatestReleased_021828.zip 2137684 bytes, 4176 tape blocks

yield ERRNO 134

------------------------

rpm -qv star : star-1.5.1-2.fc13.i686

/usr/bin/star --version : star: star 1.5.1 (i686-redhat-linux-gnu)

coredump-file (abrt) available upon request ;-))

--- Additional comment from ovasik on 2010-09-11 07:18:09 EDT ---

Thanks for report - I don't think that this is dupe of #556664 - as that bug was fixed in f13 branch as well ... see http://pkgs.fedoraproject.org/gitweb/?p=star.git;a=shortlog;h=refs/heads/f13/master and changelog of star-1.5.1-2.fc13 package. Maybe another instance or incomplete fix...

Could you please provide backtrace with star debuginfo installed? TIA.

--- Additional comment from wolfgang.pichler.ac.at on 2010-09-11 08:01:26 EDT ---

#0  0x00ba3416 in __kernel_vsyscall ()
#1  0x00216d11 in raise () from /lib/libc.so.6
#2  0x002185ea in abort () from /lib/libc.so.6
#3  0x00254b9d in __libc_message () from /lib/libc.so.6
#4  0x002e3fcd in __fortify_fail () from /lib/libc.so.6
#5  0x002e1ffa in __chk_fail () from /lib/libc.so.6
#6  0x002e12d4 in __strcpy_chk () from /lib/libc.so.6
#7  0x0806e15d in strcpy (info=0xbfd9216c, ptb=0xbfd91eec)
    at /usr/include/bits/string3.h:107
#8  name_to_tcb (info=0xbfd9216c, ptb=0xbfd91eec) at longnames.c:201
#9  0x0805d9e4 in createi (
    sname=0xbfd9425a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2004_2_quartal_metadaten_arbeitsorganisation_und_arbeitszeitgestaltung__LatestReleased_021833.zip",
    name=0xbfd9425a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/mz_2004_2_quartal_metadaten_arbeitsorganisation_und_arbeitszeitgestaltung__LatestReleased_021833.zip", namlen=169, info=0xbfd9216c, last=0xbfd92234)
    at create.c:556
#10 0x0805e7fe in put_dir (
    sname=0xbfd985ca "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip", name=<value optimized out>, namlen=69, info=0xbfd964dc,
    last=0xbfd965a4) at create.c:1648
#11 createi (
    sname=0xbfd985ca "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip", name=<value optimized out>, namlen=69, info=0xbfd964dc,
    last=0xbfd965a4) at create.c:580
#12 0x0805e7fe in put_dir (
    sname=0xbfd9c93a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus", name=<value optimized out>, namlen=65, info=0xbfd9a84c,
    last=0xbfd9a914) at create.c:1648
#13 createi (
    sname=0xbfd9c93a "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus", name=<value optimized out>, namlen=65, info=0xbfd9a84c,
    last=0xbfd9a914) at create.c:580
#14 0x0805e7fe in put_dir (
    sname=0xbfda0caa "samba/public/other/Leth/PENDOways2go/DATEN/testdaten",
    name=<value optimized out>, namlen=53, info=0xbfd9ebbc, last=0xbfd9ec84)
    at create.c:1648
#15 createi (
    sname=0xbfda0caa "samba/public/other/Leth/PENDOways2go/DATEN/testdaten",
    name=<value optimized out>, namlen=53, info=0xbfd9ebbc, last=0xbfd9ec84)
    at create.c:580
#16 0x0805e7fe in put_dir (
    sname=0xbfda501a "samba/public/other/Leth/PENDOways2go/DATEN",
    name=<value optimized out>, namlen=43, info=0xbfda2f2c, last=0xbfda2ff4)
    at create.c:1648
#17 createi (sname=0xbfda501a "samba/public/other/Leth/PENDOways2go/DATEN",
    name=<value optimized out>, namlen=43, info=0xbfda2f2c, last=0xbfda2ff4)
    at create.c:580
#18 0x0805e7fe in put_dir (
    sname=0xbfda938a "samba/public/other/Leth/PENDOways2go",
    name=<value optimized out>, namlen=37, info=0xbfda729c, last=0xbfda7364)
    at create.c:1648
#19 createi (sname=0xbfda938a "samba/public/other/Leth/PENDOways2go",
    name=<value optimized out>, namlen=37, info=0xbfda729c, last=0xbfda7364)
    at create.c:580
#20 0x0805e7fe in put_dir (sname=0xbfdad6fa "samba/public/other/Leth",
    name=<value optimized out>, namlen=24, info=0xbfdab60c, last=0xbfdab6d4)
    at create.c:1648
#21 createi (sname=0xbfdad6fa "samba/public/other/Leth",
    name=<value optimized out>, namlen=24, info=0xbfdab60c, last=0xbfdab6d4)
    at create.c:580
#22 0x0805e7fe in put_dir (sname=0xbfdb1a6a "samba/public/other",
    name=<value optimized out>, namlen=19, info=0xbfdaf97c, last=0xbfdafa44)
    at create.c:1648
#23 createi (sname=0xbfdb1a6a "samba/public/other",
    name=<value optimized out>, namlen=19, info=0xbfdaf97c, last=0xbfdafa44)
    at create.c:580
#24 0x0805e7fe in put_dir (sname=0xbfdb5dda "samba/public",
    name=<value optimized out>, namlen=13, info=0xbfdb3cec, last=0xbfdb3db4)
    at create.c:1648
#25 createi (sname=0xbfdb5dda "samba/public", name=<value optimized out>,
    namlen=13, info=0xbfdb3cec, last=0xbfdb3db4) at create.c:580
#26 0x0805e7fe in put_dir (sname=0xbfdba338 "samba",
    name=<value optimized out>, namlen=6, info=0xbfdb8018, last=0x0)
    at create.c:1648
#27 createi (sname=0xbfdba338 "samba", name=<value optimized out>, namlen=6,
    info=0xbfdb8018, last=0x0) at create.c:580
#28 0x0805eb7f in create (name=0xbfdba338 "samba", Hflag=0, forceadd=0)
    at create.c:472
#29 0x0804c201 in star_create (ac=4, av=0xbfdb8388) at star.c:775
#30 0x0804ecbb in main (ac=21, av=0xbfdb8344) at star.c:546


greez w

--- Additional comment from ovasik on 2010-09-13 10:51:42 EDT ---

Thanks, so it is same issue but on different line ... will fix that soon...

--- Additional comment from wolfgang.pichler.ac.at on 2010-09-13 15:48:30 EDT ---

great
next run of star is scheduled thu 18:00 mest ;-))

--- Additional comment from updates on 2010-09-15 10:06:19 EDT ---

star-1.5.1-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/star-1.5.1-4.fc14

--- Additional comment from updates on 2010-09-15 10:08:17 EDT ---

star-1.5.1-4.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/star-1.5.1-4.fc13

--- Additional comment from updates on 2010-09-15 18:33:13 EDT ---

star-1.5.1-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update star'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/star-1.5.1-4.fc13

--- Additional comment from wolfgang.pichler.ac.at on 2010-09-16 03:46:42 EDT ---

(In reply to comment #7)

thank you for the fast patch - i'll test it today /w approx 700gb ...

Comment 2 Suzanne Logcher 2011-02-15 21:42:47 UTC
This issue was proposed for RHEL 6.1 FasTrack but did not get resolved in time.
It has been moved to RHEL 6.2 FasTrack.

Comment 3 wolfgang pichler 2011-02-16 06:31:15 UTC
bug is not more reproducible since upgrade to fc14

i suppose eof-handling change in st-driver-code was improved so star was not disrupted by funny things bumped up from this special dlt-v4 device i use with star ...
... but i have no evidence for this : it is an assumption, not more

i would suggest to close the bug
if it occurs again i am prepared to reopen it again and we can start over again

Comment 4 Ondrej Vasik 2011-02-16 07:12:11 UTC
That bugzilla is about RHEL-6 - and is tracking the issue there. In RHEL-6 it was still not fixed because of the limited capacity for updates. Of course, in Fedora it is already fixed for a long time. Feel free to remove yourself from the CC list if you are not interested in watching the situation for RHEL-6.

Comment 7 Ondrej Vasik 2011-06-03 10:30:39 UTC
Could be considered as duplicate - as these two are closely related (same issue but on different places of source code) ... let's simplify it and mark it as dup.

*** This bug has been marked as a duplicate of bug 611402 ***
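
Added example (not part of the original report and not star's code): frames #6 to #8 show strcpy() inside name_to_tcb() tripping glibc's __strcpy_chk, and the file name component of the path in frame #9 is exactly 100 characters long, so a strcpy() of it needs 101 bytes. The C code below copies by length into fixed-size header fields instead and reports failure when nothing fits. The 100/155-byte sizes are the POSIX ustar values, `split_ustar_name` is a hypothetical helper, and that longnames.c:201 copies into a field of this size is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* POSIX ustar field sizes (standard values; not taken from star's source). */
#define NAME_LEN   100
#define PREFIX_LEN 155

/* Constructed sample: the 169-character path shown in frame #9. */
static const char SAMPLE_PATH[] =
    "samba/public/other/Leth/PENDOways2go/DATEN/testdaten/Mikrozensus/zip/"
    "mz_2004_2_quartal_metadaten_arbeitsorganisation_und_"
    "arbeitszeitgestaltung__LatestReleased_021833.zip";

/*
 * Hypothetical helper: split path into ustar prefix and name fields.
 * Both fields are zero-filled and filled by length, so a component that
 * is exactly NAME_LEN bytes long is stored without a terminating NUL;
 * strcpy() would write that NUL one byte past the end of the field.
 * Returns 0 on success, -1 when no '/' gives a split that fits.
 */
int split_ustar_name(const char *path, char name[NAME_LEN],
                     char prefix[PREFIX_LEN])
{
    size_t len = strlen(path), lo;

    memset(name, 0, NAME_LEN);
    memset(prefix, 0, PREFIX_LEN);
    if (len <= NAME_LEN) {                 /* whole path fits in name */
        memcpy(name, path, len);
        return 0;
    }
    lo = len - NAME_LEN - 1;               /* first index leaving a tail <= NAME_LEN */
    for (size_t i = lo ? lo : 1; i <= PREFIX_LEN && i + 1 < len; i++) {
        if (path[i] == '/') {
            memcpy(prefix, path, i);                  /* i <= PREFIX_LEN */
            memcpy(name, path + i + 1, len - i - 1);  /* <= NAME_LEN */
            return 0;
        }
    }
    return -1;                             /* no split fits both fields */
}

int main(void)
{
    char name[NAME_LEN], prefix[PREFIX_LEN];
    int rc = split_ustar_name(SAMPLE_PATH, name, prefix);
    printf("rc=%d prefix=%.*s\nname=%.*s\n", rc, PREFIX_LEN, prefix, NAME_LEN, name);
    return 0;
}
```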

