Created attachment 451139 [details] core file Description of problem: When calling hal-disable-pooling --device /dev/cdrom you obtain a buffer overflow overflow Note : ls -la /dev/cdrom lrwxrwxrwx. 1 root root 3 Oct 2 00:21 /dev/cdrom -> sr0 If you call it with /dev/sr0 it behaves as expected. If you call it with /dev/cdrom you get: /usr/bin/hal-disable-polling --device /dev/cdrom *** buffer overflow detected ***: /usr/bin/hal-disable-polling terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x7fed911642a7] /lib64/libc.so.6(+0xf91a0)[0x7fed911621a0] /lib64/libc.so.6(+0xf97eb)[0x7fed911627eb] /usr/bin/hal-disable-polling[0x40149a] /lib64/libc.so.6(__libc_start_main+0xfd)[0x7fed91087c5d] /usr/bin/hal-disable-polling[0x400e59] ======= Memory map: ======== 00400000-00403000 r-xp 00000000 fd:00 1757162 /usr/bin/hal-disable-polling 00602000-00603000 rw-p 00002000 fd:00 1757162 /usr/bin/hal-disable-polling 01452000-01473000 rw-p 00000000 00:00 0 [heap] 3654c00000-3654cfb000 r-xp 00000000 fd:00 1178029 /lib64/libglib-2.0.so.0.2400.1 3654cfb000-3654efa000 ---p 000fb000 fd:00 1178029 /lib64/libglib-2.0.so.0.2400.1 3654efa000-3654efc000 rw-p 000fa000 fd:00 1178029 /lib64/libglib-2.0.so.0.2400.1 3657c00000-3657c40000 r-xp 00000000 fd:00 1178038 /lib64/libdbus-1.so.3.4.0 3657c40000-3657e3f000 ---p 00040000 fd:00 1178038 /lib64/libdbus-1.so.3.4.0 3657e3f000-3657e40000 r--p 0003f000 fd:00 1178038 /lib64/libdbus-1.so.3.4.0 3657e40000-3657e41000 rw-p 00040000 fd:00 1178038 /lib64/libdbus-1.so.3.4.0 3658400000-3658410000 r-xp 00000000 fd:00 1711617 /usr/lib64/libhal.so.1.0.0 3658410000-365860f000 ---p 00010000 fd:00 1711617 /usr/lib64/libhal.so.1.0.0 365860f000-3658610000 rw-p 0000f000 fd:00 1711617 /usr/lib64/libhal.so.1.0.0 7fed90c4b000-7fed90c61000 r-xp 00000000 fd:00 1177346 /lib64/libgcc_s-4.4.4-20100630.so.1 7fed90c61000-7fed90e60000 ---p 00016000 fd:00 1177346 /lib64/libgcc_s-4.4.4-20100630.so.1 7fed90e60000-7fed90e61000 rw-p 00015000 fd:00 1177346 /lib64/libgcc_s-4.4.4-20100630.so.1 7fed90e61000-7fed90e68000 r-xp 00000000 fd:00 1177386 /lib64/librt-2.12.1.so 7fed90e68000-7fed91067000 ---p 00007000 fd:00 1177386 /lib64/librt-2.12.1.so 7fed91067000-7fed91068000 r--p 00006000 fd:00 1177386 /lib64/librt-2.12.1.so 7fed91068000-7fed91069000 rw-p 00007000 fd:00 1177386 /lib64/librt-2.12.1.so 7fed91069000-7fed911de000 r-xp 00000000 fd:00 1177358 /lib64/libc-2.12.1.so 7fed911de000-7fed913de000 ---p 00175000 fd:00 1177358 /lib64/libc-2.12.1.so 7fed913de000-7fed913e2000 r--p 00175000 fd:00 1177358 /lib64/libc-2.12.1.so 7fed913e2000-7fed913e3000 rw-p 00179000 fd:00 1177358 /lib64/libc-2.12.1.so 7fed913e3000-7fed913e8000 rw-p 00000000 00:00 0 7fed913e8000-7fed913ff000 r-xp 00000000 fd:00 1177382 /lib64/libpthread-2.12.1.so 7fed913ff000-7fed915fe000 ---p 00017000 fd:00 1177382 /lib64/libpthread-2.12.1.so 7fed915fe000-7fed915ff000 r--p 00016000 fd:00 1177382 /lib64/libpthread-2.12.1.so 7fed915ff000-7fed91600000 rw-p 00017000 fd:00 1177382 /lib64/libpthread-2.12.1.so 7fed91600000-7fed91604000 rw-p 00000000 00:00 0 7fed91604000-7fed91622000 r-xp 00000000 fd:00 1177352 /lib64/ld-2.12.1.so 7fed91805000-7fed9180a000 rw-p 00000000 00:00 0 7fed91821000-7fed91822000 rw-p 00000000 00:00 0 7fed91822000-7fed91823000 r--p 0001e000 fd:00 1177352 /lib64/ld-2.12.1.so 7fed91823000-7fed91824000 rw-p 0001f000 fd:00 1177352 /lib64/ld-2.12.1.so 7fed91824000-7fed91825000 rw-p 00000000 00:00 0 7ffff453e000-7ffff455f000 rw-p 00000000 00:00 0 [stack] 7ffff45bc000-7ffff45bd000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] #0 0x00007fc772fc89a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 64 return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig); (gdb) bt #0 0x00007fc772fc89a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 #1 0x00007fc772fca185 in abort () at abort.c:92 #2 0x00007fc773005d5b in __libc_message (do_abort=2, fmt=0x7fc7730d8786 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186 #3 0x00007fc7730912a7 in __fortify_fail (msg=0x7fc7730d872c "buffer overflow detected") at fortify_fail.c:32 #4 0x00007fc77308f1a0 in __chk_fail () at chk_fail.c:29 #5 0x00007fc77308f7eb in __realpath_chk (buf=0xc77 <Address 0xc77 out of bounds>, resolved=0xc77 <Address 0xc77 out of bounds>, resolvedlen=6) at realpath_chk.c:30 #6 0x000000000040149a in realpath (argc=<value optimized out>, argv=<value optimized out>) at /usr/include/bits/stdlib.h:46 #7 main (argc=<value optimized out>, argv=<value optimized out>) at hal-disable-polling.c:189 (gdb) bt full #0 0x00007fc772fc89a5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64 resultvar = 0 pid = <value optimized out> selftid = 3191 #1 0x00007fc772fca185 in abort () at abort.c:92 save_stage = 2 act = {__sigaction_handler = {sa_handler = 0x7fffcd0bfa28, sa_sigaction = 0x7fffcd0bfa28}, sa_mask = {__val = {140736633502224, 140736633514142, 19, 140494605485861, 3, 140736633502234, 6, 140494605485865, 2, 140736633502222, 2, 140494605479172, 1, 140494605485861, 3, 140736633502228}}, sa_flags = 12, sa_restorer = 0x7fc7730d8729} sigs = {__val = {32, 0 <repeats 15 times>}} #2 0x00007fc773005d5b in __libc_message (do_abort=2, fmt=0x7fc7730d8786 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:186 ap = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffcd0c0310, reg_save_area = 0x7fffcd0c0220}} ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffcd0c0310, reg_save_area = 0x7fffcd0c0220}} fd = 4 on_2 = <value optimized out> list = <value optimized out> nlist = <value optimized out> cp = <value optimized out> written = <value optimized out> #3 0x00007fc7730912a7 in __fortify_fail (msg=0x7fc7730d872c "buffer overflow detected") at fortify_fail.c:32 No locals. #4 0x00007fc77308f1a0 in __chk_fail () at chk_fail.c:29 No locals. #5 0x00007fc77308f7eb in __realpath_chk (buf=0xc77 <Address 0xc77 out of bounds>, resolved=0xc77 <Address 0xc77 out of bounds>, resolvedlen=6) at realpath_chk.c:30 No locals. #6 0x000000000040149a in realpath (argc=<value optimized out>, argv=<value optimized out>) at /usr/include/bits/stdlib.h:46 No locals. #7 main (argc=<value optimized out>, argv=<value optimized out>) at hal-disable-polling.c:189 real_device = "hVss\307\177\000\000\b\000\000\000\000\000\000\000.N=\366\000\000\000\000`\253Ss\307\177\000\000\001\000\000\000\377\177\000\000\070\365\330\003\000\000\000\000.\000\000\000\000\000\000\000L\232\371r\307\177\000\000\000\000\000\000\000\000\000\000\260\005\f\315\377\177\000\000@\234\371r\307\177\000\000h[\372r\307\177\000\000\020\006\f\315\377\177\000\000\270\026us\307\177\000\000_g\rs\307\177\000\000\060\362\037\315\377\177\000\000\340\005\f\315\377\177\000\000\000\000\000\000\000\000\000\000(\021us\307\177\000\000\000\000\000\000\000\000\000\000\310Vss\307\177\000\000\220iss\307\177\000\000\361&`\000\000\000\000\000 g\372r\307\177\000\000\360\003@\000\000\000\000\000\000\000\000\000\001\000\000\000\367\a\000\000\001\000\000\000\372\255Ss\307\177\000\000\000\000\000\000\000\000\000\000\200\024us\307\177\000\000\000\006\f\315\377\177"... devices = 0x18633e0 num_devices = 0 n = <value optimized out> udi = <value optimized out> ---Type <return> to continue, or q <return> to quit--- device = <value optimized out> is_version = <value optimized out> enable_polling = <value optimized out> error = {name = 0x0, message = 0x0, dummy1 = 1, dummy2 = 0, dummy3 = 0, dummy4 = 0, dummy5 = 0, padding1 = 0x7fffcd0c0370} hal_ctx = 0x1863030 f = <value optimized out> filename = <value optimized out> basename = <value optimized out> (gdb) info registers rax 0x0 0 rbx 0x0 0 rcx 0xffffffffffffffff -1 rdx 0x6 6 rsi 0xc77 3191 rdi 0xc77 3191 rbp 0x7fffcd0c0300 0x7fffcd0c0300 rsp 0x7fffcd0bf938 0x7fffcd0bf938 r8 0x7fc7730d1000 140494605455360 r9 0x602480 6300800 r10 0x8 8 r11 0x206 518 r12 0x5 5 r13 0x7fffcd0bfbe0 140736633502688 r14 0x41 65 r15 0x5 5 rip 0x7fc772fc89a5 0x7fc772fc89a5 <raise+53> eflags 0x206 [ PF IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 Version-Release number of selected component (if applicable): rpm -qi hal Name : hal Relocations: (not relocatable) Version : 0.5.14 Vendor: Fedora Project Release : 3.fc13 Build Date: Mon 29 Mar 2010 09:20:35 PM EEST Install Date: Fri 28 May 2010 12:01:29 AM EEST Build Host: x86-03.phx2.fedoraproject.org Group : System Environment/Libraries Source RPM: hal-0.5.14-3.fc13.src.rpm Size : 1265930 License: AFL or GPLv2 Signature : RSA/SHA256, Mon 29 Mar 2010 09:49:44 PM EEST, Key ID 7edc6ad6e8e40fde Packager : Fedora Project URL : http://www.freedesktop.org/Software/hal Summary : Hardware Abstraction Layer How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
*** This bug has been marked as a duplicate of bug 554886 ***