Bug 86164 - Repeatable lockdev segfault (NULL pointer?)
Summary: Repeatable lockdev segfault (NULL pointer?)
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: lockdev
Version: 8.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Eido Inoue
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2003-03-15 09:54 UTC by jonny robertson
Modified: 2007-04-18 16:52 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-03-16 22:14:08 UTC

Attachments (Terms of Use)

Description jonny robertson 2003-03-15 09:54:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021202

Description of problem:
I guess this isn't exploitable at all, but it is a setgid binary....

[jonny@pichu jonny]$ lockdev -l
Segmentation fault
[jonny@pichu jonny]$ lockdev -u
Segmentation fault
[jonny@pichu jonny]$
[jonny@pichu jonny]$ gdb `which lockdev`
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) set args -l
(gdb) r
Starting program: /usr/sbin/lockdev -l
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x4207a893 in strrchr () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207a893 in strrchr () from /lib/i686/libc.so.6
#1  0x00000000 in ?? ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[jonny@pichu jonny]$
[jonny@pichu jonny]$ ls -l `which lockdev`
-rwxr-sr-x    1 root     lock        12325 Jun 24  2002 /usr/sbin/lockdev
[jonny@pichu jonny]$
[jonny@pichu jonny]$ id
uid=500(jonny) gid=500(jonny) groups=500(jonny),13(news)
[jonny@pichu jonny]$

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run lockdev -u
2. or run lockdev -l  
3. with no arguments

Actual Results:  SEGV

Expected Results:  print help!?

Additional info:

Comment 1 Mark J. Cox 2003-03-16 22:14:08 UTC
This was first reported to the full-disclosure list on Nov 22 2002.  This is not
exploitable since there is no input to the program (other than the device name
but the segfault only occurs when this is missing).  However we've fixed the bug
in lockdev-1.0.0-21, but will not be issuing an errata for older releases. 
Thanks for reporting this issue.

Note You need to log in before you can comment on or make changes to this bug.