Bug 86164 - Repeatable lockdev segfault (NULL pointer?)
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: lockdev
Version: 8.0
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Eido Inoue
QA Contact: Brian Brock
Keywords: Security
Reported: 2003-03-15 04:54 EST by jonny robertson
Modified: 2007-04-18 12:52 EDT
Doc Type: Bug Fix
Last Closed: 2003-03-16 17:14:08 EST
Description jonny robertson 2003-03-15 04:54:35 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021202

Description of problem:
I guess this isn't exploitable at all, but it is a setgid binary....

[jonny@pichu jonny]$ lockdev -l
Segmentation fault
[jonny@pichu jonny]$ lockdev -u
Segmentation fault
[jonny@pichu jonny]$
[jonny@pichu jonny]$ gdb `which lockdev`
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) set args -l
(gdb) r
Starting program: /usr/sbin/lockdev -l
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x4207a893 in strrchr () from /lib/i686/libc.so.6
(gdb) bt
#0  0x4207a893 in strrchr () from /lib/i686/libc.so.6
#1  0x00000000 in ?? ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y
[jonny@pichu jonny]$
[jonny@pichu jonny]$ ls -l `which lockdev`
-rwxr-sr-x    1 root     lock        12325 Jun 24  2002 /usr/sbin/lockdev
[jonny@pichu jonny]$
[jonny@pichu jonny]$ id
uid=500(jonny) gid=500(jonny) groups=500(jonny),13(news)
[jonny@pichu jonny]$


Version-Release number of selected component (if applicable):
lockdev-1.0.0-20

How reproducible:
Always

Steps to Reproduce:
1. run lockdev -u
2. or run lockdev -l  
3. with no arguments
    

Actual Results:  SEGV

Expected Results:  print help!?

Additional info:
Comment 1 Mark J. Cox (Product Security) 2003-03-16 17:14:08 EST
This was first reported to the full-disclosure list on Nov 22 2002.  This is not
exploitable since there is no input to the program (other than the device name
but the segfault only occurs when this is missing).  However we've fixed the bug
in lockdev-1.0.0-21, but will not be issuing an errata for older releases. 
Thanks for reporting this issue.
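
The failure mode discussed in this bug, as an added example that is not lockdev's source and not the fix shipped in lockdev-1.0.0-21: an option parser that rejects a missing device operand before any string function sees it. The `-l <device>` / `-u <device>` syntax, the assumption that the crash came from a NULL device pointer reaching strrchr(), and all names (`parse_args`, `device_basename`, `struct request`) are hypothetical.

```c
/* Added illustration; not lockdev's code. All identifiers are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum action { ACT_USAGE, ACT_LOCK, ACT_UNLOCK };

struct request {
    enum action act;
    const char *device;   /* non-NULL whenever act != ACT_USAGE */
};

/* Last path component of dev, or NULL if dev is NULL or empty.
 * strrchr(NULL, '/') is undefined behaviour; a crash there is consistent
 * with the strrchr() frame in the report's backtrace (assumed cause). */
static const char *device_basename(const char *dev)
{
    const char *slash;
    if (dev == NULL || *dev == '\0')
        return NULL;
    slash = strrchr(dev, '/');
    return slash ? slash + 1 : dev;
}

/* Parse "-l <device>" or "-u <device>". A missing or empty operand yields
 * ACT_USAGE instead of letting a NULL device reach the string functions. */
static struct request parse_args(int argc, char **argv)
{
    struct request r = { ACT_USAGE, NULL };
    enum action act;
    if (argc < 3 || argv[1] == NULL || device_basename(argv[2]) == NULL)
        return r;                          /* e.g. "lockdev -l" alone */
    if (strcmp(argv[1], "-l") == 0)
        act = ACT_LOCK;
    else if (strcmp(argv[1], "-u") == 0)
        act = ACT_UNLOCK;
    else
        return r;                          /* unknown option */
    r.act = act;
    r.device = argv[2];
    return r;
}

int main(int argc, char **argv)
{
    struct request r = parse_args(argc, argv);
    if (r.act == ACT_USAGE) {
        fprintf(stderr, "usage: -l|-u <device>\n");
        return 2;
    }
    printf("%s %s\n", r.act == ACT_LOCK ? "lock" : "unlock", device_basename(r.device));
    return 0;
}
```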