Description of problem:

$ guestfish -a data1.raw -m /dev/sda1 tar-out / - | guestfish -a data2.raw -m /dev/VG/LV tar-in - /
*** buffer overflow detected ***: guestfish terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x328c70a697]
/lib64/libc.so.6[0x328c708810]
/lib64/libc.so.6[0x328c70a607]
/lib64/libguestfs.so.0[0x3b9dc9f905]
/lib64/libguestfs.so.0[0x3b9dca09d2]
/lib64/libguestfs.so.0(guestfs_tar_in_opts_argv+0x3b8)[0x3b9dc43a58]
guestfish[0x41cda1]
guestfish[0x43c5a8]
guestfish[0x40f0a9]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x328c621a05]
guestfish[0x40f29d]
======= Memory map: ========
[...]
libguestfs: error: /dev/stdout: write: Broken pipe
libguestfs: error: file receive cancelled by daemon
Aborted (core dumped)

Version-Release number of selected component (if applicable):
libguestfs-tools-c-1.20.2-5.fc18.x86_64

How reproducible:
100%

Steps to Reproduce:
1. See command above.

Full stack trace:

#0 0x000000328c635ba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1 0x000000328c637358 in __GI_abort () at abort.c:90
#2 0x000000328c67559b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x328c7787ff "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3 0x000000328c70a697 in __GI___fortify_fail (msg=msg@entry=0x328c7787a5 "buffer overflow detected") at fortify_fail.c:31
#4 0x000000328c708810 in __GI___chk_fail () at chk_fail.c:28
#5 0x000000328c70a607 in __fdelt_chk (d=<optimized out>) at fdelt_chk.c:25
#6 0x0000003b9dc9f905 in recv_from_daemon (buf_rtn=0x7fffa4284aa8, size_rtn=0x7fffa4284aa4, g=0x9731e0) at proto.c:498
#7 guestfs___recv_from_daemon (g=g@entry=0x9731e0, size_rtn=size_rtn@entry=0x7fffa4284aa4, buf_rtn=buf_rtn@entry=0x7fffa4284aa8) at proto.c:659
#8 0x0000003b9dca09d2 in guestfs___recv_discard (g=g@entry=0x9731e0, fn=fn@entry=0x3b9dcbb530 "tar_in") at proto.c:1047
#9 0x0000003b9dc43a58 in guestfs_tar_in_opts_argv (g=0x9731e0, tarfile=tarfile@entry=0x965dc0 "/dev/stdin", directory=directory@entry=0x96b970 "/", optargs=<optimized out>, optargs@entry=0x7fffa4284c00) at actions-3.c:2583
#10 0x000000000041cda1 in run_tar_in (cmd=0x7fffa428536e "tar-in", argc=2, argv=<optimized out>) at cmds.c:8992
#11 0x000000000043c5a8 in issue_command (cmd=0x7fffa428536e "tar-in", argv=0x7fffa4284ef8, pipecmd=pipecmd@entry=0x0, rc_exit_on_error_flag=rc_exit_on_error_flag@entry=1) at fish.c:1140
#12 0x000000000040f0a9 in cmdline (argc=10, optind=10, argv=<optimized out>) at fish.c:1043
#13 main (argc=<optimized out>, argv=0x7fffa4284eb8) at fish.c:561

(gdb) frame 8
#8 0x0000003b9dca09d2 in guestfs___recv_discard (g=g@entry=0x9731e0, fn=fn@entry=0x3b9dcbb530 "tar_in") at proto.c:1047
1047 r = guestfs___recv_from_daemon (g, &size, &buf);
(gdb) print size
$1 = 0
(gdb) print buf
$2 = (void *) 0x0

Ignore comment 2. The real error is because g->sock == -1, causing an attempt to set the -1'th element of an fd_set:

(gdb) frame 6
#6 0x0000003b9dc9f905 in recv_from_daemon (buf_rtn=0x7fffa4284aa8, size_rtn=0x7fffa4284aa4, g=0x9731e0) at proto.c:498
498 FD_SET (g->sock, &rset); /* Read socket for data & EOF. */
(gdb) print rset
$3 = {fds_bits = {0 <repeats 16 times>}}
(gdb) print g->sock
$4 = -1

Slightly unexpected, but it turns out the cause of this is an oom error in guestfsd causing the appliance to die. Since there are now *two* bugs, I've opened another one (bug 914934).

Fixed in these commits:
https://github.com/libguestfs/libguestfs/commit/7953128ca66207a7a3ca44e02fec1de48253223e
https://github.com/libguestfs/libguestfs/commit/4136850f3ced2c8da6ca4f44c0f80881cb6d1352
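
Added example (not part of the bug report, and not the code from the libguestfs commits above): the thread's diagnosis is that FD_SET was called with g->sock == -1, which glibc's fortified __fdelt_chk turns into an abort. The sketch below shows a select()-based wait that fails cleanly on a closed descriptor instead; checked_fd_set and wait_readable are hypothetical names, and the pipe in main is constructed test input.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper: add fd to set only when FD_SET is defined for it.
 * POSIX leaves FD_SET undefined for fd < 0 or fd >= FD_SETSIZE; glibc built
 * with _FORTIFY_SOURCE aborts in __fdelt_chk, as in the backtrace above. */
static int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Hypothetical stand-in for the wait step of a receive loop.
 * Returns 1 if sock is readable, 0 on timeout, -1 on error (errno set). */
static int wait_readable(int sock, long timeout_ms)
{
    fd_set rset;
    struct timeval tv;
    int r;

    do {
        FD_ZERO(&rset);
        if (checked_fd_set(sock, &rset) == -1)
            return -1;          /* closed connection: report, do not abort */
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        r = select(sock + 1, &rset, NULL, NULL, &tv);
    } while (r == -1 && errno == EINTR);
    return r > 0 ? 1 : r;
}

int main(void)
{
    int p[2];                   /* constructed input: a local pipe */
    if (pipe(p) == -1 || write(p[1], "x", 1) != 1)
        return 1;
    printf("pipe with data: %d\n", wait_readable(p[0], 100));
    printf("sock == -1:     %d\n", wait_readable(-1, 100));
    printf("fd too large:   %d\n", wait_readable(FD_SETSIZE, 100));
    return 0;
}
```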