Garrett,
I see this issue all the time, since the July 2009 release.
kdl
On Fri, Jan 29, 2010 at 9:29 PM, Garrett Cooper <[email protected]> wrote:
> Hi,
> I've been seeing the following messages when ftest03 and ftest07
> are executed on a regular basis as of late (may be due to a recent
> glibc upgrade):
>
> *** buffer overflow detected ***: ftest03 terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7f100b0c3867]
> /lib/libc.so.6[0x7f100b0c1680]
> /lib/libc.so.6[0x7f100b0c0979]
> /lib/libc.so.6(_IO_default_xsputn+0x85)[0x7f100b04ef25]
> /lib/libc.so.6(_IO_vfprintf+0x1fed)[0x7f100b0216dd]
> /lib/libc.so.6(__vsprintf_chk+0x9d)[0x7f100b0c0a1d]
> /lib/libc.so.6(__sprintf_chk+0x80)[0x7f100b0c0960]
> ftest03[0x401f05]
> ftest03[0x402a76]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7f100affba26]
> ftest03[0x401d59]
> *** buffer overflow detected ***: ftest07 terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x37)[0x7f8678b10867]
> /lib/libc.so.6[0x7f8678b0e680]
> /lib/libc.so.6[0x7f8678b0d979]
> /lib/libc.so.6(_IO_default_xsputn+0x85)[0x7f8678a9bf25]
> /lib/libc.so.6(_IO_vfprintf+0x1fed)[0x7f8678a6e6dd]
> /lib/libc.so.6(__vsprintf_chk+0x9d)[0x7f8678b0da1d]
> /lib/libc.so.6(__sprintf_chk+0x80)[0x7f8678b0d960]
> ftest07[0x401ec5]
> ftest07[0x402a76]
> /lib/libc.so.6(__libc_start_main+0xe6)[0x7f8678a48a26]
> ftest07[0x401d19]
>
> gcoo...@orangebox /scratch/ltp $ emerge --info
> Portage 2.1.6.13 (default/linux/amd64/10.0, gcc-4.3.4,
> glibc-2.10.1-r1, 2.6.31-gentoo-r6 x86_64)
> =================================================================
> System uname:
> Linux-2.6.31-gentoo-r6-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9400_@
> _2.66GHz-with-gentoo-1.12.13
> Timestamp of tree: Sun, 24 Jan 2010 07:00:21 +0000
> app-shells/bash: 4.0_p35
> dev-java/java-config: 2.1.9-r2
> dev-lang/python: 2.6.4
> sys-apps/baselayout: 1.12.13
> sys-apps/sandbox: 1.6-r2
> sys-devel/autoconf: 2.13, 2.63-r1
> sys-devel/automake: 1.9.6-r2, 1.10.2
> sys-devel/binutils: 2.18-r3
> sys-devel/gcc-config: 1.4.1
> sys-devel/libtool: 2.2.6b
> virtual/os-headers: 2.6.27-r2
>
> Figuring that ftest07.c compiled (mostly) without warnings, I
> thought it might be an issue common to both tests. Here's what I did
> and it didn't crash when I ran them, but I was wondering if others
> could verify whether or not they run into similar issues as well, and
> if so, tell me whether or not this patch functionality a) makes sense
> and b) resolves the issue:
>
> Index: testcases/kernel/fs/ftest/libftest.c
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testcases/kernel/fs/ftest/libftest.c,v
> retrieving revision 1.1
> diff -u -r1.1 libftest.c
> --- testcases/kernel/fs/ftest/libftest.c 18 Sep 2009 17:44:08
> -0000 1.1
> +++ testcases/kernel/fs/ftest/libftest.c 30 Jan 2010 05:24:42 -0000
> @@ -17,6 +17,7 @@
> */
>
> #include <sys/uio.h>
> +#include <assert.h>
> #include "test.h"
> #include "libftest.h"
>
> @@ -61,16 +62,18 @@
> /*
> * Dump bits string.
> */
> -void ft_dumpbits(char *bits, int size)
> +void ft_dumpbits(void *bits, size_t size)
> {
> - char *buf;
> + void *buf;
>
> tst_resm(TINFO, "\tBits array:");
>
> for (buf = bits; size > 0; --size, ++buf) {
> - if ((buf-bits) % 16 == 0)
> - tst_resm(TINFO, "\t%04x:\t", 8*(buf-bits));
> - tst_resm(TINFO, "\t%02x ", *buf & 0xff);
> + if ((buf-bits) % 16 == 0) {
> + assert (0 < (buf-bits));
> + tst_resm(TINFO, "\t%lu:\t", 8*(buf-bits));
> + }
> + tst_resm(TINFO, "\t%02x ", *((char*) buf) & 0xff);
> }
>
> tst_resm(TINFO, "\t");
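Review bot: The assert added inside the loop, assert (0 < (buf-bits)), fails on the very first iteration. The loop starts with buf = bits, so buf-bits is 0, the test (buf-bits) % 16 == 0 is true, and 0 < 0 is false, which aborts the process the first time ft_dumpbits() runs. If the intent is to catch a negative difference, the check should be 0 <= (buf-bits); iterating with a size_t index instead of a second pointer would make the offset non-negative by construction and remove the need for the assert and the new <assert.h> include. Two smaller points in the same lines: ++buf and buf-bits on a void * rely on a GNU extension (an unsigned char * is portable and also removes the cast and the & 0xff), and %lu is passed a signed pointer difference while changing the offset label from hex (%04x) to decimal.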
> Index: testcases/kernel/fs/ftest/libftest.h
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testcases/kernel/fs/ftest/libftest.h,v
> retrieving revision 1.1
> diff -u -r1.1 libftest.h
> --- testcases/kernel/fs/ftest/libftest.h 18 Sep 2009 17:44:08
> -0000 1.1
> +++ testcases/kernel/fs/ftest/libftest.h 30 Jan 2010 05:24:42 -0000
> @@ -34,7 +34,7 @@
> /*
> * Dump bits string.
> */
> -void ft_dumpbits(char *bits, int size);
> +void ft_dumpbits(void *bits, size_t size);
>
> /*
> * Do logical or of hold and bits (of size)
>
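Review bot: Changing the size parameter from int to size_t in this prototype changes what a negative argument does. With int, the loop condition size > 0 in libftest.c skipped the loop; a negative int converted to size_t becomes a very large count, and the dump would read far past the end of the array. The callers are not part of this patch, so each call site should be checked to pass a non-negative length, and libftest.h needs a definition of size_t in scope (for example via <stddef.h>) if it does not already include one.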
> I did what I did above because it's doing pointer arithmetic of
> virtual memory addresses, which means that that could be wreaking
> havoc if the value is truly rolling over / overflowing.
> Thanks,
> -Garrett
>
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Ltp-list mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ltp-list
>
--
K.D. Lucas
[email protected]
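
The backtraces quoted above end in __sprintf_chk and __fortify_fail, the glibc fortified sprintf path that terminates the process when the formatted output would not fit the destination buffer. As an added example (not LTP code and not part of the patch), here is a bounded way to format a bit-array dump row with snprintf and index-based offsets; the name format_bits_row, the buffer sizes and the sample data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_ROW 16 /* assumed row width, matching the 16-byte rows in the patch */

/*
 * Format row `row` of a bit array as "<bit offset, hex>: b0 b1 ..." into out.
 * Returns the characters written, or -1 if the row does not exist or out is
 * too small. Each write is bounded by the space left in out.
 */
int format_bits_row(const unsigned char *bits, size_t size, size_t row,
                    char *out, size_t outsz)
{
    size_t start = row * BYTES_PER_ROW;
    size_t used;
    int n;

    if (start >= size || outsz == 0)
        return -1;

    /* The offset is an index, not a pointer difference, so it is never negative. */
    n = snprintf(out, outsz, "%04zx:", start * 8);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    used = (size_t)n;

    for (size_t i = start; i < size && i < start + BYTES_PER_ROW; i++) {
        n = snprintf(out + used, outsz - used, " %02x", (unsigned)bits[i]);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1; /* truncated: report it instead of overrunning */
        used += (size_t)n;
    }
    return (int)used;
}

int main(void)
{
    unsigned char bits[18]; /* constructed sample: second row is partial */
    char line[80];

    for (size_t i = 0; i < sizeof(bits); i++)
        bits[i] = (unsigned char)(0xf0 + i);
    for (size_t r = 0; format_bits_row(bits, sizeof(bits), r, line, sizeof(line)) > 0; r++)
        puts(line);
    return 0;
}
```

A destination that is too small makes the function return -1, where an unbounded sprintf into the same buffer would be stopped by the fortify check with the abort shown in the report.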