Debugging this, we see the addresses of the source and destination path
buffers passed get trashed, here 0x62cc:
Program received signal SIGABRT, Aborted.
0x00007ffff7144a75 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) where
#0  0x00007ffff7144a75 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff71485c0 in *__GI_abort () at abort.c:92
#2  0x00007ffff717e4fb in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff72101e7 in *__GI___fortify_fail (msg=0x7ffff725880d "buffer overflow detected") at fortify_fail.c:32
#4  0x00007ffff720f0a0 in *__GI___chk_fail () at chk_fail.c:29
#5  0x00007ffff720f6fb in __realpath_chk (buf=0x62cc <Address 0x62cc out of bounds>, resolved=0x62cc <Address 0x62cc out of bounds>, resolvedlen=6) at realpath_chk.c:30
#6  0x0000000000401687 in realpath (argc=<value optimized out>, argv=<value optimized out>) at /usr/include/bits/stdlib.h:46
#7  main (argc=<value optimized out>, argv=<value optimized out>) at hal-disable-polling.c:194
Furthermore, building with optimisation disabled, the crash is not
experienced:
$ apt-get source hal
$ cd hal-*
$ debuild -rfakeroot -us -uc
$ cd tools
$ gcc -DHAVE_CONFIG_H -I. -I.. -DPACKAGE_LIBEXEC_DIR=\""/usr/lib/hal"\"
-DPACKAGE_SYSCONF_DIR=\""/etc"\" -DPACKAGE_DATA_DIR=\""/usr/share"\"
-DPACKAGE_BIN_DIR=\""/usr/bin"\" -DPACKAGE_LOCALSTATEDIR=\""/var"\"
-DPACKAGE_SCRIPT_DIR=\""/usr/lib/hal/scripts"\"
-DPACKAGE_LOCALE_DIR=\""/usr/share/locale"\" -I.. -I../libhal
-I../libhal-storage -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include
-pthread -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include
-I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -c hal-disable-polling.c -O0
$ gcc -Wl,--as-needed -Wl,-Bsymbolic-functions -o hal-disable-polling
hal-disable-polling.o -pthread -L/lib -ldbus-glib-1 /usr/lib/libgobject-2.0.so
/usr/lib/libgthread-2.0.so /usr/lib/libglib-2.0.so -ldbus-1 -lpthread -lrt
../libhal/.libs/libhal.so -pthread
$ sudo ./hal-disable-polling --device /dev/foo
Cannot find device /dev/foo.
$ gcc -DHAVE_CONFIG_H -I. -I.. -DPACKAGE_LIBEXEC_DIR=\""/usr/lib/hal"\"
-DPACKAGE_SYSCONF_DIR=\""/etc"\" -DPACKAGE_DATA_DIR=\""/usr/share"\"
-DPACKAGE_BIN_DIR=\""/usr/bin"\" -DPACKAGE_LOCALSTATEDIR=\""/var"\"
-DPACKAGE_SCRIPT_DIR=\""/usr/lib/hal/scripts"\"
-DPACKAGE_LOCALE_DIR=\""/usr/share/locale"\" -I.. -I../libhal
-I../libhal-storage -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include
-pthread -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include
-I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -c hal-disable-polling.c -O1
$ gcc -Wl,--as-needed -Wl,-Bsymbolic-functions -o hal-disable-polling
hal-disable-polling.o -pthread -L/lib -ldbus-glib-1 /usr/lib/libgobject-2.0.so
/usr/lib/libgthread-2.0.so /usr/lib/libglib-2.0.so -ldbus-1 -lpthread -lrt
../libhal/.libs/libhal.so -pthread
$ sudo ./hal-disable-polling --device /dev/foo
*** buffer overflow detected ***: ./hal-disable-polling terminated
--
hal-disable-polling crash: buffer overflow detected
https://bugs.launchpad.net/bugs/530569
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs