** Summary changed:
- cron-apt buffer overflow with high pid numbers
+ [SRU] liblockfile buffer overflow with high pid numbers
** Description changed:
on our system (Ubuntu-Server 10.04) we set "sysctl -w kernel.pid_max =
4194304". When the pid counter is high, currently >3000000, then cron-
apt terminates with a buffer overflow message:
root@sn:~# cron-apt
*** buffer overflow detected ***: dotlockfile terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f2ae90547e7]
/lib/libc.so.6(+0xfe6a0)[0x7f2ae90536a0]
/lib/libc.so.6(+0xfdb09)[0x7f2ae9052b09]
/lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2ae8fcaf6c]
/lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2ae8f9aa10]
/lib/libc.so.6(__vsprintf_chk+0x99)[0x7f2ae9052ba9]
/lib/libc.so.6(__sprintf_chk+0x7f)[0x7f2ae9052aef]
dotlockfile[0x401e6e]
dotlockfile[0x40198a]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f2ae8f73c4d]
dotlockfile[0x4011f9]
======= Memory map: ========
00400000-00403000 r-xp 00000000 fb:02 2104182
/usr/bin/dotlockfile
00602000-00603000 r--p 00002000 fb:02 2104182
/usr/bin/dotlockfile
00603000-00604000 rw-p 00003000 fb:02 2104182
/usr/bin/dotlockfile
01f80000-01fa1000 rw-p 00000000 00:00 0
[heap]
7f2ae8503000-7f2ae8519000 r-xp 00000000 fb:02 131128
/lib/libgcc_s.so.1
7f2ae8519000-7f2ae8718000 ---p 00016000 fb:02 131128
/lib/libgcc_s.so.1
7f2ae8718000-7f2ae8719000 r--p 00015000 fb:02 131128
/lib/libgcc_s.so.1
7f2ae8719000-7f2ae871a000 rw-p 00016000 fb:02 131128
/lib/libgcc_s.so.1
7f2ae871a000-7f2ae8726000 r-xp 00000000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2ae8726000-7f2ae8925000 ---p 0000c000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2ae8925000-7f2ae8926000 r--p 0000b000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2ae8926000-7f2ae8927000 rw-p 0000c000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2ae8927000-7f2ae8931000 r-xp 00000000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2ae8931000-7f2ae8b30000 ---p 0000a000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2ae8b30000-7f2ae8b31000 r--p 00009000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2ae8b31000-7f2ae8b32000 rw-p 0000a000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2ae8b32000-7f2ae8b49000 r-xp 00000000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2ae8b49000-7f2ae8d48000 ---p 00017000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2ae8d48000-7f2ae8d49000 r--p 00016000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2ae8d49000-7f2ae8d4a000 rw-p 00017000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2ae8d4a000-7f2ae8d4c000 rw-p 00000000 00:00 0
7f2ae8d4c000-7f2ae8d54000 r-xp 00000000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f2ae8d54000-7f2ae8f53000 ---p 00008000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f2ae8f53000-7f2ae8f54000 r--p 00007000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f2ae8f54000-7f2ae8f55000 rw-p 00008000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f2ae8f55000-7f2ae90cf000 r-xp 00000000 fb:02 147402
/lib/libc-2.11.1.so
7f2ae90cf000-7f2ae92ce000 ---p 0017a000 fb:02 147402
/lib/libc-2.11.1.so
7f2ae92ce000-7f2ae92d2000 r--p 00179000 fb:02 147402
/lib/libc-2.11.1.so
7f2ae92d2000-7f2ae92d3000 rw-p 0017d000 fb:02 147402
/lib/libc-2.11.1.so
7f2ae92d3000-7f2ae92d8000 rw-p 00000000 00:00 0
7f2ae92d8000-7f2ae92f8000 r-xp 00000000 fb:02 147370
/lib/ld-2.11.1.so
7f2ae94eb000-7f2ae94ee000 rw-p 00000000 00:00 0
7f2ae94f5000-7f2ae94f7000 rw-p 00000000 00:00 0
7f2ae94f7000-7f2ae94f8000 r--p 0001f000 fb:02 147370
/lib/ld-2.11.1.so
7f2ae94f8000-7f2ae94f9000 rw-p 00020000 fb:02 147370
/lib/ld-2.11.1.so
7f2ae94f9000-7f2ae94fa000 rw-p 00000000 00:00 0
7fff43082000-7fff430a3000 rw-p 00000000 00:00 0
[stack]
7fff431ff000-7fff43200000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
Aborted
root@sn:~# uname -a
Linux sn 2.6.35-32-server #68~lucid1-Ubuntu SMP Wed Mar 28 18:33:00 UTC 2012
x86_64 GNU/Linux
root@sn:~# ps
PID TTY TIME CMD
3722057 pts/5 00:00:00 bash
3925974 pts/5 00:00:00 ps
root@sn:~# strace -f -o out cron-apt
*** buffer overflow detected ***: dotlockfile terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f27661f27e7]
/lib/libc.so.6(+0xfe6a0)[0x7f27661f16a0]
/lib/libc.so.6(+0xfdb09)[0x7f27661f0b09]
/lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2766168f6c]
/lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2766138a10]
/lib/libc.so.6(__vsprintf_chk+0x99)[0x7f27661f0ba9]
/lib/libc.so.6(__sprintf_chk+0x7f)[0x7f27661f0aef]
dotlockfile[0x401e6e]
dotlockfile[0x40198a]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f2766111c4d]
dotlockfile[0x4011f9]
======= Memory map: ========
00400000-00403000 r-xp 00000000 fb:02 2104182
/usr/bin/dotlockfile
00602000-00603000 r--p 00002000 fb:02 2104182
/usr/bin/dotlockfile
00603000-00604000 rw-p 00003000 fb:02 2104182
/usr/bin/dotlockfile
01a13000-01a34000 rw-p 00000000 00:00 0
[heap]
7f27656a1000-7f27656b7000 r-xp 00000000 fb:02 131128
/lib/libgcc_s.so.1
7f27656b7000-7f27658b6000 ---p 00016000 fb:02 131128
/lib/libgcc_s.so.1
7f27658b6000-7f27658b7000 r--p 00015000 fb:02 131128
/lib/libgcc_s.so.1
7f27658b7000-7f27658b8000 rw-p 00016000 fb:02 131128
/lib/libgcc_s.so.1
7f27658b8000-7f27658c4000 r-xp 00000000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f27658c4000-7f2765ac3000 ---p 0000c000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2765ac3000-7f2765ac4000 r--p 0000b000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2765ac4000-7f2765ac5000 rw-p 0000c000 fb:02 147406
/lib/libnss_files-2.11.1.so
7f2765ac5000-7f2765acf000 r-xp 00000000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2765acf000-7f2765cce000 ---p 0000a000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2765cce000-7f2765ccf000 r--p 00009000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2765ccf000-7f2765cd0000 rw-p 0000a000 fb:02 147385
/lib/libnss_nis-2.11.1.so
7f2765cd0000-7f2765ce7000 r-xp 00000000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2765ce7000-7f2765ee6000 ---p 00017000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2765ee6000-7f2765ee7000 r--p 00016000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2765ee7000-7f2765ee8000 rw-p 00017000 fb:02 147369
/lib/libnsl-2.11.1.so
7f2765ee8000-7f2765eea000 rw-p 00000000 00:00 0
7f2765eea000-7f2765ef2000 r-xp 00000000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f2765ef2000-7f27660f1000 ---p 00008000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f27660f1000-7f27660f2000 r--p 00007000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f27660f2000-7f27660f3000 rw-p 00008000 fb:02 147379
/lib/libnss_compat-2.11.1.so
7f27660f3000-7f276626d000 r-xp 00000000 fb:02 147402
/lib/libc-2.11.1.so
7f276626d000-7f276646c000 ---p 0017a000 fb:02 147402
/lib/libc-2.11.1.so
7f276646c000-7f2766470000 r--p 00179000 fb:02 147402
/lib/libc-2.11.1.so
7f2766470000-7f2766471000 rw-p 0017d000 fb:02 147402
/lib/libc-2.11.1.so
7f2766471000-7f2766476000 rw-p 00000000 00:00 0
7f2766476000-7f2766496000 r-xp 00000000 fb:02 147370
/lib/ld-2.11.1.so
7f2766689000-7f276668c000 rw-p 00000000 00:00 0
7f2766693000-7f2766695000 rw-p 00000000 00:00 0
7f2766695000-7f2766696000 r--p 0001f000 fb:02 147370
/lib/ld-2.11.1.so
7f2766696000-7f2766697000 rw-p 00020000 fb:02 147370
/lib/ld-2.11.1.so
7f2766697000-7f2766698000 rw-p 00000000 00:00 0
7fff3660b000-7fff3662c000 rw-p 00000000 00:00 0
[stack]
7fff36765000-7fff36766000 r-xp 00000000 00:00 0
[vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
Aborted
When we switch back to a small pid number e.g. by "sysctl -w
kernel.pid_max = 32768" cron-apt works again. The Problem also just
occurs if the pid counter reached high values. If pid_max is set high
but the counter is still low the problem doesn't show up.
[Test Case]
The overflow occurs when the decimal representation of the PID value is 7
characters or higher. So, set pid_max to a value that is 7 characters long, run
through PIDs until we get one that is at least 7 characters (the while loop may
take a long time), then create a lock file containing the PID (building the
string containing the PID is where the overflow occurs). Watch for the `echo
$BASHPID` and `cat ${lock}.lock` to print out the same PID number and make sure
that it is at least 7 characters long.
Note that this test case obviously depends on a bash'ism, so use bash or
adjust it as necessary. :)
$ lock=/var/lock/lockfile-create-test
$ lockfile-remove $lock
$ sudo sysctl -w kernel.pid_max=4194304
$ while ([ $BASHPID -lt 1000000 ]); do continue; done
$ (echo $BASHPID; lockfile-create $lock --use-pid; cat ${lock}.lock)
+
+ [Regression Potential]
+ Minimum. We've applied a patch to the same version of liblockfile in 13.04
and that has since been merged to debian with no reports of regressions.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1011477
Title:
[SRU] liblockfile buffer overflow with high pid numbers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/liblockfile/+bug/1011477/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
