** Description changed:
+ == SRU justification, Xenial ==
+
+ When running the --dup stressor with stress-ng with a process that is
+ allowed to open more than 64K file descriptors we trigger a segfault
+ because of an array overflow.
+
+ == Fix ==
+
+ A simple fix is required, just a bounds check on the maximum size max_fd
+ to limit it to the size of the fds array.
+
+ == Testcase ==
+
+ stress-ng on arm64 with the --dup stressor will trigger this quite
+ easily. The bug was found during regression testing of the previous
+ xenial stress-ng upload.
+
+ stress-ng --dup
+
+ Without the fix this will segfault. With the fix it works correctly.
+
+ == Regression Potential ==
+
+ Low. This affects one stress case in stress-ng, the fix is localized and
+ it is a backport from an upstream stress-ng fix that has been working for
+ several years w/o problem.
+
+ ----------------
+
+
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
stress-ng: info: [10979] defaulting to a 86400 second run per stressor
stress-ng: info: [10979] dispatching hogs: 1 dup
stress-ng: info: [10979] cache allocate: using built-in defaults as unable to determine cache details
stress-ng: info: [10979] cache allocate: default cache size: 2048K
[New process 10982]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-linux-gnu/libthread_db.so.1".
65536 1048573
Thread 2.1 "stress-ng-dup" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xffffb7ff1000 (LWP 10982)]
0x00000000004191f0 in stress_dup (counter=0xffffb7cbee78, instance=<optimised
out>, max_ops=0, name=<optimised out>)
- at stress-dup.c:63
+ at stress-dup.c:63
63 fds[i] = dup(fds[0]);
This requires a fix from commit:
From 67d872611b860a79b03dca8c7549e5cee7fec4eb Mon Sep 17 00:00:00 2001
From: Colin Ian King <[email protected]>
Date: Tue, 8 Nov 2016 15:50:20 +0000
Subject: [PATCH] treewide: remove messy #if defined() build checks
diff --git a/stress-dup.c b/stress-dup.c
index 2fe2d6a6..0ac13fee 100644
--- a/stress-dup.c
+++ b/stress-dup.c
@@ -45,7 +45,7 @@ int stress_dup(
- const char *name)
- {
- int fds[STRESS_FD_MAX];
+ const char *name)
+ {
+ int fds[STRESS_FD_MAX];
- const size_t max_fd = stress_get_file_limit();
+ size_t max_fd = stress_get_file_limit();
- size_t i;
- #if defined(__linux__)
- bool do_dup3 = true;
+ size_t i;
+ #if defined(__linux__)
+ bool do_dup3 = true;
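Review bot: the only substantive change in this hunk is dropping `const` from `max_fd` (the surrounding `-`/`+` pairs differ only in leading whitespace, which is Launchpad's description diff re-flagging the quoted patch, not part of the upstream commit); the `const` has to go because the next hunk assigns to `max_fd`. Keeping the backport byte-identical to upstream is the right call for an SRU, but since the commit's subject ("treewide: remove messy #if defined() build checks") says nothing about a bounds check, the upload's changelog should state that only this clamp is being cherry-picked from that commit.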
@@ -53,6 +53,9 @@ int stress_dup(
- (void)instance;
+ (void)instance;
+ if (max_fd > SIZEOF_ARRAY(fds))
+ max_fd = SIZEOF_ARRAY(fds);
+
- fds[0] = open("/dev/zero", O_RDONLY);
- if (fds[0] < 0) {
- pr_fail_dbg(name, "open on /dev/zero");
+ fds[0] = open("/dev/zero", O_RDONLY);
+ if (fds[0] < 0) {
+ pr_fail_dbg(name, "open on /dev/zero");
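Review bot: the clamp keeps every index below `SIZEOF_ARRAY(fds)` only if the loop that reaches `stress-dup.c:63` (`fds[i] = dup(fds[0]);`, per the gdb trace) iterates with a strict `i < max_fd`; that loop is outside this hunk, so confirm the comparison is not `<=` before signing off. Placing the check before `fds[0]` is opened is correct, and the `65536 1048573` line in the trace is consistent with a 65536-entry table facing a 1048573 soft limit, exactly the case this now caps. Consider a debug-level message when the limit is clamped so the reduced coverage is visible on hosts with a large RLIMIT_NOFILE.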
** Changed in: stress-ng (Ubuntu Xenial)
Assignee: (unassigned) => Colin Ian King (colin-king)
** Changed in: stress-ng (Ubuntu Xenial)
Importance: Undecided => High
** Changed in: stress-ng (Ubuntu Xenial)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1873448
Title:
stress-ng in xenial segfaults on dup stressor on arm64
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/stress-ng/+bug/1873448/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
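The fault described in the report above (a fixed-size `fds[]` table filled by `dup()` up to the process's RLIMIT_NOFILE, overflowing when the limit is larger than the table) and the clamp the patch applies, as an added worked example. This is not stress-ng's code and not from the bug report: `FD_MAX` is a small stand-in for `STRESS_FD_MAX`, `file_limit()` is assumed to behave like `stress_get_file_limit()` (soft RLIMIT_NOFILE), and the function names are invented for illustration.

```c
/*
 * Added example, not stress-ng code: a fixed-size fd table filled by dup()
 * up to the process's RLIMIT_NOFILE, first in the shape that overflows when
 * the limit exceeds the array, then with the clamp the patch adds.
 * FD_MAX is a small stand-in for STRESS_FD_MAX (assumption: the real value
 * is 65536, matching the "65536 1048573" line in the gdb trace).
 */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

#define FD_MAX 64
#define SIZEOF_ARRAY(a) (sizeof(a) / sizeof((a)[0]))

/* Soft RLIMIT_NOFILE, the number of descriptors this process may hold open
 * (assumption: this is what stress_get_file_limit() returns). */
size_t file_limit(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
        return FD_MAX;
    if (rl.rlim_cur == RLIM_INFINITY)
        return SIZE_MAX;
    return (size_t)rl.rlim_cur;
}

/* The bounds check from the patch, isolated so it can be tested. */
size_t clamp_fd_count(size_t limit, size_t array_len)
{
    return limit > array_len ? array_len : limit;
}

/* Pre-fix shape: trusts the rlimit and writes past the end of fds[] as soon
 * as requested exceeds the table size. Never called here; for contrast only. */
size_t dup_into_unbounded(int *fds, size_t requested)
{
    size_t i;

    for (i = 1; i < requested; i++)
        fds[i] = dup(fds[0]);   /* the stress-dup.c:63 line in the trace */
    return i;
}

/* Fixed shape: clamp to the table size first, then stop early if dup()
 * fails (EMFILE/ENFILE). Returns the number of valid slots, fds[0] included. */
size_t dup_into(int *fds, size_t cap, size_t requested)
{
    size_t n = clamp_fd_count(requested, cap);
    size_t i;

    for (i = 1; i < n; i++) {
        fds[i] = dup(fds[0]);
        if (fds[i] < 0)
            break;
    }
    return i;
}

void close_all(int *fds, size_t n)
{
    for (size_t i = 0; i < n; i++)
        (void)close(fds[i]);
}

/* Run the fixed loop against an 8-entry table while asking for far more
 * than fits; returns how many slots were filled (8 when every dup succeeds). */
size_t demo_small_table(void)
{
    int fds[8];
    size_t n;

    fds[0] = open("/dev/zero", O_RDONLY);
    if (fds[0] < 0)
        return 0;
    n = dup_into(fds, SIZEOF_ARRAY(fds), 1000000);
    close_all(fds, n);
    return n;
}

int main(void)
{
    int fds[FD_MAX];
    size_t limit = file_limit();
    size_t n;

    fds[0] = open("/dev/zero", O_RDONLY);
    if (fds[0] < 0) {
        perror("open /dev/zero");
        return 1;
    }
    printf("table %zu entries, RLIMIT_NOFILE %zu, clamped to %zu\n",
           SIZEOF_ARRAY(fds), limit, clamp_fd_count(limit, SIZEOF_ARRAY(fds)));
    n = dup_into(fds, SIZEOF_ARRAY(fds), limit);
    printf("filled %zu slots\n", n);
    close_all(fds, n);
    return 0;
}
```

Raise the soft limit (`ulimit -n 100000`) before running it and the printed clamp stays at the table size, which is the whole point of the patch: the rlimit is an upper bound on what the kernel will hand out, not on what the caller's array can hold, so it must be capped against the array before being used as a loop bound.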