Bug 153987

Summary: Kudzu segfaults with some Firewire controllers due to improperly checked fd
Product: [Fedora] Fedora
Component: kudzu
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Reporter: Daniel de Kok <danieldk>
Assignee: Bill Nottingham <notting>
QA Contact: David Lawrence <dkl>
CC: rvokal
Doc Type: Bug Fix
Last Closed: 2005-04-06 17:19:08 UTC

Description Daniel de Kok 2005-04-06 13:49:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050327 Firefox/1.0.2 (Debian package 1.0.2-1.0.libranet.1)

Description of problem:
Kudzu segfaults on some machines that have a firewire controller, due to an incorrectly checked file descriptor. The code allows bufFromFd to be called with a file descriptor < 0, causing a segfault due to a memset called in bufFromFd.

Version-Release number of selected component (if applicable):
CVS

How reproducible:
Always

Steps to Reproduce:
1. kudzu -p

Actual Results:  The relevant information from a backtrace:

---
Program received signal SIGSEGV, Segmentation fault.
0xb7f0878b in memset () from /lib/tls/libc.so.6
#0  0xb7f0878b in memset () from /lib/tls/libc.so.6
No symbol table info available.
#1  0x08051328 in bufFromFd (fd=-1) at kudzu.c:587
	sbuf = {st_dev = 13257478449905010208, __pad1 = 1568, st_ino = 3086747168, st_mode = 135081096, st_nlink = 2, st_uid = 16, st_gid = 3086747168, 
  st_rdev = 13257478140667362400, __pad2 = 1, st_size = -1073744648, st_blksize = -1209005885, st_blocks = -1208220128, st_atim = {tv_sec = 5, tv_nsec = -1208222624}, 
  st_mtim = {tv_sec = -1208222624, tv_nsec = 135081048}, st_ctim = {tv_sec = -1073743608, tv_nsec = -1073744616}, __unused4 = 3085813524, __unused5 = 3221222720}
	buf = 0x0
	bytes = 0
	tmpbuf = "8����#���\221\004\by:<\a�\214\004\b���P\221��\003\000\000\000\210��\000\000\000\000\001\000\000\000���\000\000\000\000���`��\000\000\000\000y:<\ap���\000\220��\000\020\002\000�2\000\000�\037\r\b�\"\r\b\000\020\002\000\000\000\000\000`\026\v\b�\"\r\b", '\0' <repeats 16 times>, "\004\000\000\0008a\021\b\234a\021\b\233a\021\b\234a\021\b\001\000\000\000\000\000\000\000\000@\000\000\026Z��\234\221��\210��\001\000\000\000\000\000\000\000\001\000\000\000p����\b�\b@\000\000 \006�4\231\006\bl\000\000\000�\221"...
#2  0x08063f0d in firewireProbe (probeClass=CLASS_UNSPEC, probeFlags=1, devlist=0x80d2be0) at firewire.c:102
	path = "/sys/bus/ieee1394/devices/000048000003d0fc-0/model_name_kv\000\000 \006�`�� \006�\001\000\000\000�����\b� \006�\b\000\000\000`��\b\000\000\000�\212\006\b����\026m��+\r\b\000\000\000\000\b\000\000\000T\201\006\b\022\000\000\000�n\000\000�n\000\000\000\000\000\000\000\000\001", '\0' <repeats 13 times>, "\001", '\0' <repeats 31 times>, "�\000\000\000H&\r\be/\177\017�+\r\bH1440\000�?\000\000\000\000�%\r\b"...
	specifier_id = 0x8116d58 "0x00609e"
	version = 0x8117d60 "0x010483"
	dir = (DIR *) 0x8115d38
	entry = (struct dirent *) 0x8115d94
	fd = -1
	fwdev = (struct firewireDevice *) 0x80d2c58
	loaded_driver = 0
---

Expected Results:  No segfault.

Additional info:

Patch:

Index: firewire.c
===================================================================
RCS file: /usr/local/CVS/kudzu/firewire.c,v
retrieving revision 1.9
diff -b -u -r1.9 firewire.c
--- firewire.c	26 Aug 2004 08:04:15 -0000	1.9
+++ firewire.c	6 Apr 2005 13:31:21 -0000
@@ -98,7 +98,7 @@
 					fwdev->next = devlist;
 				snprintf(path,255,"/sys/bus/ieee1394/devices/%s/model_name_kv",entry->d_name);
 				fd = open(path, O_RDONLY);
-				if (fd) {
+				if (fd >= 0) {
 					fwdev->desc = bufFromFd(fd);
 					fwdev->desc[strlen(fwdev->desc) - 1] = '\0';
 				} else
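
Review bot: Inside the new "if (fd >= 0)" branch, the line "fwdev->desc[strlen(fwdev->desc) - 1] = '\0';" still uses the result of bufFromFd(fd) unchecked. If bufFromFd can return NULL, strlen dereferences it, and if model_name_kv is empty, strlen returns 0, the index underflows and the write lands outside the buffer. Suggest testing fwdev->desc for NULL first and stripping the last byte only when the length is non-zero and that byte is '\n'.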

Comment 1 Bill Nottingham 2005-04-06 17:14:23 UTC
Added in CVS, will be in the next build. Thanks!
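
The check this report describes, as an added example that is not part of the bug report or of kudzu's source: open() returns -1 on failure, which "if (fd)" treats as true, while descriptor 0 is valid but tests false. The helper read_attr(), the ATTR_MAX limit and the sample file name are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ATTR_MAX ((size_t)4096)  /* assumption: the attribute fits in one page */

/* The two conditions from the patch, isolated for comparison. */
int old_check(int fd) { return fd ? 1 : 0; }  /* if (fd): true for -1, false for 0 */
int new_check(int fd) { return fd >= 0; }     /* if (fd >= 0): matches open()'s contract */

/* Hypothetical helper, not kudzu's bufFromFd(): returns a malloc'd string
 * with one trailing newline removed, or NULL if the file cannot be read. */
char *read_attr(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)                    /* open() signals failure with -1 */
        return NULL;

    char *buf = malloc(ATTR_MAX);
    size_t len = 0;
    ssize_t n = 0;
    while (buf && len < ATTR_MAX - 1 &&
           (n = read(fd, buf + len, ATTR_MAX - 1 - len)) > 0)
        len += (size_t)n;
    close(fd);
    if (!buf || n < 0) {           /* allocation or read error */
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    if (len > 0 && buf[len - 1] == '\n')  /* empty file: nothing to strip */
        buf[len - 1] = '\0';
    return buf;
}

int main(void)
{
    const char *path = "model_name_kv.example";  /* constructed sample file */
    FILE *f = fopen(path, "w");
    if (!f) return 1;
    fputs("Example FireWire Disk\n", f);
    fclose(f);

    char *desc = read_attr(path);
    printf("old_check(-1)=%d new_check(-1)=%d desc=\"%s\"\n",
           old_check(-1), new_check(-1), desc ? desc : "(null)");
    free(desc);
    remove(path);
    return read_attr("/nonexistent/model_name_kv") == NULL ? 0 : 1;
}
```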