Bug 157773 - mklost+found crashes with buffer overflow
Summary: mklost+found crashes with buffer overflow
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: e2fsprogs
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-05-15 06:23 UTC by Russell Coker
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-11-10 18:32:33 UTC



Description Russell Coker 2005-05-15 06:23:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
# mklost+found
mklost+found 1.37 (21-Mar-2005)
*** buffer overflow detected ***: mklost+found terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x83b345]
/lib/libc.so.6(__vsprintf_chk+0x0)[0x83ac10]
/lib/libc.so.6(_IO_default_xsputn+0x97)[0x7bd918]
/lib/libc.so.6(_IO_vfprintf+0x1b05)[0x799877]
/lib/libc.so.6(__vsprintf_chk+0xa1)[0x83acb1]
/lib/libc.so.6(__sprintf_chk+0x30)[0x83ac04]
mklost+found[0x804880f]
/lib/libc.so.6(__libc_start_main+0xc6)[0x771de6]
mklost+found[0x8048691]
======= Memory map: ========
Aborted 
 

Version-Release number of selected component (if applicable):
1.37-3

How reproducible:
Couldn't Reproduce

Steps to Reproduce:
I couldn't reproduce it; presumably it changed something on the first run that prevented it from reproducing.

The test was run on known good hardware (an IBM desktop P3-800 machine which passes memtest86 tests) with a clean FC4T3 install.

Additional info:

Comment 1 Arjan van de Ven 2005-08-22 10:00:49 UTC
someone forgot to count a terminating null character :)

--- e2fsprogs-1.37/misc/mklost+found.c~ 2005-08-22 12:00:11.492666288 +0200
+++ e2fsprogs-1.37/misc/mklost+found.c  2005-08-22 12:00:11.492666288 +0200
@@ -55,9 +55,9 @@ int main (int argc, char ** argv)
        }

        i = 0;
-       memset (name, 'x', 252);
+       memset (name, 'x', 251);
        do {
-               sprintf (name + 252, "%02d", i);
+               sprintf (name + 251, "%02d", i);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
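Review bot: the hunk moves the write one byte earlier (252 to 251) but keeps the format at `%02d`, so the extra byte only helps while `i` stays below 100; once `i` reaches three digits, `%02d` still emits three characters plus the terminator and the saved byte is used up again. The `do` loop's exit condition (visible in the second hunk) depends on `st.st_size`, not on `i`, so nothing in the patch rules that out. Consider `%03d`, or better an explicit bound such as `snprintf(name + 251, sizeof(name) - 251, "%03d", i)` (assuming `name` is a fixed-size array declared in this function), so the compiler rather than the reader does the arithmetic.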
@@ -73,7 +73,7 @@ int main (int argc, char ** argv)
                }
        } while (st.st_size <= (EXT2_NDIR_BLOCKS - 1) * st.st_blksize);
        for (j = 0; j < i; j++) {
-               sprintf (name + 252, "%02d", j);
+               sprintf (name + 251, "%02d", j);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
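Review bot: same `%02d` concern as in the first hunk, since this loop replays the names for every `j < i`. Style point: after this patch the literal 251 appears three times (the `memset` and both `sprintf` calls) and all three must agree with the size of `name` for the fix to hold; a single named constant derived from the size of `name` would keep them in step and document why 251 is the right number.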


Comment 2 Arjan van de Ven 2005-08-22 10:07:48 UTC
better fix:

--- e2fsprogs-1.37/misc/mklost+found.c.org      2005-08-22 12:07:27.674991551 +0200
+++ e2fsprogs-1.37/misc/mklost+found.c  2005-08-22 12:07:39.313586038 +0200
@@ -55,9 +55,9 @@ int main (int argc, char ** argv)
        }

        i = 0;
-       memset (name, 'x', 252);
+       memset (name, 'x', 251);
        do {
-               sprintf (name + 252, "%02d", i);
+               sprintf (name + 251, "%03d", i);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
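Review bot: `%03d` is the right change here: with the offset at 251, three digits plus the terminator occupy exactly four bytes, and every generated name now has the same length regardless of `i`, so the write no longer grows as the counter crosses 99. Two things still worth tightening in this hunk: `i` has no explicit upper bound (the loop exits on `st.st_size`), so a guard such as `if (i > 999) break;` would make the assumption behind `%03d` visible; and the `strcpy`/`strcat` sequence building `path` from `LPF` and `name` is unbounded as well, where a single `snprintf(path, sizeof(path), "%s/%s", LPF, name)` (assuming `path` is an array in scope) would replace three unchecked copies with one checked one.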
@@ -73,7 +73,7 @@ int main (int argc, char ** argv)
                }
        } while (st.st_size <= (EXT2_NDIR_BLOCKS - 1) * st.st_blksize);
        for (j = 0; j < i; j++) {
-               sprintf (name + 252, "%02d", j);
+               sprintf (name + 251, "%03d", j);
                strcpy (path, LPF);
                strcat (path, "/");
                strcat (path, name);
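Review bot: this loop regenerates the same names as the creation loop, so offset and format have to be edited in lockstep in two places, as both versions of this patch show. Factoring the name construction into a small helper (for example `make_name(name, sizeof(name), k)`, called from both loops) would leave one place to get the arithmetic right and make the second `strcpy`/`strcat` sequence a candidate for the same `snprintf` treatment.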


Comment 3 Thomas Woerner 2005-11-10 18:32:33 UTC
Fixed in rawhide in rpm e2fsprogs-1.38-2.1 or newer.

