Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159418 - sfdisk unusable - crashes immediately on invocation
Summary: sfdisk unusable - crashes immediately on invocation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: util-linux
Version: 4.0
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
URL:
Whiteboard:
: 160284 (view as bug list)
Depends On:
Blocks: 156320 156322
TreeView+ depends on / blocked
 
Reported: 2005-06-02 15:17 UTC by Avi Kivity
Modified: 2007-11-30 22:07 UTC (History)
4 users (show)

Fixed In Version: RHBA-2005-669
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-05 16:53:49 UTC


Attachments (Terms of Use)
bug fix patch (deleted)
2005-07-11 20:39 UTC, Karel Zak
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:626 qe-ready SHIPPED_LIVE util-linux and mount bug fix update 2005-09-28 04:00:00 UTC
Red Hat Product Errata RHBA-2005:669 qe-ready SHIPPED_LIVE util-linux bug fix update 2005-10-05 04:00:00 UTC

Description Avi Kivity 2005-06-02 15:17:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)

Description of problem:
running sfdisk on a zeroed block device or file overflows some buffer or 
other: 
 
[root@nero ~]# dd < /dev/zero > empty count=50 
50+0 records in 
50+0 records out 
[root@nero ~]# sfdisk empty 
Warning: empty is not a block device 
Disk empty: cannot get geometry 
 
Disk empty: 0 cylinders, 0 heads, 0 sectors/track 
 
sfdisk: ERROR: sector 0 does not have an msdos signature 
 empty: unrecognized partition table type 
Old situation: 
No partitions found 
Input in the following format; absent fields get a default value. 
<start> <size> <type [E,S,L,X,hex]> <bootable [-,*]> <c,h,s> <c,h,s> 
Usually you only need to specify <start> and <size> (and perhaps <type>). 
 
   empty1 :*** buffer overflow detected ***: sfdisk terminated 
======= Backtrace: ========= 
/lib/i686/nosegneg/libc.so.6(__chk_fail+0x41)[0x85bb95] 
sfdisk[0x804c563] 
sfdisk[0x804d805] 
sfdisk[0x804eaba] 
/lib/i686/nosegneg/libc.so.6(__libc_start_main+0xc6)[0x78fde6] 
sfdisk[0x8048dc1] 
======= Memory map: ======== 
002d7000-002d8000 r-xp 002d7000 00:00 0 
00396000-0039f000 r-xp 00000000 fd:00 
9043979    /lib/libgcc_s-4.0.0-20050520.so.1 
0039f000-003a0000 rwxp 00009000 fd:00 
9043979    /lib/libgcc_s-4.0.0-20050520.so.1 
0075d000-00777000 r-xp 00000000 fd:00 9043970    /lib/ld-2.3.5.so 
00777000-00778000 r-xp 00019000 fd:00 9043970    /lib/ld-2.3.5.so 
00778000-00779000 rwxp 0001a000 fd:00 9043970    /lib/ld-2.3.5.so 
0077b000-008a2000 r-xp 00000000 fd:00 
9043985    /lib/i686/nosegneg/libc-2.3.5.so 
008a2000-008a4000 r-xp 00127000 fd:00 
9043985    /lib/i686/nosegneg/libc-2.3.5.so 
008a4000-008a6000 rwxp 00129000 fd:00 
9043985    /lib/i686/nosegneg/libc-2.3.5.so 
008a6000-008a8000 rwxp 008a6000 00:00 0 
08048000-08053000 r-xp 00000000 fd:00 15794347   /sbin/sfdisk 
08053000-08054000 rw-p 0000b000 fd:00 15794347   /sbin/sfdisk 
08054000-0805e000 rw-p 08054000 00:00 0 
0818a000-081ab000 rw-p 0818a000 00:00 0          [heap] 
b7dc4000-b7dca000 r--s 00000000 fd:00 
7471407    /usr/lib/gconv/gconv-modules.cache 
b7dca000-b7dcb000 rw-p b7dca000 00:00 0 
b7dcb000-b7fcb000 r--p 00000000 fd:00 
7413560    /usr/lib/locale/locale-archive 
b7fcb000-b7fcc000 rw-p b7fcb000 00:00 0 
b7fd4000-b7fd5000 rw-p b7fd4000 00:00 0 
bfd53000-bfed5000 rw-p bfd53000 00:00 0          [stack] 
Aborted 
 

Version-Release number of selected component (if applicable):
util-linux-2.12p-9.3

How reproducible:
Always

Steps to Reproduce:
1. create an empty file (using it as a loopback block device works as well) 
2. run sfdisk file (or sfdisk /dev/loop0) 
 
   

Actual Results:  crash 

Expected Results:  no crash  

Additional info:

Comment 1 Arjan van de Ven 2005-06-06 09:11:42 UTC
can you install the debuginfo of the package to get a more useful backtrace?

Comment 2 Avi Kivity 2005-06-06 11:03:56 UTC
it's a bit sparse due to optimization. the __chk_fail() is inside and inlined 
fgets(), which might have been called from read_stdin(): 
 
    /* read a line from stdin */ 
    lp = fgets(line+2, linesize, stdin);  
 
shouldn't that be linesize-2? 
 
#0  0x00aef402 in __kernel_vsyscall () 
#1  0x007a31fc in raise () from /lib/libc.so.6 
#2  0x007a4958 in abort () from /lib/libc.so.6 
#3  0x007d82ea in __libc_message () from /lib/libc.so.6 
#4  0x00859415 in __chk_fail () from /lib/libc.so.6 
#5  0x0804c563 in read_partition (dev=0xbfa53c24 "/tmp/empty", interactive=1, 
pno=0, ep=0x0, z=0x80587c0) 
    at /usr/include/bits/stdio2.h:106 
#6  0x0804d805 in do_fdisk (dev=0xbfa53c24 "/tmp/empty") at sfdisk.c:2287 
#7  0x0804eaba in main (argc=2, argv=0xbfa51e24) at sfdisk.c:2685 
#8  0x0078fde6 in __libc_start_main () from /lib/libc.so.6 
#9  0x08048dc1 in _start () 
 

Comment 3 Avi Kivity 2005-06-06 11:09:21 UTC
changed summary and severity, this is unrelated to the mbr. 
 
sfdisk /dev/sda crashes just as well. 

Comment 4 Karel Zak 2005-06-06 12:21:01 UTC
I can reproduce it in FC4. But if I rebuild same .src.rpm in FC3 it doens't crash.

  FC4: crashes     (glibc-2.3.5-9)
  FC3: works file  (glibc-2.3.5-0.fc3.1, gcc-3.4.3-22.fc3)


Comment 5 Karel Zak 2005-06-06 12:25:28 UTC
Note: sfdisk binary compiled by gcc-3.4 works file on FC4.

Comment 6 Avi Kivity 2005-06-06 12:30:07 UTC
it's the new gcc/glibc guard thing which traps overflows. AFAICT this is a 
real buffer overflow. 

Comment 7 Karel Zak 2005-06-06 12:37:17 UTC
I see it now. It's really ugly code. I have to read your report more carefully
next time. Thanks for report!

Comment 8 Karel Zak 2005-06-15 10:54:47 UTC
*** Bug 160284 has been marked as a duplicate of this bug. ***

Comment 9 Avi Kivity 2005-06-15 12:44:02 UTC
is this being worked on? I can (try to) produce a patch if necessary. 

Comment 10 Karel Zak 2005-06-15 13:20:29 UTC
The patch is pretty simple and it will be available in the next util-linux
update as soon as possible (this week).

Comment 12 Karel Zak 2005-06-17 09:26:04 UTC
Fixed in FC4 (util-linux-2.12p-9.5) and FC3 (util-linux-2.12a-24.3) updates.

Comment 13 Avi Kivity 2005-06-19 15:14:31 UTC
verified. 

Comment 17 Karel Zak 2005-07-11 20:39:00 UTC
Created attachment 116622 [details]
bug fix patch

Comment 20 Henrik Nordstrom 2005-08-30 22:40:02 UTC
Is RHEL 3 using the gcc based buffer overflow protections (mudflap) enabled by
default on FC4 packages? It is not enabled on FC3 packages I think.

The error will go unnoticed if this option is not enabled in the compiler flags
when the binary was build as without the overflow protection instrumentation the
potential misuse of the input buffer is not noticed. The actual error as such is
mostly harmless as sfdisk is rarely given untrusted data as input.

It is also possible (but not very likely) the error only shows up in later
versions of sfdisk. The original report was on util-linux-2.12p-9.3 while you
tested util-linux-2.11y-31.6.

Comment 21 Henrik Nordstrom 2005-08-30 22:49:39 UTC
Oops, wrong reference. It's the glibc FORTIFY_SOURCE protection triggering here,
not mudflap. (-D_FORTIFY_SOURCE=2 compiler option).

Comment 22 Karel Zak 2005-08-31 09:32:51 UTC
Yes, the original buffer overflow was detected in FC4 by new glibc. But the code
with bug in sfdisk is __same__ in FC4 and RHEL3|4. So the fix of this code in
RHEL is really good prevension.

It's really clear and pretty visible. See the patch:

  -    lp = fgets(line+2, linesize, stdin);
  +    lp = fgets(line+2, linesize-2, stdin);

See also "QE ack" comment #16. I can show you this buffer overflow by gdb, but
it's extra work if we already know that the bug is there.

Comment 25 Red Hat Bugzilla 2005-09-28 15:55:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-626.html


Comment 26 Red Hat Bugzilla 2005-10-05 16:53:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-669.html



Note You need to log in before you can comment on or make changes to this bug.