Bug 160284 - buffer overflows in sfdisk
Summary: buffer overflows in sfdisk
Keywords:
Status: CLOSED DUPLICATE of bug 159418
Alias: None
Product: Fedora
Classification: Fedora
Component: util-linux
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-06-14 04:17 UTC by Alexandre Oliva
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-15 10:54:43 UTC


Attachments:
sfdisk dump/input file (deleted), 2005-06-14 04:17 UTC, Alexandre Oliva

Description Alexandre Oliva 2005-06-14 04:17:17 UTC
Description of problem:
The attached file will cause sfdisk to trigger the buffer overflow detection
with the following two command lines:

% sfdisk /tmp/hda.sfdisk  # oops, typo, missing a `<', but it exposed a bug
Warning: /tmp/hda.sfdisk is not a block device
Disk /tmp/hda.sfdisk: cannot get geometry

Disk /tmp/hda.sfdisk: 0 cylinders, 0 heads, 0 sectors/track

sfdisk: ERROR: sector 0 does not have an msdos signature
 /tmp/hda.sfdisk: unrecognized partition table type
Old situation:
No partitions found
Input in the following format; absent fields get a default value.
<start> <size> <type [E,S,L,X,hex]> <bootable [-,*]> <c,h,s> <c,h,s>
Usually you only need to specify <start> and <size> (and perhaps <type>).

/tmp/hda.sfdisk1 :*** buffer overflow detected ***: sfdisk terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x79a565]
sfdisk[0x804c563]
sfdisk[0x804d805]
sfdisk[0x804eaba]
/lib/libc.so.6(__libc_start_main+0xc6)[0x6d0de6]
sfdisk[0x8048dc1]
======= Memory map: ========
Aborted


% sfdisk /dev/hda < /tmp/hda.sfdisk  # this is right, but it also exposes a bug

Disk /dev/hda: 116280 cylinders, 16 heads, 63 sectors/track
Warning: extended partition does not start at a cylinder boundary.
DOS and Linux will interpret the contents differently.
Old situation:
Warning: The partition table looks like it was made
  for C/H/S=*/255/63 (instead of 116280/16/63).
For this listing I'll assume that geometry.
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/hda1          0+     61      62-    497983+  84  OS/2 hidden C: drive
/dev/hda2         68     828     761    6112732+   b  W95 FAT32
/dev/hda3   *    829    1009     181    1453882+   6  FAT16
/dev/hda4       1010    7295    6286   50492295    f  W95 Ext'd (LBA)
/dev/hda5   *   1010+   1022      13-    104391   83  Linux
/dev/hda6       1023+   1035      13-    104391   83  Linux
/dev/hda7       1036+   1097      62-    497983+  82  Linux swap / Solaris
/dev/hda8       1098+   3163    2066-  16595113+  8e  Linux LVM
/dev/hda9       3164+   5229    2066-  16595113+  8e  Linux LVM
/dev/hda10      5230+   7295    2066-  16595113+  8e  Linux LVM
*** buffer overflow detected ***: sfdisk terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x79a565]
sfdisk[0x804c563]
sfdisk[0x804d805]
sfdisk[0x804eaba]
/lib/libc.so.6(__libc_start_main+0xc6)[0x6d0de6]
sfdisk[0x8048dc1]
======= Memory map: ========
Aborted



Version-Release number of selected component (if applicable):
util-linux-2.12p-9.3


How reproducible:
Every time
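As an added illustration, not sfdisk's code and not part of the report: the class of defect that the glibc FORTIFY_SOURCE check (`__chk_fail` in the backtrace above) aborts on, a fixed-size name buffer filled by an unbounded formatter, shown next to a bounded form that refuses oversized input instead. The buffer size, the function names and the assumption that a partition name is built from a device path plus a partition number are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration (not sfdisk's code): names such as "/dev/hda1"
 * are formed by appending a partition number to a device path.  The
 * "*** buffer overflow detected ***" abort in the report is what glibc's
 * _FORTIFY_SOURCE checks produce when a fixed-size buffer is overrun. */
#define PARTNAME_MAX 80

#ifdef SHOW_OVERFLOW
/* Unsafe pattern, kept out of the normal build: no bound on the path.
 * Compiled with -O2 -D_FORTIFY_SOURCE=2, glibc routes this sprintf through
 * __sprintf_chk, which calls __chk_fail and aborts, as seen above, when the
 * formatted name would not fit in buf. */
static const char *partname_unsafe(const char *dev, unsigned pno) {
    static char buf[PARTNAME_MAX];
    sprintf(buf, "%s%u", dev, pno);
    return buf;
}
#endif

/* Hardened form: bounded formatting plus an explicit truncation check.
 * Returns 0 on success and -1 when the name does not fit, so the caller can
 * report the oversized path rather than depend on a runtime abort. */
int partname_safe(char *out, size_t outsz, const char *dev, unsigned pno) {
    int n = snprintf(out, outsz, "%s%u", dev, pno);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';   /* never leave a partial name behind */
        return -1;
    }
    return 0;
}

/* Returns 1 when dev leaves room for a two-digit partition suffix. */
int partname_fits(const char *dev) {
    char tmp[PARTNAME_MAX];
    return partname_safe(tmp, sizeof tmp, dev, 99) == 0;
}

int main(void) {
    char name[PARTNAME_MAX];
    /* Constructed inputs modelled on the two invocations in the report. */
    const char *devs[] = { "/dev/hda", "/tmp/hda.sfdisk" };
    for (size_t i = 0; i < 2; i++)
        if (partname_safe(name, sizeof name, devs[i], 1) == 0)
            printf("%s\n", name);
    /* A constructed over-long path is refused instead of overrunning name. */
    char longdev[200];
    memset(longdev, 'a', sizeof longdev - 1);
    longdev[sizeof longdev - 1] = '\0';
    printf("long path fits: %d\n", partname_fits(longdev));
    return 0;
}
```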

Comment 1 Alexandre Oliva 2005-06-14 04:17:17 UTC
Created attachment 115386 [details]
sfdisk dump/input file

Comment 2 Karel Zak 2005-06-15 10:54:43 UTC

*** This bug has been marked as a duplicate of 159418 ***

