Bug 596264 - Segfault when decoding DMI data in dmi_processor_id()
Summary: Segfault when decoding DMI data in dmi_processor_id()
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: python-dmidecode
Version: 5.5
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: rc
: ---
Assignee: Roman Rakus
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On: 583867
Blocks: 596133 621146 621837
Reported: 2010-05-26 13:36 UTC by David Sommerseth
Modified: 2018-11-14 17:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 583867
: 621146 627901 (view as bug list)
Environment:
Last Closed: 2013-09-23 11:19:09 UTC
Target Upstream Version:


Attachments
Patch fixing the SEGV issue (deleted), 2010-05-26 13:58 UTC, David Sommerseth
strace of command (deleted), 2010-08-31 13:27 UTC, Jan Ščotka
Patches fixing dmi_string() NULL issues (deleted), 2011-01-06 15:53 UTC, David Sommerseth

Comment 1 David Sommerseth 2010-05-26 13:58:13 UTC
Created attachment 416844 [details]
Patch fixing the SEGV issue

Comment 2 David Sommerseth 2010-05-26 14:00:47 UTC
The attached patch is sent upstream for inclusion.  Will expect an answer in a couple of days.  A new python-dmidecode version is expected to land shortly afterwards.

Comment 11 Jan Ščotka 2010-08-31 13:27:56 UTC
Created attachment 442185 [details]
strace of command

Hi,
it is the same as the bug in RHEL5
https://bugzilla.redhat.com/show_bug.cgi?id=596264
The problem is probably somewhere in python-dmidecode.

When it causes the segmentation fault:
# rpm -qa python-dmidecode
python-dmidecode-3.10.12-1.el6.x86_64

I used the DMI binary dump file from the bug above.
The last few lines from strace:
_____________________________________________
fstat(4, {st_mode=S_IFREG|0755, st_size=185072, ...}) = 0
open("/usr/lib64/python2.6/site-packages/dmidecodemod.so", O_RDONLY) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\321\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0755, st_size=185072, ...}) = 0
mmap(NULL, 2280264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7f811426f000
mprotect(0x7f8114298000, 2097152, PROT_NONE) = 0
mmap(0x7f8114498000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0x29000) = 0x7f8114498000
close(5)                                = 0
open("/sys/firmware/efi/systab", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/efi/systab", O_RDONLY)      = -1 ENOENT (No such file or directory)
open("/dev/mem", O_RDONLY)              = 5
mmap(NULL, 65536, PROT_READ, MAP_SHARED, 5, 0xf0000) = 0x7f811bb06000
munmap(0x7f811bb06000, 65536)           = 0
close(5)                                = 0
close(4)                                = 0
close(3)                                = 0
stat("dmi.dmp", {st_mode=S_IFREG|0664, st_size=1755, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
stat("/usr/share/python-dmidecode/pymap.xml", {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
open("/usr/share/python-dmidecode/pymap.xml", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=49051, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f811bb15000
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 16384) = 16384
lseek(3, 0, SEEK_CUR)                   = 16384
lseek(3, 0, SEEK_SET)                   = 0
read(3, "<?xml version=\"1.0\" encoding=\"UT"..., 4096) = 4096
read(3, "ze\"/>\n      </Map>\n    </TypeMap"..., 4096) = 4096
read(3, "luetype=\"dict\">\n          <Map k"..., 4096) = 4096
read(3, "mory Module Size\"\n              "..., 4096) = 4096
read(3, "     <Map keytype=\"constant\" key"..., 4096) = 4096
brk(0x2350000)                          = 0x2350000
read(3, "nabled\"     valuetype=\"boolean\" "..., 4096) = 4096
read(3, "stant\" key=\"Data Start Offset\" v"..., 4096) = 4096
brk(0x2371000)                          = 0x2371000
read(3, "e=\"dict\">\n        <Map keytype=\""..., 4096) = 4096
read(3, "ct\">\n          <Map keytype=\"con"..., 4096) = 4096
read(3, "      valuetype=\"string\" value=\""..., 4096) = 4096
brk(0x2392000)                          = 0x2392000
read(3, "ing\" value=\"Description\"/>\n     "..., 4096) = 4096
read(3, "ement Device Threshold Data -->\n"..., 4096) = 3995
brk(0x23b3000)                          = 0x23b3000
read(3, "", 4096)                       = 0
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f811bb15000, 4096)            = 0
access("dmi.dmp", R_OK)                 = 0
open("dmi.dmp", O_RDONLY)               = 3
mmap(NULL, 32, PROT_READ, MAP_SHARED, 3, 0) = 0x7f811bb15000
munmap(0x7f811bb15000, 32)              = 0
close(3)                                = 0
open("dmi.dmp", O_RDONLY)               = 3
mmap(NULL, 1755, PROT_READ, MAP_SHARED, 3, 0) = 0x7f811bb15000
munmap(0x7f811bb15000, 1755)            = 0
close(3)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++

Comment 21 David Sommerseth 2011-01-06 15:53:37 UTC
Created attachment 472083 [details]
Patches fixing dmi_string() NULL issues

This is a new patch, which should solve the NULL issues we've seen related to dmi_string() in a much better way.

This patch includes the patch found in attachment #416844 [details] and a different solution for the attachment #471968 [details].

-----------------------------------------------------------------------
commit 7253bbeed7f6d00bd796019d79dc1fe0a805fa8e
Author: David Sommerseth <davids@redhat.com>
Date:   Wed May 26 15:39:19 2010 +0200

    Fixed an issue causing SEGV on some hardware when dmi_processor_id() is called
    
    The dmi_processor_id() function did not check the char *version pointer if it
    was NULL before doing strcmp().  On some hardware, *version will be NULL.


commit 10a2d8bd43934966dd842fd8f401f0d679d0d66a
Author: David Sommerseth <davids@redhat.com>
Date:   Thu Jan 6 13:44:25 2011 +0100

    Implemented dmixml_AddDMIstring()
    
    This function can be used instead of dmi_string() and
    dmixml_AddTextChild().  In those cases where dmi_string() returns
    NULL, this situation is handled more gracefully.  In addition,
    "not specified" situations are handled better as well.
    
    Signed-off-by: David Sommerseth <davids@redhat.com>


commit 734d025ce6503851447f5a3dd08b107425f8b515
Author: David Sommerseth <davids@redhat.com>
Date:   Thu Jan 6 13:47:42 2011 +0100

    Make use of dmixml_AddDMIstring() where possible
    
    This modifies the core DMI decoding to make use of the new
    dmixml_AddDMIstring() function instead of the older, more error prone
    approach of dmi_string() and dmixml_AddTextChild().
    
    Signed-off-by: David Sommerseth <davids@redhat.com>


commit d6987c53d3648d85e410ef81a343867e239eb960
Author: David Sommerseth <davids@redhat.com>
Date:   Thu Jan 6 15:56:24 2011 +0100

    Harden dmi_string() calls with better NULL checks
    
    This patch fixes more potential issues where dmi_string() results
    were not necessarily checked for NULL, which potentially could lead
    to SEGV issues.
    
    Signed-off-by: David Sommerseth <davids@redhat.com>
-----------------------------------------------------------------------

All these patches are sent upstream and commit 7253bbeed7f6d00bd796019d79dc1fe0a805fa8e is already accepted and can be found in python-dmidecode-3.10.13.
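
The failure mode named in the commit messages above, shown as an added example that is not part of this bug report and is not python-dmidecode's code: a string lookup that can return NULL for a firmware record, and a comparison that tests the pointer before strcmp(). The names smbios_string(), version_is() and check_version() are hypothetical, and the byte arrays are constructed records, not the dmi.dmp from this bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical lookup (not the project's dmi_string()): string number idx from
 * the string-set after the formatted area, or NULL if absent or unterminated. */
static const char *smbios_string(const uint8_t *rec, size_t len, uint8_t idx)
{
    if (len < 4 || rec[1] < 4 || rec[1] >= len || idx == 0)
        return NULL;
    size_t pos = rec[1];              /* rec[1] = length of formatted area */
    for (unsigned n = 1; pos < len && rec[pos] != '\0'; n++) {
        const uint8_t *end = memchr(rec + pos, '\0', len - pos);
        if (end == NULL)
            return NULL;
        if (n == idx)
            return (const char *)(rec + pos);
        pos = (size_t)(end - rec) + 1;
    }
    return NULL;
}

/* Guarded comparison: 1 = match, 0 = mismatch, -1 = no string to compare.
 * Without the NULL test, strcmp(NULL, ...) dereferences a null pointer. */
static int version_is(const char *version, const char *expected)
{
    if (version == NULL)
        return -1;
    return strcmp(version, expected) == 0;
}

/* Constructed records: type 4, length 5, handle 1, string index at offset 4. */
static const uint8_t REC_OK[]        = { 4, 5, 1, 0, 1, 'A', 'M', 'D', 0, 0 };
static const uint8_t REC_BAD_INDEX[] = { 4, 5, 1, 0, 2, 'A', 'M', 'D', 0, 0 };
static const uint8_t REC_NO_STRING[] = { 4, 5, 1, 0, 1, 0, 0 };
static const uint8_t REC_TRUNCATED[] = { 4, 5, 1, 0, 1, 'A', 'M' };

static int check_version(const uint8_t *rec, size_t len, const char *expected)
{
    return len < 5 ? -1 : version_is(smbios_string(rec, len, rec[4]), expected);
}

int main(void)
{
    printf("%d %d %d %d\n", check_version(REC_OK, sizeof REC_OK, "AMD"),
           check_version(REC_BAD_INDEX, sizeof REC_BAD_INDEX, "AMD"),
           check_version(REC_NO_STRING, sizeof REC_NO_STRING, "AMD"),
           check_version(REC_TRUNCATED, sizeof REC_TRUNCATED, "AMD"));
    return 0;
}
```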

