[PATCH] avoid read_string() for non-terminated buf.

Hi Dave,

I ran into stack smashing detection by glibc at read_string(),
so this patch is a proposal.

*** stack smashing detected ***: crash terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4c)[0xfe12380]
/lib/libc.so.6(__fortify_fail+0x0)[0xfe12334]
./crash[0x10147bf0]
./crash(display_sys_stats+0xcf8)[0x1011cd74]
./crash(main_loop+0x300)[0x10068960]
./crash(current_interp_command_loop+0x48)[0x1021ac2c]
./crash[0x1021bcc4]
./crash(catch_errors+0x84)[0x1021a0c4]
./crash[0x1021d37c]
./crash(catch_errors+0x84)[0x1021a0c4]
./crash(gdb_main+0x58)[0x1021d3e8]
./crash(gdb_main_entry+0x6c)[0x1021d490]
./crash(gdb_main_loop+0x3b4)[0x10130e5c]
./crash(main+0x38c0)[0x10068650]
/lib/libc.so.6(+0x1f568)[0xfd36568]
/lib/libc.so.6(+0x1f728)[0xfd36728]

A failed vmalloc() read that is not terminated with NULLCHAR is the root cause,
but I think it is better to keep the other utilities from being killed.

Thanks,
Toshi

Date: Thu, 15 Mar 2012 11:50:18 +0900
Subject: [PATCH] Avoid libc possible stack smashing detection at read_string()

Skip strcpy() in read_string() if count_buffer_chars() returns 0.

Even though the vmalloc'd address translation cannot work well,
readmem() seemed to succeed with invalid data at read_string().
After that, libc's __stack_chk_fail() detects stack smashing caused by
strcpy(buf, strbuf) without NULLCHAR at read_string().

*** stack smashing detected ***: crash terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4c)[0xfe12380]
/lib/libc.so.6(__fortify_fail+0x0)[0xfe12334]
./crash[0x10147bf0]
./crash(display_sys_stats+0xcf8)[0x1011cd74]
./crash(main_loop+0x300)[0x10068960]
./crash(current_interp_command_loop+0x48)[0x1021ac2c]
./crash[0x1021bcc4]
./crash(catch_errors+0x84)[0x1021a0c4]
./crash[0x1021d37c]
./crash(catch_errors+0x84)[0x1021a0c4]
./crash(gdb_main+0x58)[0x1021d3e8]
./crash(gdb_main_entry+0x6c)[0x1021d490]
./crash(gdb_main_loop+0x3b4)[0x10130e5c]
./crash(main+0x38c0)[0x10068650]
/lib/libc.so.6(+0x1f568)[0xfd36568]
/lib/libc.so.6(+0x1f728)[0xfd36728]

Signed-off-by: Toshikazu Nakayama <nakayama.ts@xxxxxxxxxxxxxx>
---
 memory.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/memory.c b/memory.c
index 4ed8119..eaff155 100755
--- a/memory.c
+++ b/memory.c
@@ -11242,7 +11242,7 @@ read_string(ulong kvaddr, char *buf, int maxlen)
 	char strbuf[MIN_PAGE_SIZE];
         ulong kp;
 	char *bufptr;
-	long cnt, size;
+	long cnt, size, found;
 
         BZERO(buf, maxlen);
 	BZERO(strbuf, MIN_PAGE_SIZE);
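Review bot: `found` is declared as `long` to hold the value returned by count_buffer_chars(); worth confirming that this matches that function's return type so the assignment inside the loop condition does not silently narrow or widen. Initializing it at the declaration (`long cnt, size, found = 0;`) would also keep the initializer next to the declaration instead of as a separate statement.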
@@ -11250,6 +11250,7 @@ read_string(ulong kvaddr, char *buf, int maxlen)
 	kp = kvaddr;
 	bufptr = strbuf;
 	size = maxlen;
+	found = 0;
 
 	while (size > 0) {
         	cnt = MIN_PAGE_SIZE - (kp & (MIN_PAGE_SIZE-1)); 
@@ -11261,13 +11262,15 @@ read_string(ulong kvaddr, char *buf, int maxlen)
                     "readstring characters", QUIET|RETURN_ON_ERROR))
                         break;
 
-		if (count_buffer_chars(bufptr, NULLCHAR, cnt))
+		if ((found = count_buffer_chars(bufptr, NULLCHAR, cnt)))
 			break;
 
                 kp += cnt;
                 bufptr += cnt;
                 size -= cnt;
 	}
+	if (found == 0)
+		return 0;
 
 	strcpy(buf, strbuf);
 	return (strlen(buf));
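Review bot: the `if (found == 0) return 0;` guard catches both ways the loop can finish without seeing a NULLCHAR, the `break` after a failed readmem() and `size` reaching 0 after maxlen bytes of unterminated data, and in both cases buf stays as BZERO() left it, so callers now get an empty string and a 0 return; the commit message should say that the readmem()-failure path changes behaviour too, since before this patch it fell through to the strcpy() as well. The remaining `strcpy(buf, strbuf)` is safe only because `found != 0` guarantees a NULLCHAR inside the bytes read, which total at most maxlen; a bounded copy such as `strncpy(buf, strbuf, maxlen - 1)` would make that invariant explicit in the code rather than implicit in the loop.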
-- 
1.7.0.4

--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
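The failure described in this thread, a page-by-page read that never sees a NULLCHAR followed by an unbounded strcpy(), is easy to reproduce in miniature. The following is an added example written for this page, not code from the crash utility or from the patch above: a constructed in-process "kernel memory" image stands in for readmem(), `PAGE` and `STRBUF_SIZE` stand in for MIN_PAGE_SIZE, and the names `mock_readmem()`, `count_nul()`, `read_string_guarded()` and `probe()` are hypothetical. It models the patched loop and shows the three outcomes a caller can see: a string found within one page, a string found across a page boundary, and the unterminated or unreadable cases that now return 0 with an empty buffer instead of copying garbage.

```c
/*
 * Added example (not part of the crash utility or of this patch): a
 * self-contained model of the patched read_string() loop. A constructed
 * memory image replaces readmem(); the helper names are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define PAGE        16   /* stands in for MIN_PAGE_SIZE, kept small */
#define MEM_SIZE    64   /* size of the constructed memory image */
#define STRBUF_SIZE 64   /* scratch buffer; covers any maxlen used here */

/* Constructed "kernel memory": a terminated string in page 0, a string that
 * crosses from page 1 into page 2, and nonzero filler with no NUL after it
 * (the failed-vmalloc case from the thread). */
static unsigned char mem[MEM_SIZE];
static int mem_ready = 0;

static void init_mem(void) {
    memset(mem, 'x', sizeof mem);                 /* nonzero filler, no NULs */
    memcpy(mem, "hello, world", 13);              /* NUL lands at mem[12] */
    memcpy(mem + 16, "page-crossing string", 21); /* NUL lands at mem[36] */
    mem_ready = 1;
}

/* Mock readmem(): copy cnt bytes at kvaddr into dst; fail if out of range. */
static int mock_readmem(unsigned long kvaddr, void *dst, size_t cnt) {
    if (!mem_ready)
        init_mem();
    if (kvaddr + cnt > MEM_SIZE)
        return 0;
    memcpy(dst, mem + kvaddr, cnt);
    return 1;
}

/* Like count_buffer_chars(): occurrences of c in the first n bytes of p. */
static long count_nul(const char *p, int c, long n) {
    long hits = 0;
    for (long i = 0; i < n; i++)
        if (p[i] == c)
            hits++;
    return hits;
}

/* Mirrors the patched read_string(): read page by page until a NUL is seen
 * or maxlen bytes are consumed. If no NUL was found, return 0 and leave buf
 * zeroed instead of strcpy()ing an unterminated strbuf into it. */
long read_string_guarded(unsigned long kvaddr, char *buf, int maxlen) {
    char strbuf[STRBUF_SIZE];
    unsigned long kp = kvaddr;
    char *bufptr = strbuf;
    long cnt, size = maxlen, found = 0;

    if (size > STRBUF_SIZE)          /* keep strbuf itself in bounds */
        size = STRBUF_SIZE;
    memset(buf, 0, maxlen);
    memset(strbuf, 0, sizeof strbuf);

    while (size > 0) {
        cnt = PAGE - (kp & (PAGE - 1));   /* bytes left in this page */
        if (cnt > size)
            cnt = size;
        if (!mock_readmem(kp, bufptr, cnt))
            break;                        /* read failed: found stays 0 */
        if ((found = count_nul(bufptr, '\0', cnt)))
            break;                        /* terminator seen in this chunk */
        kp += cnt;
        bufptr += cnt;
        size -= cnt;
    }
    if (found == 0)
        return 0;                         /* the guard this patch adds */
    strcpy(buf, strbuf);                  /* safe: NUL lies within maxlen bytes */
    return (long)strlen(buf);
}

/* Read from kvaddr and compare with the expected string; returns the length
 * on a match and -1 on a mismatch, so one call checks both results. */
long probe(unsigned long kvaddr, int maxlen, const char *expect) {
    char buf[STRBUF_SIZE];
    long n = read_string_guarded(kvaddr, buf, maxlen);
    return strcmp(buf, expect) == 0 ? n : -1;
}

int main(void) {
    printf("in-page:        %ld\n", probe(0, 32, "hello, world"));   /* 12 */
    printf("cross-page:     %ld\n", probe(24, 32, "ssing string"));  /* 12 */
    printf("no terminator:  %ld\n", probe(40, 24, ""));              /* 0 */
    printf("read failure:   %ld\n", probe(56, 24, ""));              /* 0 */
    return 0;
}
```

The "no terminator" read starts at offset 40 and consumes 24 bytes of filler across two pages without ever seeing a NUL; the "read failure" read starts at 56 and runs past the end of the image on its second iteration. Before the guard, both would reach the strcpy() with whatever the scratch buffer held, which is exactly the path that tripped glibc's stack protector in the backtrace above.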