Hi Dave,

I hit glibc's stack smashing detection at read_string(), so this patch is a proposal.

*** stack smashing detected ***: crash terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4c)[0xfe12380]
/lib/libc.so.6(__fortify_fail+0x0)[0xfe12334]
./crash[0x10147bf0]
./crash(display_sys_stats+0xcf8)[0x1011cd74]
./crash(main_loop+0x300)[0x10068960]
./crash(current_interp_command_loop+0x48)[0x1021ac2c]
./crash[0x1021bcc4]
./crash(catch_errors+0x84)[0x1021a0c4]
./crash[0x1021d37c]
./crash(catch_errors+0x84)[0x1021a0c4]
./crash(gdb_main+0x58)[0x1021d3e8]
./crash(gdb_main_entry+0x6c)[0x1021d490]
./crash(gdb_main_loop+0x3b4)[0x10130e5c]
./crash(main+0x38c0)[0x10068650]
/lib/libc.so.6(+0x1f568)[0xfd36568]
/lib/libc.so.6(+0x1f728)[0xfd36728]

A failed vmalloc() read, containing data not terminated with NULLCHAR, is the root cause, but I think it is better to keep the other utilities from being killed.

Thanks,
Toshi
Date: Thu, 15 Mar 2012 11:50:18 +0900 Subject: [PATCH] Avoid libc possible stack smashing detection at read_string() Skip strcpy() in read_string() if count_buffer_chars() return 0. Even though vmalloc'd address translation can not work well, readmem() seemed to succeed with invalid data at read_string(). After that, libc's __stack_chk_fail() detects stack smashing cause of strcpy(buf, strbuf) without NULLCHAR at read_string(). *** stack smashing detected ***: crash terminated ======= Backtrace: ========= /lib/libc.so.6(__fortify_fail+0x4c)[0xfe12380] /lib/libc.so.6(__fortify_fail+0x0)[0xfe12334] ./crash[0x10147bf0] ./crash(display_sys_stats+0xcf8)[0x1011cd74] ./crash(main_loop+0x300)[0x10068960] ./crash(current_interp_command_loop+0x48)[0x1021ac2c] ./crash[0x1021bcc4] ./crash(catch_errors+0x84)[0x1021a0c4] ./crash[0x1021d37c] ./crash(catch_errors+0x84)[0x1021a0c4] ./crash(gdb_main+0x58)[0x1021d3e8] ./crash(gdb_main_entry+0x6c)[0x1021d490] ./crash(gdb_main_loop+0x3b4)[0x10130e5c] ./crash(main+0x38c0)[0x10068650] /lib/libc.so.6(+0x1f568)[0xfd36568] /lib/libc.so.6(+0x1f728)[0xfd36728] Signed-off-by: Toshikazu Nakayama <nakayama.ts@xxxxxxxxxxxxxx> --- memory.c | 7 +++++-- 1 files changed, 5 insertions(+), 2 deletions(-) diff --git a/memory.c b/memory.c index 4ed8119..eaff155 100755 --- a/memory.c +++ b/memory.c @@ -11242,7 +11242,7 @@ read_string(ulong kvaddr, char *buf, int maxlen) char strbuf[MIN_PAGE_SIZE]; ulong kp; char *bufptr; - long cnt, size; + long cnt, size, found; BZERO(buf, maxlen); BZERO(strbuf, MIN_PAGE_SIZE); @@ -11250,6 +11250,7 @@ read_string(ulong kvaddr, char *buf, int maxlen) kp = kvaddr; bufptr = strbuf; size = maxlen; + found = 0; while (size > 0) { cnt = MIN_PAGE_SIZE - (kp & (MIN_PAGE_SIZE-1)); 
@@ -11261,13 +11262,15 @@ read_string(ulong kvaddr, char *buf, int maxlen) "readstring characters", QUIET|RETURN_ON_ERROR)) break; - if (count_buffer_chars(bufptr, NULLCHAR, cnt)) + if ((found = count_buffer_chars(bufptr, NULLCHAR, cnt))) break; kp += cnt; bufptr += cnt; size -= cnt; } + if (found == 0) + return 0; strcpy(buf, strbuf); return (strlen(buf)); -- 1.7.0.4
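Review bot: in the third hunk, even with the `if (found == 0) return 0;` guard, `strcpy(buf, strbuf);` is still unbounded with respect to maxlen, so a terminator that count_buffer_chars() locates more than maxlen bytes into strbuf would still overrun buf; a length-bounded copy (e.g. `strncpy(buf, strbuf, maxlen - 1);` with buf already zeroed by the BZERO at entry), or clamping cnt to the remaining size before the readmem() call so the loop can never collect more than maxlen bytes, would close that path as well. The lines between the hunks are not shown, so if cnt is already clamped there this point is moot. Worth stating in the commit message: the early return now also covers the readmem() failure `break`, so a partial string from a page read that failed mid-way is discarded (buf stays empty) instead of being strcpy'd without a terminator, which was the same overflow by another route.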
--
Crash-utility mailing list
Crash-utility@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/crash-utility
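The failure mode the patch describes, reading page-sized chunks of kernel memory that "succeed" but contain no NULLCHAR and then copying them with strcpy(), is reproduced below as an added example; it is not crash's own code. It builds a constructed fake memory image (fake_readmem(), PAGE_SZ, IMAGE_BASE and the image layout are all assumptions for the demo) and implements a page-chunked string reader with the same `found` logic as the patch, plus a bound on how much is read so the destination can never be overrun; the unterminated case and a failed page read both come back as 0 with an empty buffer.

```c
/* Added example, not code from crash or from the patch: a page-chunked
 * string reader over a constructed fake kernel image. Names such as
 * fake_readmem(), PAGE_SZ and IMAGE_BASE are assumptions for the demo. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ    64UL                /* tiny "page" so the demo crosses boundaries */
#define IMAGE_SZ   (4 * PAGE_SZ)
#define IMAGE_BASE 0xc0000000UL        /* assumed fake kernel virtual base */

static unsigned char image[IMAGE_SZ];
static bool image_ready;

/* Constructed sample memory: a short string, a string that straddles a page
 * boundary, and otherwise non-NUL filler standing in for the garbage a failed
 * vmalloc() translation hands back. */
static void build_image(void)
{
    if (image_ready)
        return;
    memset(image, 'A', sizeof image);                      /* no NUL anywhere by default */
    memcpy(image + 0x10, "short", 6);                      /* inside page 0 */
    memcpy(image + PAGE_SZ - 4, "cross-page string", 18);  /* starts in page 0, ends in page 1 */
    image_ready = true;
}

/* Stand-in for crash's readmem(): "succeeds" for any range inside the image,
 * returning whatever bytes are there, terminated or not. */
static bool fake_readmem(unsigned long kvaddr, void *dst, unsigned long cnt)
{
    build_image();
    if (kvaddr < IMAGE_BASE || cnt > IMAGE_SZ || kvaddr - IMAGE_BASE > IMAGE_SZ - cnt)
        return false;
    memcpy(dst, image + (kvaddr - IMAGE_BASE), cnt);
    return true;
}

/* Page-chunked read that never hands back unterminated data.
 * Returns strlen() of the string placed in buf, or 0 if no NUL turned up
 * within maxlen-1 bytes or a page read failed; buf is NUL-terminated
 * either way. */
long read_string_checked(unsigned long kvaddr, char *buf, int maxlen)
{
    unsigned long kp = kvaddr;
    char *bufptr = buf;
    long size = (long)maxlen - 1;          /* reserve room for the terminator */
    bool found = false;

    if (maxlen <= 0)
        return 0;
    memset(buf, 0, (size_t)maxlen);

    while (size > 0) {
        unsigned long cnt = PAGE_SZ - (kp & (PAGE_SZ - 1));  /* bytes left in this page */
        if (cnt > (unsigned long)size)
            cnt = (unsigned long)size;                       /* never read past buf */
        if (!fake_readmem(kp, bufptr, cnt))
            break;                                            /* translation/read failed */
        if (memchr(bufptr, '\0', cnt)) {                      /* count_buffer_chars() role */
            found = true;
            break;
        }
        kp += cnt;
        bufptr += cnt;
        size -= (long)cnt;
    }

    if (!found) {
        memset(buf, 0, (size_t)maxlen);    /* discard partial or garbage bytes */
        return 0;
    }
    return (long)strlen(buf);
}

/* Small wrapper with a fixed buffer so results can be checked directly. */
static char demo_buf[64];
long demo_read(unsigned long kvaddr, int maxlen)
{
    if (maxlen > (int)sizeof demo_buf)
        maxlen = (int)sizeof demo_buf;
    return read_string_checked(kvaddr, demo_buf, maxlen);
}
const char *demo_result(void) { return demo_buf; }

int main(void)
{
    long n = demo_read(IMAGE_BASE + PAGE_SZ - 4, 64);
    printf("cross-page:   %ld \"%s\"\n", n, demo_result());
    n = demo_read(IMAGE_BASE + 2 * PAGE_SZ, 64);
    printf("unterminated: %ld \"%s\"\n", n, demo_result());
    n = demo_read(IMAGE_BASE + IMAGE_SZ - 10, 64);
    printf("read failure: %ld \"%s\"\n", n, demo_result());
    return 0;
}
```

Two design choices differ from the patched read_string(): the chunk length is clamped to the space left in buf before each read, so no intermediate page-sized buffer and no unbounded strcpy() are needed, and a string that has no terminator within maxlen-1 bytes is reported as 0 rather than silently truncated, matching the patch's `found == 0` semantics for the caller.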