signal-composer crashes (libc detects buffer overflow)

Theo BUENO via automotive-discussions <automotive-discussions@xxxxxxxxxxxxxxxxxxxxxxxxx> · Tue, 2 Apr 2019 12:52:37 +0000

agl:/usr/local/lib/systemd/system# gdb /usr/bin/afb-daemon
GNU gdb (GDB) 8.0
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-poky-linux-gnueabi".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/afb-daemon...(no debugging symbols found)...done.

(gdb) handle SIGILL nostop noprint
Signal        Stop	Print	Pass to program	Description
SIGILL        No	No	Yes		Illegal instruction

(gdb) run --name afbd-signal-composer@6.99 --rootdir=/var/local/lib/afm/applications/signal-composer/6.99  --workdir=/home/0/app-data/signal-composer --no-httpd --ws-client=unix:/run/user/0/apis/ws/low-can --ws-client=unix:/run/user/0/apis/ws/gps --binding=/var/local/lib/afm/applications/signal-composer/6.99/lib/afb-signal-composer.so --ws-server=sd:signal-composer
Starting program: /usr/bin/afb-daemon --name afbd-signal-composer@6.99 --rootdir=/var/local/lib/afm/applications/signal-composer/6.99  --workdir=/home/0/app-data/signal-composer --no-httpd --ws-client=unix:/run/user/0/apis/ws/low-can --ws-client=unix:/run/user/0/apis/ws/gps --binding=/var/local/lib/afm/applications/signal-composer/6.99/lib/afb-signal-composer.so --ws-server=sd:signal-composer
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".
WARNING: [API signal-composer] Plugin multiple instances in searchpath will use /var/local/lib/afm/applications/signal-composer/6.99/lib/../var/unit-conversion.lua [/usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/ctl-utilities/ctl-lib/ctl-plugin.c:246,LoadFoundPlugins]
WARNING: [API signal-composer] Plugin multiple instances in searchpath will use /var/local/lib/afm/applications/signal-composer/6.99/lib/../lib/plugins/gps.ctlso [/usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/ctl-utilities/ctl-lib/ctl-plugin.c:246,LoadFoundPlugins]
WARNING: [API signal-composer] Plugin multiple instances in searchpath will use /var/local/lib/afm/applications/signal-composer/6.99/lib/../lib/plugins/builtin.ctlso [/usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/ctl-utilities/ctl-lib/ctl-plugin.c:246,LoadFoundPlugins]
*** buffer overflow detected ***: afbd-signal-composer@6.99 terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at /usr/src/debug/glibc/2.26-r0/git/sysdeps/unix/sysv/linux/raise.c:51
51	}

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at /usr/src/debug/glibc/2.26-r0/git/sysdeps/unix/sysv/linux/raise.c:51
#1  0x76bcfccc in __GI_abort () at /usr/src/debug/glibc/2.26-r0/git/stdlib/abort.c:90
#2  0x76c07a24 in __libc_message (action=(do_abort | do_backtrace), fmt=<optimized out>)
    at /usr/src/debug/glibc/2.26-r0/git/sysdeps/posix/libc_fatal.c:181
#3  0x76c82518 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, 
    msg=0x76cc2b68 "buffer overflow detected") at /usr/src/debug/glibc/2.26-r0/git/debug/fortify_fail.c:33
#4  0x76c82564 in __GI___fortify_fail (msg=<optimized out>)
    at /usr/src/debug/glibc/2.26-r0/git/debug/fortify_fail.c:44
#5  0x76c806f4 in __GI___chk_fail () at /usr/src/debug/glibc/2.26-r0/git/debug/chk_fail.c:28
#6  0x76c7fab0 in __strcpy_chk (dest=0x1 <error: Cannot access memory at address 0x1>, 
    src=0x7effed68 "txc-binding/vehicle_speed", destlen=1993091944)
    at /usr/src/debug/glibc/2.26-r0/git/debug/strcpy_chk.c:30
#7  0x0042eb4c in globset_add ()
#8  0x00417280 in afb_export_event_handler_add ()
#9  0x764558a8 in afb_api_event_handler_add (closure=<optimized out>, 
    callback=0x76453cbc <SourceAPI::onSignalEvents(void*, char const*, json_object*, afb_api*)>, 
    pattern=<optimized out>, api=<optimized out>) at /usr/include/afb/afb-api-x3.h:778
#10 SourceAPI::addSignal (this=0x7effeef4, this@entry=0x76ffea58 <__stack_chk_guard>, id=..., event=..., 
    depends=..., retention=retention@entry=30, unit=..., metadata=0x0, frequency=0, onReceived=0x471fa8, 
    onReceived@entry=0x7effeeb0, getSignalsArgs=0x487830)
    at /usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/signal-composer-binding/source.cpp:148
#11 0x7644fb1c in Composer::loadOneSignal (this=this@entry=0x470778, apihandle=apihandle@entry=0x470598, 
    signalJ=<optimized out>)
    at /usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/signal-composer-binding/signal-composer.cpp:330
#12 0x764501f4 in Composer::loadSignals (apihandle=0x470598, section=<optimized out>, signalsJ=0x47e680)
    at /usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/signal-composer-binding/signal-composer.cpp:351
#13 0x7645ced4 in CtlLoadSections (apiHandle=apiHandle@entry=0x470598, ctlHandle=0x470bf8, sections=<optimized out>)
    at /usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/ctl-utilities/ctl-lib/ctl-config.c:331
#14 0x7644e928 in Composer::loadConfig (this=<optimized out>, api=api@entry=0x470598, filepath=...)
    at /usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/signal-composer-binding/signal-composer.cpp:447
#15 0x7644d050 in loadConf (api=0x470598)
    at /usr/src/debug/agl-service-signal-composer/7.90.0-r0/git/signal-composer-binding/signal-composer-binding.cpp:255
#16 0x004102ec in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) 