[Bug 586112] New: Sax2 fails with buffer overflow message
http://bugzilla.novell.com/show_bug.cgi?id=586112#c0

           Summary: Sax2 fails with buffer overflow message
    Classification: openSUSE
           Product: openSUSE 11.3
           Version: Factory
          Platform: x86-64
        OS/Version: openSUSE 11.3
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: SaX2
        AssignedTo: bnc-team-xorg-bugs@forge.provo.novell.com
        ReportedBy: linxt@comcast.net
         QAContact: sax2-maintainer-bugs@forge.provo.novell.com
          Found By: ---
           Blocker: ---

Created an attachment (id=346975)
 --> (http://bugzilla.novell.com/attachment.cgi?id=346975)
copies of log files and error message

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.0) Gecko/20100115 SUSE/3.6.0-1.8 Firefox/3.6

Attempted to run Sax2 from the start menu. A root prompt popup asked for the password. Supplied the password and Sax2 started to load, going to a blank screen with the SUSE icon in the upper left corner and a blinking cursor spinning near the lower left corner. After some time, pressed Enter and a root login console appeared. Trying to run Sax2 from the console resulted in the same behaviour as above. Trying to run Sax2 in a root terminal resulted in an error message about a buffer overflow and two files (devices) not found. See the attached error report.

Dell Studio 1745, Intel Mobile GM45 Express chipset, Intel Mobile 4 Series graphics controller, MC13K173WD1 LCD monitor, 4GB RAM

Reproducible: Always

Steps to Reproduce:
1. Attempt to run Sax2 from either the start menu or a root terminal
2. Provide the root password
3. Sax2 fails with the attached error message

Actual Results:
Sax2 fails to start, claiming a buffer overflow

Expected Results:
Sax2 starts and reconfigures the display resolution

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=586112#c1

Stefan Dirsch <sndirsch@novell.com> changed:

           What    |Removed                                    |Added
----------------------------------------------------------------------------
           Priority|P5 - None                                  |P3 - Medium
             Status|NEW                                        |ASSIGNED
         AssignedTo|bnc-team-xorg-bugs@forge.provo.novell.com  |sndirsch@novell.com

--- Comment #1 from Stefan Dirsch <sndirsch@novell.com> 2010-03-07 15:06:33 UTC ---
Maybe this can be reproduced.
http://bugzilla.novell.com/show_bug.cgi?id=586112#c2

--- Comment #2 from Stefan Dirsch <sndirsch@novell.com> 2010-03-18 06:50:17 UTC ---
Looks like this happens in sysp (part of sax2).

# sudo sysp -s xstuff
*** buffer overflow detected ***: sysp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fdebafe5a37]
/lib64/libc.so.6(+0xe5850)[0x7fdebafe3850]
/lib64/libc.so.6(+0xe4e5b)[0x7fdebafe2e5b]
/lib64/libc.so.6(__snprintf_chk+0x7a)[0x7fdebafe2d2a]
sysp[0x4505ed]
sysp[0x43d09c]
sysp[0x40c96c]
sysp[0x40d170]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fdebaf1cbdd]
sysp[0x404b69]
======= Memory map: ========
[...]

Maybe this is related to the runtime malloc check we've now enabled by default.
http://bugzilla.novell.com/show_bug.cgi?id=586112#c3

--- Comment #3 from Stefan Dirsch <sndirsch@novell.com> 2010-03-25 01:48:21 UTC ---
Buffer overflow appears to happen here:

sysp/lib/hw/monitor.c:MonitorGetData()

174   snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x",
          vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id)
http://bugzilla.novell.com/show_bug.cgi?id=586112#c4

Stefan Dirsch <sndirsch@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Stefan Dirsch <sndirsch@novell.com> 2010-03-27 12:38:07 UTC ---
Worked around for now:

sax2.changes:
-------------------------------------------------------------------
Sat Mar 27 13:06:39 CET 2010 - sndirsch@suse.de

- switch to gcc 4.3 for now to fix buffer overflows in sysp (bnc #586112)

35894  State:new  By:sndirsch  When:2010-03-27T13:36:20
       submit: X11:Utilities/sax2 -> openSUSE:Factory
       Descr: 'latest translation fixes; switch to gcc 4.3 for now to fix
       buffer overflows in sysp (bnc #586112)'

If anybody would like to fix it for real, please go ahead!
http://bugzilla.novell.com/show_bug.cgi?id=586112#c5

Stefan Dirsch <sndirsch@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lee_matheson@hotmail.com

--- Comment #5 from Stefan Dirsch <sndirsch@novell.com> 2010-03-27 16:21:26 UTC ---
*** Bug 591660 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=591660
http://bugzilla.novell.com/show_bug.cgi?id=586112#c6

Ruediger Oertel <ro@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |ro@novell.com
         Resolution|FIXED                       |

--- Comment #6 from Ruediger Oertel <ro@novell.com> 2010-04-05 22:53:30 UTC ---
hey, funny code:

    sprintf(display->ddc,"%c",'\0');
    snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x",
        vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id)
    );
    toUpper (display->ddc);

okay, first we write a 0 byte to display->ddc, then we take the strlen of display->ddc, which is 0, so we try to write "-1" bytes to display->ddc from the vendor-id and a hexcode from the device id.

what was this code really intended to do?

let's try this:

    snprintf(display->ddc, sizeof(display->ddc) - 1, "%s%04x",
        vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id)
    );
    // make sure its null terminated
    sprintf((display->ddc)+strlen(display->ddc),"%c",'\0');
    toUpper (display->ddc);
http://bugzilla.novell.com/show_bug.cgi?id=586112#c7

--- Comment #7 from Ruediger Oertel <ro@novell.com> 2010-04-06 00:18:55 UTC ---
but I don't get too much further there since libxf86config is broken (mail sent to xorg-devel)
http://bugzilla.novell.com/show_bug.cgi?id=586112#c

Stefan Dirsch <sndirsch@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |ASSIGNED
            Summary|Sax2 fails with buffer      |Sax2 fails with buffer
                   |overflow message            |overflow message / Build
                   |                            |fails with undefined
                   |                            |symbol: xf86CheckBoolOption
http://bugzilla.novell.com/show_bug.cgi?id=586112#c8

--- Comment #8 from Stefan Dirsch <sndirsch@novell.com> 2010-04-06 01:11:14 UTC ---
(In reply to comment #7)
> but I don't get too much further there since libxf86config is broken (mail sent to xorg-devel)

http://lists.x.org/archives/xorg-devel/2010-April/006869.html
http://bugzilla.novell.com/show_bug.cgi?id=586112#c9

--- Comment #9 from Ruediger Oertel <ro@novell.com> 2010-04-06 09:45:59 UTC ---
argh, comment 6 is nonsense as well ...

    sprintf((display->ddc)+strlen(display->ddc),"%c",'\0');

strlen would only work if already null-terminated ...
http://bugzilla.novell.com/show_bug.cgi?id=586112#c10

--- Comment #10 from Ruediger Oertel <ro@novell.com> 2010-04-06 10:14:05 UTC ---
currently using:

--- sysp/lib/hw/monitor.c
+++ sysp/lib/hw/monitor.c
@@ -58,6 +58,7 @@
 unsigned portID = 0;
 unsigned i = 0;
 char buf[256] = "";
+ int id_length = 0;
 //int vt_orig = getvt();
 //chvt (1);
@@ -170,10 +171,16 @@
 //===================================
 // Save Monitor DDC ID ...
 //-----------------------------------
- sprintf(display->ddc,"%c",'\0');
- snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x",
+ snprintf(display->ddc, sizeof(display->ddc) - 1, "%s%04x",
 vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id)
 );
+
+ // make sure its null terminated
+ id_length = strlen(vend_id2str(hd->vendor.id)) + 4 + 1;
+ if (id_length > (sizeof(display->ddc) - 1))
+ id_length = sizeof(display->ddc) - 1;
+ sprintf((display->ddc)+id_length,"%c",'\0');
+
 toUpper (display->ddc);
 //===================================
 // Save Monitor DisplaySize + Res
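Review bot: the manual termination added in the second hunk is both redundant and off by one. snprintf writes the terminating '\0' itself whenever its size argument is non-zero, so passing `sizeof(display->ddc) - 1` only gives away one usable byte, and `id_length = strlen(vend_id2str(hd->vendor.id)) + 4 + 1` lands one past the formatted string (its terminator sits at strlen + 4), so `sprintf((display->ddc)+id_length,"%c",'\0')` writes a stray byte beyond the string; the clamp keeps that write inside the array but does nothing useful. The comparison `id_length > (sizeof(display->ddc) - 1)` also mixes a signed int with size_t. Suggest dropping the added block, passing `sizeof(display->ddc)` as the size, and checking snprintf's return value to detect a truncated ID.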
http://bugzilla.novell.com/show_bug.cgi?id=586112#c11

--- Comment #11 from Stefan Dirsch <sndirsch@novell.com> 2010-04-06 10:50:05 UTC ---
Rudi, snprintf writes the string *including* the trailing null byte ('\0'). What about?

- sprintf(display->ddc,"%c",'\0');
- snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x",
- vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id)
- );
+ snprintf(display->ddc, sizeof(display->ddc), "%s%04x",
+ vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id)
+ );
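Review bot: the replacement is correct only under one precondition that the hunk does not show, namely that `display->ddc` is a char array embedded in the struct; if it were a `char *`, `sizeof(display->ddc)` would be the pointer size and the call would silently truncate to 7 characters. Worth confirming the declaration when applying this. Also, an over-long vendor string now truncates silently instead of overflowing; if a complete ID matters to later consumers of `display->ddc`, check the return value of snprintf against `sizeof(display->ddc)` and log or flag the truncation.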
http://bugzilla.novell.com/show_bug.cgi?id=586112#c12

--- Comment #12 from Ruediger Oertel <ro@novell.com> 2010-04-06 17:12:54 UTC ---
yep, forgot that snprintf guarantees null-termination. looks good.
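As an added example (not code from sax2 or the people in this thread), the size underflow that made glibc's fortify wrapper abort in comment 2, beside the fixed snprintf call from comment 11 extended with the truncation check the original lacks. The struct layout, the 16-byte array size, and passing the vendor string and a 16-bit device id directly in place of vend_id2str()/ID_VALUE() are assumptions, since none of those are shown on the page.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sysp's display structure: the real size of
 * display->ddc is not given in the report, 16 is an assumption. */
#define DDC_LEN 16
struct display { char ddc[DDC_LEN]; };

static struct display demo;   /* used by main() below */

/* The size argument the original code handed to snprintf (comments 6 and 9):
 * after writing a lone '\0', strlen(ddc) is 0 and the unsigned 0 - 1 wraps
 * to SIZE_MAX. glibc's _FORTIFY_SOURCE wrapper __snprintf_chk compares that
 * against the real object size and aborts with
 * "*** buffer overflow detected ***", which is the backtrace in comment 2. */
size_t buggy_size_arg(struct display *d) {
    d->ddc[0] = '\0';
    return strlen(d->ddc) - 1;
}

/* Fix from comment 11: hand snprintf the whole array size. snprintf always
 * writes the terminating '\0' when size > 0, so no manual termination is
 * needed. vend_id2str() and ID_VALUE() are not on the page; the vendor
 * string and a 16-bit device id are passed in directly (assumption).
 * Returns 1 if the ID did not fit and was truncated, 0 otherwise. */
int format_ddc(struct display *d, const char *vendor, unsigned device_id) {
    int n = snprintf(d->ddc, sizeof d->ddc, "%s%04x", vendor, device_id & 0xffffu);
    for (char *p = d->ddc; *p; p++)          /* sysp's toUpper() step */
        *p = (char)toupper((unsigned char)*p);
    return n < 0 || (size_t)n >= sizeof d->ddc;
}

int main(void) {
    printf("buggy size arg: %zu (SIZE_MAX is %zu)\n",
           buggy_size_arg(&demo), (size_t)SIZE_MAX);
    int truncated = format_ddc(&demo, "smi", 0x1234);
    printf("ddc=\"%s\" truncated=%d\n", demo.ddc, truncated);
    truncated = format_ddc(&demo, "averylongvendorname", 0xabcd);
    printf("ddc=\"%s\" truncated=%d\n", demo.ddc, truncated);
    return 0;
}
```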
http://bugzilla.novell.com/show_bug.cgi?id=586112#c

Stefan Dirsch <sndirsch@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3 - Medium                 |P2 - High
http://bugzilla.novell.com/show_bug.cgi?id=586112#c13

Stefan Dirsch <sndirsch@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #13 from Stefan Dirsch <sndirsch@novell.com> 2010-04-07 10:59:35 UTC ---
(In reply to comment #7)
> but I don't get too much further there since libxf86config is broken (mail sent to xorg-devel)

Fixed/workarounded in xorg-x11-server now:
-------------------------------------------------------------------
Tue Apr 6 20:48:21 CEST 2010 - ro@suse.de

- fix libxf86config (resolve references)

(In reply to comment #12)
> yep, forgot that snprintf guarantees null-termination. looks good.

Fixed in sax2 now.
-------------------------------------------------------------------
Wed Apr 7 00:02:38 CEST 2010 - sndirsch@suse.de

- likely fixed buffer overflow in sysp (bnc #586112)