[Bug 639111] New: iwevent crash
https://bugzilla.novell.com/show_bug.cgi?id=639111#c0

Summary: iwevent crash
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: koenig@linux.de
QAContact: qa@suse.de
Found By: ---
Blocker: ---

iwevent crashed with the following message:

05:36:26.106283 wlan0 New Access Point/Cell address:Not-Associated
05:36:26.106334 wlan0 Set ESSID:off/any
05:36:28.296320 wlan0 Scan request completed
05:36:35.554483 wlan0 Scan request completed
05:36:35.556903 wlan0 Set ESSID:off/any
05:36:35.556928 wlan0 Set Mode:Managed
05:36:35.556941 wlan0 Set Frequency:2.437 GHz (Channel 6)
05:36:35.556967 wlan0 Set ESSID:"context"
05:36:35.593222 wlan0 Association Response IEs:010882848B962430486C32040C1218602D1A1C181AFFFFFF00000000000000D80007000000000000000000003D1606081500000000000000000000000000000
*** stack smashing detected ***: /usr/sbin/iwevent terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fc2d8e13067]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7fc2d8e13030]
/usr/sbin/iwevent[0x402131]
/usr/sbin/iwevent[0x402265]
/usr/sbin/iwevent[0x4026a2]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fc2d8d4ab7d]
/usr/sbin/iwevent[0x401499]
Aborted (core dumped)

gdb output of the core:

Core was generated by `/usr/sbin/iwevent'.
Program terminated with signal 6, Aborted.
#0  0x00007fc2d8d5e9e5 in ?? ()
(gdb) where
#0  0x00007fc2d8d5e9e5 in ?? ()
#1  0x00007fc2d8d5fee6 in ?? ()
#2  0x00007fff96dd6780 in ?? ()
#3  0x00007fff96dd6770 in ?? ()
#4  0x00007fff96ddae93 in ?? ()
#5  0x0000000000000011 in ?? ()
#6  0x00007fc2d8e4c74e in ?? ()
#7  0x0000000000000003 in ?? ()
#8  0x00007fff96dd677a in ?? ()
#9  0x0000000000000006 in ?? ()
#10 0x00007fc2d8e4c752 in ?? ()
#11 0x0000000000000002 in ?? ()
#12 0x00007fff96dd676e in ?? ()
#13 0x0000000000000002 in ?? ()
#14 0x00007fc2d8e4a4ee in ?? ()
#15 0x0000000000000001 in ?? ()
#16 0x00007fc2d8e4c74e in ?? ()
#17 0x0000000000000003 in ?? ()
#18 0x00007fff96dd6774 in ?? ()
#19 0x000000000000000c in ?? ()
#20 0x00007fc2d8e4c752 in ?? ()
#21 0x0000000000000002 in ?? ()
#22 0x0000000000000020 in ?? ()
#23 0x0000000000000000 in ?? ()
(gdb)

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Harald Koenig

--- Comment #2 from Li Bin

--- Comment #3 from Harald Koenig

--- Comment #4 from Li Bin
Harald,
The interface __stack_chk_fail() shall abort the function that called it with a message that a stack overflow has been detected.
So I think it's caused by print_event_stream. Do you have another AP? Does it crash for other APs?
I tried on my laptop; it doesn't crash.
--- Comment #5 from Harald Koenig

correct. I'm at a TeX conference right now and there are multiple APs around, and only connecting to one of them (essid "context") will crash iwevent; all others seem to be fine. how can I get/provide more information for that AP ?

I set a breakpoint at print_event_stream() and stepped through that function using "n"ext in gdb. the crash happens after leaving print_event_stream() :

(gdb)
Continuing.
10:00:43.328730 wlan0 Set ESSID:"context"

Breakpoint 1, print_event_stream (ifindex=3, data=0x7fffffffb790 "\265", len=181) at iwevent.c:505
505     {
(gdb)
Continuing.
09:54:08.527395 wlan0 Set ESSID:"context"

Breakpoint 1, print_event_stream (ifindex=3, data=0x7fffffffb790 "\265", len=181) at iwevent.c:505
505     {
(gdb) n
516       wireless_data = iw_get_interface_data(ifindex);
(gdb)
505     {
(gdb)
516       wireless_data = iw_get_interface_data(ifindex);
(gdb)
521       gettimeofday(&recv_time, &tz);
(gdb)
522       iw_print_timeval(buffer, sizeof(buffer), &recv_time, &tz);
(gdb)
524       iw_init_event_stream(&stream, data, len);
(gdb)
522       iw_print_timeval(buffer, sizeof(buffer), &recv_time, &tz);
(gdb)
508       int i = 0;
(gdb)
522       iw_print_timeval(buffer, sizeof(buffer), &recv_time, &tz);
(gdb)
524       iw_init_event_stream(&stream, data, len);
(gdb)
533           printf("%s %-8.16s ", buffer, wireless_data->ifname);
(gdb)
537           print_event_token(&iwe,
(gdb)
533           printf("%s %-8.16s ", buffer, wireless_data->ifname);
(gdb)
537           print_event_token(&iwe,
(gdb)
528       ret = iw_extract_event_stream(&stream, &iwe,
(gdb)
530       if(ret != 0)
(gdb)
528       ret = iw_extract_event_stream(&stream, &iwe,
(gdb)
530       if(ret != 0)
(gdb)
532           if(i++ == 0)
(gdb)
533           printf("%s %-8.16s ", buffer, wireless_data->ifname);
(gdb)
536           if(ret > 0)
(gdb)
537           print_event_token(&iwe,
(gdb)
09:54:14.080828 wlan0 Association Response IEs:010882848B962430486C32040C1218602D1A1C181AFFFFFF00000000000000D80007000000000000000000003D160B001700000000000000000000000000000
542       fflush(stdout);
(gdb) n
532           if(i++ == 0)
(gdb) n
542       fflush(stdout);
(gdb) n
528       ret = iw_extract_event_stream(&stream, &iwe,
(gdb) n
530       if(ret != 0)
(gdb)
528       ret = iw_extract_event_stream(&stream, &iwe,
(gdb)
530       if(ret != 0)
(gdb)
547       return(0);
(gdb)
548     }
(gdb)
*** stack smashing detected ***: /usr/sbin/iwevent terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff7705067]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7ffff7705030]
/usr/sbin/iwevent[0x402131]
/usr/sbin/iwevent[0x402265]
/usr/sbin/iwevent[0x4026a2]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7ffff763cb7d]
/usr/sbin/iwevent[0x401499]

stepping through iw_extract_event_stream() does not give me a clue either:

528       ret = iw_extract_event_stream(&stream, &iwe,
(gdb) s
iw_extract_event_stream (stream=0x7fffffffb450, iwe=0x7fffffffb6e0, we_version=22) at iwlib.c:2850
2850    {
(gdb)
2859      if((stream->current + IW_EV_LCP_PK_LEN) > stream->end)
(gdb)
2860        return(0);
(gdb)
3055    }
(gdb)
print_event_stream (ifindex=<value optimized out>, data=<value optimized out>, len=<value optimized out>) at iwevent.c:530
530       if(ret != 0)
(gdb)
528       ret = iw_extract_event_stream(&stream, &iwe,
(gdb)
530       if(ret != 0)
(gdb)
547       return(0);
(gdb)
548     }
(gdb)
*** stack smashing detected ***: /usr/sbin/iwevent terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7ffff7705067]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7ffff7705030]
--- Comment #6 from Li Bin

https://api.opensuse.org/build/home:BinLi:branches:openSUSE:11.3:Update:Test...
I added a debug patch to output the length of data.
--- wireless_tools.30.orig/iwevent.c
+++ wireless_tools.30/iwevent.c
@@ -512,6 +512,7 @@ print_event_stream(int ifindex,
   struct timezone	tz;
   struct wireless_iface *	wireless_data;
 
+  printf("strlen data is %d, len is %d.\n", strlen(data), len);
   /* Get data from cache */
   wireless_data = iw_get_interface_data(ifindex);
   if(wireless_data == NULL)
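Review bot: `strlen(data)` is not a usable length in this hunk: `data` is a binary event stream that may contain zero bytes, so strlen() stops at the first one and tells you nothing about the payload; `len` is the only length to trust here. The format string also passes a `size_t` (the strlen() result) to `%d`, which is undefined on 64-bit builds; use `%zu` for that argument, and consider writing the debug line to stderr so it does not interleave with the normal event output.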
Could you try it?
--- Comment #7 from Harald Koenig

the 32bit rpm doesn't "perfectly" fit into my 64bit system, but there is --nodeps et voila ;-)

with your 32 bit iwevent image I get two more lines of output before it crashes: while the 64bit prog crashes after 'Set ESSID:"context"' your 32bit binary prints 'Association Response IEs:...' and 'New Access Point/Cell address' :

12:11:36.053683 wlan0 Set Frequency:2.462 GHz (Channel 11)
strlen data is 1, len is 15.
12:11:36.053737 wlan0 Set ESSID:"context"
Associated with 00:21:29:d3:8c:86
CTRL-EVENT-CONNECTED - Connection to 00:21:29:d3:8c:86 completed (reauth) [id=1 id_str=]
strlen data is 1, len is 173.
12:11:36.065292 wlan0 Association Response IEs:010882848B962430486C32040C1218602D1A1C181AFFFFFF00000000000000D80007000000000000000000003D160B001700000000000000000000000000000
strlen data is 1, len is 20.
12:11:36.065348 wlan0 New Access Point/Cell address:00:21:29:D3:8C:86

Breakpoint 1, 0xf7ecb690 in __stack_chk_fail () from /lib/libc.so.6
(gdb) c
Continuing.
*** stack smashing detected ***: /usr/sbin/iwevent terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x40)[0xf7ecb6f0]
/lib/libc.so.6(+0xea6a7)[0xf7ecb6a7]
/usr/sbin/iwevent[0x804a082]
/usr/sbin/iwevent[0x804a38c]
/lib/libc.so.6(__libc_start_main+0xfe)[0xf7df7c0e]
/usr/sbin/iwevent[0x8048f71]
======= Memory map: ========

for the 64bit binary len is 181 after output of 'Set ESSID:"context"' and strlen(data) is 1 too (checked in gdb)
--- Comment #8 from Li Bin
Harald,
Could you download the source code to debug it? I want to make sure which function causes the stack overflow, iw_extract_event_stream or print_event_token.
You can comment out print_event_token first, then try again. Then try the other one.
Is it convenient?
--- Comment #9 from Harald Koenig

ACK!

1st: a plain "make" in the build dir made the problem vanish because then the gcc option "-fstack-protector" from the "rpm -bp ..." was missing :-(

with -fstack-protector I was able to reproduce/debug and find the real problem: iw_hexdump() does not honor its parameter "buflen" and thus trashes the stack when it gets called here

	case IWEVASSOCRESPIE:
	  printf("Association Response IEs:%s\n",

with buflen==128 and datalen==165 (so needing 330+1 bytes buffer space for the hex dump...)

RTFM taught me that the snprintf() will return 2 even for size==0 or size<0 (showing that the output was clipped if return >= size)!

here is my patch to avoid a) any buffer overflow and b) show the whole hex dump for that AP packet (see below).

--------------------------------------------------------------
wireless_tools.30 > diff -u iwevent.c{~,}
--- iwevent.c~	2008-05-16 01:18:52.000000000 +0200
+++ iwevent.c	2010-09-15 10:38:08.000000000 +0200
@@ -285,8 +285,10 @@
   size_t	i;
   char *	pos = buf;
 
-  for(i = 0; i < datalen; i++)
+  for(i = 0; i < datalen; i++) {
+    if (buf + buflen - pos < 2+1) break;
     pos += snprintf(pos, buf + buflen - pos, "%02X", data[i]);
+  }
 
   return buf;
 }
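Review bot: the guard `if (buf + buflen - pos < 2+1) break;` keeps `pos` inside the buffer and so fixes the overflow, but the function still returns an unterminated buffer when `datalen == 0`, because the loop body is then the only writer and it never runs; set `buf[0] = '\0'` before the loop (when `buflen > 0`) so the caller's `%s` cannot read past the buffer. The break also clips the dump silently; since the caller has no way to see that bytes were dropped, consider returning the number of bytes encoded or appending a marker when the loop exits early.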
@@ -299,7 +301,7 @@
 		  struct iw_range *	iw_range,	/* Range info */
 		  int			has_range)
 {
-  char		buffer[128];	/* Temporary buffer */
+  char		buffer[512];	/* Temporary buffer */
   char		buffer2[30];	/* Temporary buffer */
   char *	prefix = (IW_IS_GET(event->cmd) ? "New" : "Set");
-------------------------------------------------------------

the correct output should look like this:

08:38:21.512101 wlan0 Set ESSID:"context"
08:38:21.746297 wlan0 Association Response IEs:010882848B962430486C32040C1218602D1A1C181AFFFFFF00000000000000D80007000000000000000000003D160B001700000000000000000000000000000000000000DD090010180212F4010000DD180050F2020101000003A4000027A4000042435E0062322F00DD1E00904C331C181AFFFF000000000000000000000000000000000000000000DD1A00904C340B001700000000000000000000000000000000000000
08:38:21.746470 wlan0 New Access Point/Cell address:00:21:29:D3:8C:86
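Review bot: growing `buffer` from 128 to 512 bytes fits the 165-byte response (330 hex digits plus NUL) but still caps a dump at 255 IE bytes, so this hunk is only safe together with the bounds check in the first hunk and the two must not be split across commits. It also adds 384 bytes to print_event_token()'s stack frame for every event, not just IWEVASSOCRESPIE; if that matters, a comment next to the size explaining that it is derived from the largest expected IE payload would help the next reader.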
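To make the snprintf() return-value pitfall concrete, here is an added example that is not code from this bug report or from wireless_tools: the loop shape of the original iw_hexdump() beside a hardened version built on the guard in the patch above. The hardened version goes a step beyond the patch by terminating the buffer when datalen is 0 and by returning how many input bytes were encoded; the name iw_hexdump_safe, that return value and the 165-byte input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Shape of the original iw_hexdump(): pos advances by snprintf()'s return
 * value, i.e. the length that WOULD have been written, so once the buffer is
 * full pos walks past buf + buflen and the next size argument wraps to a
 * huge size_t. Comparison only: never call it with 2 * datalen + 1 > buflen. */
char *iw_hexdump_orig(char *buf, size_t buflen,
                      const unsigned char *data, size_t datalen)
{
  size_t i;
  char *pos = buf;
  for (i = 0; i < datalen; i++)
    pos += snprintf(pos, buf + buflen - pos, "%02X", data[i]);
  return buf;
}

/* Hardened version (constructed name): stop before the byte that would not
 * fit (two hex digits plus NUL), terminate the buffer even when nothing is
 * written, and return how many input bytes were encoded so the caller can
 * detect a clipped dump. */
size_t iw_hexdump_safe(char *buf, size_t buflen,
                       const unsigned char *data, size_t datalen)
{
  size_t i;
  char *pos = buf;
  if (buflen == 0)
    return 0;
  *pos = '\0';                       /* datalen == 0 must still yield "" */
  for (i = 0; i < datalen; i++) {
    size_t room = (size_t)(buf + buflen - pos);
    if (room < 2 + 1)                /* "%02X" needs 2 chars + NUL */
      break;
    pos += snprintf(pos, room, "%02X", data[i]);
  }
  return i;
}

int main(void)
{
  /* Constructed stand-in for the report's 165-byte IE blob and 128-byte buffer. */
  unsigned char ies[165];
  char buf[128];
  size_t i, n;
  for (i = 0; i < sizeof ies; i++)
    ies[i] = (unsigned char)i;
  n = iw_hexdump_safe(buf, sizeof buf, ies, sizeof ies);
  printf("encoded %zu of %zu bytes into %zu chars: %s\n", n, sizeof ies, strlen(buf), buf);
  return 0;
}
```

With the report's sizes the hardened function encodes 63 of the 165 bytes into a 126-character string and stops, where the original would have kept advancing pos past the end of the 128-byte buffer.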
--- Comment #10 from Li Bin
--- Comment #11 from Li Bin
--- Comment #12 from Christian Dengler
--- Comment #13 from Marcus Meissner
--- Comment #14 from Swamp Workflow Management
--- Comment #15 from Christian Dengler
--- Comment #16 from Christian Dengler
--- Comment #17 from Li Bin
--- Comment #18 from Swamp Workflow Management
--- Comment #19 from Swamp Workflow Management