touch-packages team mailing list archive

Thread
Date
[Bug 1011477] Re: [SRU] liblockfile buffer overflow with high pid numbers

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Rolf Leggewie <1011477@xxxxxxxxxxxxxxxxxx>
Date: Fri, 05 Dec 2014 05:03:42 -0000
Reply-to: Bug 1011477 <1011477@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
quantal has seen the end of its life and is no longer receiving any
updates. Marking the quantal task for this ticket as "Won't Fix".

** Changed in: liblockfile (Ubuntu Quantal)
       Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to liblockfile in Ubuntu.
https://bugs.launchpad.net/bugs/1011477

Title:
  [SRU] liblockfile buffer overflow with high pid numbers

Status in liblockfile package in Ubuntu:
  Fix Released
Status in liblockfile source package in Precise:
  Fix Released
Status in liblockfile source package in Quantal:
  Won't Fix

Bug description:
  on our system (Ubuntu-Server 10.04) we set "sysctl -w kernel.pid_max =
  4194304". When the pid counter is high, currently >3000000, then cron-
  apt terminates with a buffer overflow message:

  root@sn:~# cron-apt
  *** buffer overflow detected ***: dotlockfile terminated
  ======= Backtrace: =========
  /lib/libc.so.6(__fortify_fail+0x37)[0x7f2ae90547e7]
  /lib/libc.so.6(+0xfe6a0)[0x7f2ae90536a0]
  /lib/libc.so.6(+0xfdb09)[0x7f2ae9052b09]
  /lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2ae8fcaf6c]
  /lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2ae8f9aa10]
  /lib/libc.so.6(__vsprintf_chk+0x99)[0x7f2ae9052ba9]
  /lib/libc.so.6(__sprintf_chk+0x7f)[0x7f2ae9052aef]
  dotlockfile[0x401e6e]
  dotlockfile[0x40198a]
  /lib/libc.so.6(__libc_start_main+0xfd)[0x7f2ae8f73c4d]
  dotlockfile[0x4011f9]
  ======= Memory map: ========
  00400000-00403000 r-xp 00000000 fb:02 2104182                            /usr/bin/dotlockfile
  00602000-00603000 r--p 00002000 fb:02 2104182                            /usr/bin/dotlockfile
  00603000-00604000 rw-p 00003000 fb:02 2104182                            /usr/bin/dotlockfile
  01f80000-01fa1000 rw-p 00000000 00:00 0                                  [heap]
  7f2ae8503000-7f2ae8519000 r-xp 00000000 fb:02 131128                     /lib/libgcc_s.so.1
  7f2ae8519000-7f2ae8718000 ---p 00016000 fb:02 131128                     /lib/libgcc_s.so.1
  7f2ae8718000-7f2ae8719000 r--p 00015000 fb:02 131128                     /lib/libgcc_s.so.1
  7f2ae8719000-7f2ae871a000 rw-p 00016000 fb:02 131128                     /lib/libgcc_s.so.1
  7f2ae871a000-7f2ae8726000 r-xp 00000000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2ae8726000-7f2ae8925000 ---p 0000c000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2ae8925000-7f2ae8926000 r--p 0000b000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2ae8926000-7f2ae8927000 rw-p 0000c000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2ae8927000-7f2ae8931000 r-xp 00000000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2ae8931000-7f2ae8b30000 ---p 0000a000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2ae8b30000-7f2ae8b31000 r--p 00009000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2ae8b31000-7f2ae8b32000 rw-p 0000a000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2ae8b32000-7f2ae8b49000 r-xp 00000000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2ae8b49000-7f2ae8d48000 ---p 00017000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2ae8d48000-7f2ae8d49000 r--p 00016000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2ae8d49000-7f2ae8d4a000 rw-p 00017000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2ae8d4a000-7f2ae8d4c000 rw-p 00000000 00:00 0
  7f2ae8d4c000-7f2ae8d54000 r-xp 00000000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f2ae8d54000-7f2ae8f53000 ---p 00008000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f2ae8f53000-7f2ae8f54000 r--p 00007000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f2ae8f54000-7f2ae8f55000 rw-p 00008000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f2ae8f55000-7f2ae90cf000 r-xp 00000000 fb:02 147402                     /lib/libc-2.11.1.so
  7f2ae90cf000-7f2ae92ce000 ---p 0017a000 fb:02 147402                     /lib/libc-2.11.1.so
  7f2ae92ce000-7f2ae92d2000 r--p 00179000 fb:02 147402                     /lib/libc-2.11.1.so
  7f2ae92d2000-7f2ae92d3000 rw-p 0017d000 fb:02 147402                     /lib/libc-2.11.1.so
  7f2ae92d3000-7f2ae92d8000 rw-p 00000000 00:00 0
  7f2ae92d8000-7f2ae92f8000 r-xp 00000000 fb:02 147370                     /lib/ld-2.11.1.so
  7f2ae94eb000-7f2ae94ee000 rw-p 00000000 00:00 0
  7f2ae94f5000-7f2ae94f7000 rw-p 00000000 00:00 0
  7f2ae94f7000-7f2ae94f8000 r--p 0001f000 fb:02 147370                     /lib/ld-2.11.1.so
  7f2ae94f8000-7f2ae94f9000 rw-p 00020000 fb:02 147370                     /lib/ld-2.11.1.so
  7f2ae94f9000-7f2ae94fa000 rw-p 00000000 00:00 0
  7fff43082000-7fff430a3000 rw-p 00000000 00:00 0                          [stack]
  7fff431ff000-7fff43200000 r-xp 00000000 00:00 0                          [vdso]
  ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
  Aborted
  root@sn:~# uname -a
  Linux sn 2.6.35-32-server #68~lucid1-Ubuntu SMP Wed Mar 28 18:33:00 UTC 2012 x86_64 GNU/Linux
  root@sn:~# ps
      PID TTY          TIME CMD
  3722057 pts/5    00:00:00 bash
  3925974 pts/5    00:00:00 ps
  root@sn:~# strace -f -o out cron-apt
  *** buffer overflow detected ***: dotlockfile terminated
  ======= Backtrace: =========
  /lib/libc.so.6(__fortify_fail+0x37)[0x7f27661f27e7]
  /lib/libc.so.6(+0xfe6a0)[0x7f27661f16a0]
  /lib/libc.so.6(+0xfdb09)[0x7f27661f0b09]
  /lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2766168f6c]
  /lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2766138a10]
  /lib/libc.so.6(__vsprintf_chk+0x99)[0x7f27661f0ba9]
  /lib/libc.so.6(__sprintf_chk+0x7f)[0x7f27661f0aef]
  dotlockfile[0x401e6e]
  dotlockfile[0x40198a]
  /lib/libc.so.6(__libc_start_main+0xfd)[0x7f2766111c4d]
  dotlockfile[0x4011f9]
  ======= Memory map: ========
  00400000-00403000 r-xp 00000000 fb:02 2104182                            /usr/bin/dotlockfile
  00602000-00603000 r--p 00002000 fb:02 2104182                            /usr/bin/dotlockfile
  00603000-00604000 rw-p 00003000 fb:02 2104182                            /usr/bin/dotlockfile
  01a13000-01a34000 rw-p 00000000 00:00 0                                  [heap]
  7f27656a1000-7f27656b7000 r-xp 00000000 fb:02 131128                     /lib/libgcc_s.so.1
  7f27656b7000-7f27658b6000 ---p 00016000 fb:02 131128                     /lib/libgcc_s.so.1
  7f27658b6000-7f27658b7000 r--p 00015000 fb:02 131128                     /lib/libgcc_s.so.1
  7f27658b7000-7f27658b8000 rw-p 00016000 fb:02 131128                     /lib/libgcc_s.so.1
  7f27658b8000-7f27658c4000 r-xp 00000000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f27658c4000-7f2765ac3000 ---p 0000c000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2765ac3000-7f2765ac4000 r--p 0000b000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2765ac4000-7f2765ac5000 rw-p 0000c000 fb:02 147406                     /lib/libnss_files-2.11.1.so
  7f2765ac5000-7f2765acf000 r-xp 00000000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2765acf000-7f2765cce000 ---p 0000a000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2765cce000-7f2765ccf000 r--p 00009000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2765ccf000-7f2765cd0000 rw-p 0000a000 fb:02 147385                     /lib/libnss_nis-2.11.1.so
  7f2765cd0000-7f2765ce7000 r-xp 00000000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2765ce7000-7f2765ee6000 ---p 00017000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2765ee6000-7f2765ee7000 r--p 00016000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2765ee7000-7f2765ee8000 rw-p 00017000 fb:02 147369                     /lib/libnsl-2.11.1.so
  7f2765ee8000-7f2765eea000 rw-p 00000000 00:00 0
  7f2765eea000-7f2765ef2000 r-xp 00000000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f2765ef2000-7f27660f1000 ---p 00008000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f27660f1000-7f27660f2000 r--p 00007000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f27660f2000-7f27660f3000 rw-p 00008000 fb:02 147379                     /lib/libnss_compat-2.11.1.so
  7f27660f3000-7f276626d000 r-xp 00000000 fb:02 147402                     /lib/libc-2.11.1.so
  7f276626d000-7f276646c000 ---p 0017a000 fb:02 147402                     /lib/libc-2.11.1.so
  7f276646c000-7f2766470000 r--p 00179000 fb:02 147402                     /lib/libc-2.11.1.so
  7f2766470000-7f2766471000 rw-p 0017d000 fb:02 147402                     /lib/libc-2.11.1.so
  7f2766471000-7f2766476000 rw-p 00000000 00:00 0
  7f2766476000-7f2766496000 r-xp 00000000 fb:02 147370                     /lib/ld-2.11.1.so
  7f2766689000-7f276668c000 rw-p 00000000 00:00 0
  7f2766693000-7f2766695000 rw-p 00000000 00:00 0
  7f2766695000-7f2766696000 r--p 0001f000 fb:02 147370                     /lib/ld-2.11.1.so
  7f2766696000-7f2766697000 rw-p 00020000 fb:02 147370                     /lib/ld-2.11.1.so
  7f2766697000-7f2766698000 rw-p 00000000 00:00 0
  7fff3660b000-7fff3662c000 rw-p 00000000 00:00 0                          [stack]
  7fff36765000-7fff36766000 r-xp 00000000 00:00 0                          [vdso]
  ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
  Aborted

  When we switch back to a small pid number e.g. by "sysctl -w
  kernel.pid_max = 32768" cron-apt works again. The Problem also just
  occurs if the pid counter reached high values. If pid_max is set high
  but the counter is still low the problem doesn't show up.

  [Test Case]
  The overflow occurs when the decimal representation of the PID value is 7 characters or higher. So, set pid_max to a value that is 7 characters long, run through PIDs until we get one that is at least 7 characters (the while loop may take a long time), then create a lock file containing the PID (building the string containing the PID is where the overflow occurs). Watch for the `echo $BASHPID` and `cat ${lock}.lock` to print out the same PID number and make sure that it is at least 7 characters long.

  Note that this test case obviously depends on a bash'ism, so use bash
  or adjust it as necessary. :)

  $ lock=/var/lock/lockfile-create-test
  $ lockfile-remove $lock
  $ sudo sysctl -w kernel.pid_max=4194304
  $ while ([ $BASHPID -lt 1000000 ]); do continue; done
  $ (echo $BASHPID; lockfile-create $lock --use-pid; cat ${lock}.lock)

  [Regression Potential]
  Minimum. We've applied a patch to the same version of liblockfile in 13.04 and that has since been merged to debian with no reports of regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/liblockfile/+bug/1011477/+subscriptions