shouldn't a non-privileged malformed sprintf crash the kernel

From: Toralf Förster
Date: Sun Feb 17 2013 - 05:42:31 EST


This is the 2nd time in a row that a stable kernel (3.7.8 currently) crashes in such a way
that even the sys-rq key doesn't work any longer.
Found nothing in the log. The screen shot is here [1]. First time this issue was reported in [2].

The bug seems to be triggered by the BOINC client - I'm running the alpha version of it [3].

I'm wondering whether the sprintf issue discussed in [4] is the trigger for the bug
(I attached that message here b/c the BOINC devs don't allow even read access
to the mail archive w/o registering).


@boinc_devs
IMO it would be helpful to store the pid of the BOINC clients to stdoutdae.txt too, or where can I find it?



[1] http://ompldr.org/vaGh0MQ
[2] http://thread.gmane.org/gmane.linux.kernel/1438965
[3] https://boinc.berkeley.edu/dev/forum_thread.php?id=6698#46649
[4] http://lists.ssl.berkeley.edu/mailman/private/boinc_dev/2013-February/019545.html

--
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
--- Begin Message ---
Much of the code was written by students a decade ago.

-----Original Message-----
From: boinc_dev-bounces@xxxxxxxxxxxxxxxx [mailto:boinc_dev-bounces@xxxxxxxxxxxxxxxx] On Behalf Of Jeffrey Walton
Sent: Wednesday, February 13, 2013 8:01 PM
To: Toralf Förster
Cc: boinc_dev@xxxxxxxxxxxxxxxx
Subject: Re: [boinc_dev] add time stamp to a back trace

Hi All,

A quick post-mortem....

> /lib/libc.so.6(__fortify_fail+0x50)[0xb7438d20]
FORTIFY_SOURCES=2. Fortify Sources will use a 'safer' string or memory
function when the compiler can deduce buffer sizes.

> /lib/libc.so.6(__sprintf_chk+0x2d)[0xb743638d]
Sigh.... a banned function complicit in an overflow caught by Fortify Sources.

The compiler apparently deduced a buffer size, and changed
`sprintf(buff, str,...)` to `snprintf(buff, sizeof(buff), str,...)`

> Well, might not be too useful but nevertheless
The particular problem is irrelevant at the moment. However, the
general problem is much more interesting.

It appears there are problems in the engineering process. In the
general case, it's the use of 'unsafe' functions (in 2013!).

Fix the engineering process by requiring use of 'safer' string and
memory functions. Then figure out where things went wrong on
particular instances of the problem.

Jeff

On Wed, Feb 13, 2013 at 3:11 PM, Toralf Förster <toralf.foerster@xxxxxx> wrote:
> Today I stumbled over a backtrace in stderrdae.txt.
> But I can't tell you which boinc client version was affected nor when it occurred.
> Is there any chance to add such info too to that file?
>
>
> Well, might not be too useful but nevertheless for the record here it is (stable Gentoo x86 + boinc client >= 7.0.36) :
>
>
> *** buffer overflow detected ***: /usr/bin/boinc_client terminated
> ======= Backtrace: =========
> /lib/libc.so.6(__fortify_fail+0x50)[0xb7438d20]
> /lib/libc.so.6(+0xe9cab)[0xb7436cab]
> /lib/libc.so.6(+0xe9398)[0xb7436398]
> /lib/libc.so.6(_IO_default_xsputn+0x9d)[0xb73b998d]
> /lib/libc.so.6(_IO_vfprintf+0x19f2)[0xb738ed12]
> /lib/libc.so.6(__vsprintf_chk+0xa6)[0xb7436446]
> /lib/libc.so.6(__sprintf_chk+0x2d)[0xb743638d]
> /usr/bin/boinc_client[0x80a3b14]
> /usr/bin/boinc_client[0x80a4602]
> /usr/bin/boinc_client[0x80a0575]
> /usr/bin/boinc_client[0x805f163]
> /usr/bin/boinc_client[0x80ae08b]
> /usr/bin/boinc_client[0x80ae2eb]
> /lib/libc.so.6(__libc_start_main+0xe7)[0xb73673d7]
> /usr/bin/boinc_client[0x804cd11]
> ======= Memory map: ========
> SIGABRT: abort called
> Stack trace (21 frames):
> /usr/bin/boinc_client(boinc_catch_signal+0x6f)[0x80d020f]
> [0xb7730400]
> [0xb7730424]
> /lib/libc.so.6(gsignal+0x52)[0xb737b0f2]
> /lib/libc.so.6(abort+0x17c)[0xb737c8bc]
> /lib/libc.so.6(+0x68b3b)[0xb73b5b3b]
> /lib/libc.so.6(__fortify_fail+0x50)[0xb7438d20]
> /lib/libc.so.6(+0xe9cab)[0xb7436cab]
> /lib/libc.so.6(+0xe9398)[0xb7436398]
> /lib/libc.so.6(_IO_default_xsputn+0x9d)[0xb73b998d]
> /lib/libc.so.6(_IO_vfprintf+0x19f2)[0xb738ed12]
> /lib/libc.so.6(__vsprintf_chk+0xa6)[0xb7436446]
> /lib/libc.so.6(__sprintf_chk+0x2d)[0xb743638d]
> /usr/bin/boinc_client[0x80a3b14]
> /usr/bin/boinc_client[0x80a4602]
> /usr/bin/boinc_client[0x80a0575]
> /usr/bin/boinc_client[0x805f163]
> /usr/bin/boinc_client[0x80ae08b]
> /usr/bin/boinc_client[0x80ae2eb]
> /lib/libc.so.6(__libc_start_main+0xe7)[0xb73673d7]
> /usr/bin/boinc_client[0x804cd11]
>
> Exiting...
>
>
> --
> MfG/Sincerely
> Toralf Förster
> pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
> _______________________________________________
> boinc_dev mailing list
> boinc_dev@xxxxxxxxxxxxxxxx
> http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
> To unsubscribe, visit the above URL and
> (near bottom of page) enter your email address.

--- End Message ---
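As an added example, not code from this thread or from the BOINC project, here is the kind of bounded formatting helper Jeff's reply calls for, with the unsafe sprintf pattern it replaces kept only as a comment. The function names fmt_bounded and build_slot_path and the path strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern from the thread (shown only as a comment, never compiled):
 *   char buf[64];
 *   sprintf(buf, "%s/%s", dir, name);   // overflows once dir+name >= 64
 * With -D_FORTIFY_SOURCE=2 and optimisation, gcc rewrites such a call into
 * __sprintf_chk(buf, flag, sizeof buf, ...); when the output does not fit,
 * glibc calls __fortify_fail and aborts with "*** buffer overflow detected ***"
 * instead of corrupting the stack. That abort is what the backtrace shows. */

/* Bounded formatting: returns 0 on success, -1 if the result did not fit.
 * buf is always NUL-terminated; on truncation it is emptied so a caller can
 * never mistake a half-written string for a valid one. */
int fmt_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* never writes past size bytes */
    va_end(ap);
    if (n < 0 || (size_t)n >= size) {    /* n >= size means truncated */
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical path-building helper: dir and name are caller-supplied, so
 * the combined length is not known in advance and must be checked. */
int build_slot_path(char *out, size_t size, const char *dir, const char *name)
{
    return fmt_bounded(out, size, "%s/%s", dir, name);
}

int main(void)
{
    char path[32];
    /* Constructed sample inputs: one fits, one would overflow 32 bytes. */
    if (build_slot_path(path, sizeof path, "/var/lib/boinc", "slots") == 0)
        printf("ok: %s\n", path);
    if (build_slot_path(path, sizeof path, "/var/lib/boinc/slots/2",
                        "boinc_mmap_file") != 0)
        printf("rejected: result would not fit in %zu bytes\n", sizeof path);
    return 0;
}
```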