
[Xen-bugs] [Bug 1077] New: *** buffer overflow detected ***: qcow-create terminated



http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1077

           Summary: *** buffer overflow detected ***: qcow-create terminated
           Product: Xen
           Version: unstable
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Tools
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: fleitner@xxxxxxxxxx


qcow-create fails, printing '*** buffer overflow detected ***' followed by a backtrace.

Steps to Reproduce:

dd if=/dev/zero of=backing.store.img bs=1M count=10
yes|mke2fs -y -j backing.store.img
qcow-create 10 qcow.img backing.store.img 
Optind 1, argc 4
Creating file size 10485760, name qcow.img
*** buffer overflow detected ***: qcow-create terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x30d131]
/lib/libc.so.6[0x30d878]
qcow-create[0x804e650]
qcow-create[0x804fb2f]
/lib/libc.so.6(__libc_start_main+0xdc)[0x240dec]
qcow-create[0x8048de1]
======= Memory map: ========

The code in question does:
block-qcow.c
...
1215 int qcow_create(const char *filename, uint64_t total_size,
1216                 const char *backing_file, int sparse)
1217 {
1218         int fd, header_size, backing_filename_len, l1_size, i;
1219         int shift, length, adjust, flags = 0, ret = 0;
1220         QCowHeader header;
1221         QCowHeader_ext exthdr;
1222         char backing_filename[1024], *ptr;
1223         uint64_t tmp, size, total_length;
1224         struct stat st;
1225
1226         DPRINTF("Qcow_create: size %llu\n",(long long unsigned)total_size);
...
1254                         } else {
1255                                 realpath(backing_file, backing_filename);
1256                                 if (stat(backing_filename, &st) != 0) {
1257                                         return -1;
1258                                 }
...

On line 1255, glibc's fortified realpath() wrapper checks the size of backing_filename, which is only 1024 bytes; see:
 25 char *
 26 __realpath_chk (const char *buf, char *resolved, size_t resolvedlen)
 27 {
 28 #ifdef PATH_MAX
 29   if (resolvedlen < PATH_MAX)
 30     __chk_fail ();
 31
 32   return __realpath (buf, resolved);
 33 #else
 34   long int pathmax =__pathconf (buf, _PC_PATH_MAX);
 35   if (pathmax != -1)
...
If the buffer size is less than PATH_MAX, __chk_fail() prints the 'buffer overflow'
message and aborts with a backtrace.

The fix is just to change block-qcow.c:1222:
-       char backing_filename[1024], *ptr;
+       char backing_filename[PATH_MAX], *ptr;
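Review bot: the size change at 1222 leaves the realpath() call at 1255 unchecked: realpath() returns NULL with errno set when backing_file does not exist, contains a symlink loop or is too long, and the stat() at 1256 then runs on whatever the uninitialised backing_filename happened to contain. Suggest `if (realpath(backing_file, backing_filename) == NULL) return -1;` at 1255, and confirming that <limits.h> is included so PATH_MAX is defined here; note that the glibc code quoted above guards PATH_MAX with #ifdef, so a platform without it would no longer compile this declaration.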

which is correct according to realpath(3).
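A hardened version of the realpath()/stat() step, added here as an illustration and not taken from Xen's block-qcow.c: it sizes the buffer to PATH_MAX so glibc's fortified check passes, and also checks realpath()'s return value, which the original code omits. The function names resolve_backing_file and resolved_path are assumed, and "/." is a constructed sample input.

```c
#define _XOPEN_SOURCE 700   /* declare realpath() under strict -std= modes */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical hardened replacement for the realpath()/stat() step of
 * qcow_create() (example code, not Xen's). Resolves backing_file into the
 * caller's buffer and confirms the target exists.
 * Returns 0 on success, -1 on failure with errno set. */
int resolve_backing_file(const char *backing_file, char *out, size_t outlen)
{
    /* Sized to PATH_MAX: with _FORTIFY_SOURCE, glibc's __realpath_chk()
     * aborts the process when the destination is smaller than PATH_MAX,
     * which is exactly what the 1024-byte buffer in the report triggered. */
    char resolved[PATH_MAX];
    struct stat st;

    if (backing_file == NULL || out == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* realpath() returns NULL with errno set (ENOENT, ELOOP, ENAMETOOLONG...)
     * instead of filling the buffer; the original code never checked this. */
    if (realpath(backing_file, resolved) == NULL)
        return -1;
    if (stat(resolved, &st) != 0)
        return -1;
    /* Copy out with an explicit length check rather than trusting outlen. */
    size_t n = strlen(resolved);
    if (n + 1 > outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, resolved, n + 1);
    return 0;
}

/* Convenience wrapper returning the resolved path in a static buffer,
 * or NULL (errno set) on failure. */
const char *resolved_path(const char *backing_file)
{
    static char buf[PATH_MAX];
    return resolve_backing_file(backing_file, buf, sizeof buf) == 0 ? buf : NULL;
}
```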

