[Bug 946758] Re: Format string overflow in Monitor.c:check_array

Robie Basak 946758 at bugs.launchpad.net
Wed Jul 4 09:14:03 UTC 2012


Debdiff attached, which backports the upstream fix. Note that the return
value of snprintf isn't being checked, which ideally it should be to
code this defensively. But that's what upstream have done, and with
32-bit integers an 80-byte buffer will always be big enough in this
case, so I think it is acceptable for Precise.

I have test built this, but have not done any further testing as I don't
have suitable hardware available. This is one of those cases where the
fix is trivial yet testing is very awkward.

** Patch added: "mdadm.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/946758/+attachment/3212980/+files/mdadm.debdiff

-- 
https://bugs.launchpad.net/bugs/946758

Title:
  Format string overflow in Monitor.c:check_array

Status in “mdadm” package in Ubuntu:
  Fix Released
Status in “mdadm” source package in Precise:
  Triaged

Bug description:
  SRU Justification

  [Impact]

  If mdadm --monitor is being used to monitor RAID (very common), then
  if a RAID reconstruction completes but with mismatches detected by the
  kernel, and the number of mismatches is more than 99, then mdadm
  crashes due to a buffer overflow. This will cause the loss of RAID
  monitoring, possibly without the administrator noticing. This could
  cause loss of data if a future RAID failure is not detected because
  monitoring has failed.

  [Test Case]

  0. Check that mdadm --monitor is running (it should be already on a md-based RAID system by default).
  1. Arrange for RAID reconstruction to complete but with a large number of mismatches (difficult!).
  2. Check if mdadm is still running. It should be, but this bug causes it to crash.

  [Regression Potential]

  The fix is taken from upstream and is trivial. The code change is
  solely in the monitoring code that runs when reconstruction is
  complete. If there is a regression, it is most likely to be in another
  similar C memory mismanagement bug that was already present in the
  monitoring code.

  Original message:

  possibly dupe of #946344
  on the off chance it's a new, created accordingly.

  ProblemType: Crash
  DistroRelease: Ubuntu 12.04
  Package: mdadm 3.2.3-2ubuntu1
  ProcVersionSignature: Ubuntu 3.2.0-17.27-generic-pae 3.2.6
  Uname: Linux 3.2.0-17-generic-pae i686
  NonfreeKernelModules: nvidia
  ApportVersion: 1.94-0ubuntu1
  Architecture: i386
  Date: Sun Mar  4 01:58:16 2012
  ExecutablePath: /sbin/mdadm
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha i386 (20120201.2)
  MDadmExamine.dev.sda:
   /dev/sda:
      MBR Magic : aa55
   Partition[0] :     54687744 sectors at         2048 (type fd)
   Partition[1] :    433587772 sectors at     54691838 (type 05)
  MDadmExamine.dev.sda2:
   /dev/sda2:
      MBR Magic : aa55
   Partition[0] :    431634357 sectors at      1953415 (type fd)
   Partition[1] :      1951745 sectors at            1 (type 05)
  MDadmExamine.dev.sdb:
   /dev/sdb:
      MBR Magic : aa55
   Partition[0] :     54687744 sectors at         2048 (type fd)
   Partition[1] :    433587772 sectors at     54691838 (type 05)
  MDadmExamine.dev.sdb2:
   /dev/sdb2:
      MBR Magic : aa55
   Partition[0] :    431634357 sectors at      1953415 (type fd)
   Partition[1] :      1951745 sectors at            1 (type 05)
  MDadmExamine.dev.sdc: Error: command ['/sbin/mdadm', '-E', '/dev/sdc'] failed with exit code 1: mdadm: cannot open /dev/sdc: No medium found
  MDadmExamine.dev.sdd: Error: command ['/sbin/mdadm', '-E', '/dev/sdd'] failed with exit code 1: mdadm: cannot open /dev/sdd: No medium found
  MDadmExamine.dev.sde: Error: command ['/sbin/mdadm', '-E', '/dev/sde'] failed with exit code 1: mdadm: cannot open /dev/sde: No medium found
  MDadmExamine.dev.sdf: Error: command ['/sbin/mdadm', '-E', '/dev/sdf'] failed with exit code 1: mdadm: cannot open /dev/sdf: No medium found
  MachineType: Dell Inc. Inspiron 530
  ProcCmdline: /sbin/mdadm --monitor --pid-file /var/run/mdadm/monitor.pid --daemonise --scan --syslog
  ProcEnviron:
   TERM=linux
   PATH=(custom, no user)
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-17-generic-pae root=UUID=4de18d92-4134-4795-943f-3cf94658f0d1 ro quiet splash vt.handoff=7
  Signal: 6
  SourcePackage: mdadm
  StacktraceTop:
   raise () from /lib/i386-linux-gnu/libc.so.6
   abort () from /lib/i386-linux-gnu/libc.so.6
   ?? () from /lib/i386-linux-gnu/libc.so.6
   __fortify_fail () from /lib/i386-linux-gnu/libc.so.6
   __chk_fail () from /lib/i386-linux-gnu/libc.so.6
  Title: mdadm crashed with SIGABRT in raise()
  UpgradeStatus: Upgraded to precise on 2012-02-09 (24 days ago)
  UserGroups:

  dmi.bios.date: 03/20/2008
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: 1.0.13
  dmi.board.name: 0FM586
  dmi.board.vendor: Dell Inc.
  dmi.board.version: ���
  dmi.chassis.type: 3
  dmi.chassis.vendor: Dell Inc.
  dmi.chassis.version: OEM
  dmi.modalias: dmi:bvnDellInc.:bvr1.0.13:bd03/20/2008:svnDellInc.:pnInspiron530:pvr:rvnDellInc.:rn0FM586:rvr:cvnDellInc.:ct3:cvrOEM:
  dmi.product.name: Inspiron 530
  dmi.sys.vendor: Dell Inc.
  etc.blkid.tab: Error: [Errno 2] No such file or directory: '/etc/blkid.tab'
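
The point made in the message about checking snprintf's return value, as an added example (not the mdadm source and not the attached debdiff). The format string and the 22-byte buffer are hypothetical stand-ins, sized so that a count above 99 no longer fits; 80 is the buffer size named in the message.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical format and sizes: the page does not quote Monitor.c,
 * so these are constructed for illustration only. */
#define MISMATCH_FMT " mismatches found: %d"
#define SMALL_BUF 22   /* constructed: fits a two-digit count plus NUL */
#define FIXED_BUF 80   /* buffer size named in the message above */

/* Bytes needed (including the NUL) to format `count`. snprintf with a
 * zero size writes nothing and returns the would-be length. */
static int needed_bytes(int count)
{
    int n = snprintf(NULL, 0, MISMATCH_FMT, count);
    return n < 0 ? -1 : n + 1;
}

/* Bounded formatter that also checks snprintf's return value.
 * Returns 0 on success, -1 on an encoding error or truncation. */
static int format_mismatches(char *buf, size_t size, int count)
{
    int n = snprintf(buf, size, MISMATCH_FMT, count);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            buf[0] = '\0';   /* never hand back a truncated message */
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[SMALL_BUF], fixed[FIXED_BUF];

    printf("99 needs %d bytes, 100 needs %d, INT_MIN needs %d\n",
           needed_bytes(99), needed_bytes(100), needed_bytes(INT_MIN));
    printf("small buffer, count 100: %d\n",
           format_mismatches(small, sizeof small, 100));
    printf("80-byte buffer, INT_MIN: %d -> \"%s\"\n",
           format_mismatches(fixed, sizeof fixed, INT_MIN), fixed);
    return 0;
}
```

With this stand-in format the widest 32-bit value needs 31 bytes, which is the same kind of worst-case bound the message relies on when it accepts the unchecked call into an 80-byte buffer.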
