[Bug 946758] Re: Format string overflow in Monitor.c:check_array
Robie Basak
946758 at bugs.launchpad.net
Thu Jul 5 08:49:23 UTC 2012
I understand that it's not perfect, but this is the fix that is upstream
and in Quantal. If we wanted to fix the problem differently from
upstream, we'd need to also do it in Quantal and carry a delta as a
minimum, and ideally forward the patch to upstream as well.
The format string is 39 bytes long, less two '%d's so 35 (excluding the
null terminator). It does not appear to be i18n-ised. How did you get 41?
"%d" expects a plain int, which is still 32 bits on amd64 on Precise.
And mismatch_cnt is a plain int, so 32 bits too. Or is there an option
somewhere that is making ints bigger? And the second %d is just the raid
level, which I don't expect to be bigger than two decimal digits anyway.
Even if the %d did expand a 64-bit number, then it'd expand to at most
20 bytes (including the sign). Assuming that the raid level is at most
two bytes, the string would be a maximum of 58 bytes including the null
terminator, which is less than the 80 now allocated.
Even if both %ds expanded full 64-bit integers (just in case the user
happens to be using a RAID level of -9223372036854775808), that'd be
35+40+1=76 which is still under 80.
I'm just following the path of least resistance by doing what upstream
has done. We can go beyond that if necessary, by patching Quantal and
ideally upstream as well. I don't think it is necessary here, but I'd
appreciate input from a sponsor on this. If you care, then a new
upstream bug and patch would be appropriate.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mdadm in Ubuntu.
https://bugs.launchpad.net/bugs/946758
Title:
Format string overflow in Monitor.c:check_array
Status in “mdadm” package in Ubuntu:
Fix Released
Status in “mdadm” source package in Precise:
Triaged
Bug description:
SRU Justification
[Impact]
If mdadm --monitor is being used to monitor RAID (very common), then
if a RAID reconstruction completes but with mismatches detected by the
kernel, and the number of mismatches is more than 99, then mdadm
crashes due to a buffer overflow. This will cause the loss of RAID
monitoring, possibly without the administrator noticing. This could
cause loss of data if a future RAID failure is not detected because
monitoring has failed.
[Test Case]
0. Check that mdadm --monitor is running (it should be already on a md-based RAID system by default).
1. Arrange for RAID reconstruction to complete but with a large number of mismatches (difficult!).
2. Check if mdadm is still running. It should be, but this bug causes it to crash.
[Regression Potential]
The fix is taken from upstream and is trivial. The code change is
solely in the monitoring code that runs when reconstruction is
complete. If there is a regression, it is most likely to be in another
similar C memory mismanagement bug that was already present in the
monitoring code.
Original message:
possibly dupe of #946344
on the off chance it's a new one, created accordingly.
ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: mdadm 3.2.3-2ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-17.27-generic-pae 3.2.6
Uname: Linux 3.2.0-17-generic-pae i686
NonfreeKernelModules: nvidia
ApportVersion: 1.94-0ubuntu1
Architecture: i386
Date: Sun Mar 4 01:58:16 2012
ExecutablePath: /sbin/mdadm
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha i386 (20120201.2)
MDadmExamine.dev.sda:
/dev/sda:
MBR Magic : aa55
Partition[0] : 54687744 sectors at 2048 (type fd)
Partition[1] : 433587772 sectors at 54691838 (type 05)
MDadmExamine.dev.sda2:
/dev/sda2:
MBR Magic : aa55
Partition[0] : 431634357 sectors at 1953415 (type fd)
Partition[1] : 1951745 sectors at 1 (type 05)
MDadmExamine.dev.sdb:
/dev/sdb:
MBR Magic : aa55
Partition[0] : 54687744 sectors at 2048 (type fd)
Partition[1] : 433587772 sectors at 54691838 (type 05)
MDadmExamine.dev.sdb2:
/dev/sdb2:
MBR Magic : aa55
Partition[0] : 431634357 sectors at 1953415 (type fd)
Partition[1] : 1951745 sectors at 1 (type 05)
MDadmExamine.dev.sdc: Error: command ['/sbin/mdadm', '-E', '/dev/sdc'] failed with exit code 1: mdadm: cannot open /dev/sdc: No medium found
MDadmExamine.dev.sdd: Error: command ['/sbin/mdadm', '-E', '/dev/sdd'] failed with exit code 1: mdadm: cannot open /dev/sdd: No medium found
MDadmExamine.dev.sde: Error: command ['/sbin/mdadm', '-E', '/dev/sde'] failed with exit code 1: mdadm: cannot open /dev/sde: No medium found
MDadmExamine.dev.sdf: Error: command ['/sbin/mdadm', '-E', '/dev/sdf'] failed with exit code 1: mdadm: cannot open /dev/sdf: No medium found
MachineType: Dell Inc. Inspiron 530
ProcCmdline: /sbin/mdadm --monitor --pid-file /var/run/mdadm/monitor.pid --daemonise --scan --syslog
ProcEnviron:
TERM=linux
PATH=(custom, no user)
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.2.0-17-generic-pae root=UUID=4de18d92-4134-4795-943f-3cf94658f0d1 ro quiet splash vt.handoff=7
Signal: 6
SourcePackage: mdadm
StacktraceTop:
raise () from /lib/i386-linux-gnu/libc.so.6
abort () from /lib/i386-linux-gnu/libc.so.6
?? () from /lib/i386-linux-gnu/libc.so.6
__fortify_fail () from /lib/i386-linux-gnu/libc.so.6
__chk_fail () from /lib/i386-linux-gnu/libc.so.6
Title: mdadm crashed with SIGABRT in raise()
UpgradeStatus: Upgraded to precise on 2012-02-09 (24 days ago)
UserGroups:
dmi.bios.date: 03/20/2008
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.0.13
dmi.board.name: 0FM586
dmi.board.vendor: Dell Inc.
dmi.board.version: ���
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.chassis.version: OEM
dmi.modalias: dmi:bvnDellInc.:bvr1.0.13:bd03/20/2008:svnDellInc.:pnInspiron530:pvr:rvnDellInc.:rn0FM586:rvr:cvnDellInc.:ct3:cvrOEM:
dmi.product.name: Inspiron 530
dmi.sys.vendor: Dell Inc.
etc.blkid.tab: Error: [Errno 2] No such file or directory: '/etc/blkid.tab'
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mdadm/+bug/946758/+subscriptions
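The length arithmetic in the reply above, carried out in code. This is an added example and is not part of the original e-mail or of mdadm's own source. The format string is a stand-in with the same shape the reply describes (two %d conversions and 35 fixed bytes); the exact text from Monitor.c in mdadm 3.2.3 is not quoted on this page. The 80-byte buffer is the size the reply says is allocated after the fix; the 40-byte pre-fix size is an assumption, chosen so that the example reproduces the "more than 99 mismatches" boundary from the bug description for a two-digit RAID level. The example counts the fixed bytes, formats the widest possible 32-bit and 64-bit values to get the worst case, and shows the bounded snprintf pattern that can never overrun regardless of the numbers:

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in format string (assumption): same shape as the one discussed
 * for Monitor.c:check_array, two %d conversions and 35 fixed bytes, as
 * the reply counts them. The real text from mdadm 3.2.3 is not quoted
 * on this page.
 */
#define MSG_FMT    "mismatches found: %d (on raid level %d)"
/* The same message with 64-bit conversions, for the "what if" in the reply. */
#define MSG_FMT_LL "mismatches found: %lld (on raid level %lld)"

/* Assumed buffer sizes: the pre-fix size is not given on this page;
 * 80 is the size the reply says is allocated after the fix. */
#define OLD_BUF_SIZE 40
#define NEW_BUF_SIZE 80

/* Bytes of fmt that are copied literally, i.e. everything outside a
 * %[length-modifier]conversion directive. Does not handle "%%". */
static size_t fixed_len(const char *fmt)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            n++;
            continue;
        }
        p++;                                  /* step past '%' */
        while (*p && strchr("hlLqjzt", *p))   /* skip length modifiers */
            p++;
        if (!*p)                              /* malformed trailing '%' */
            break;
        /* *p is now the conversion letter; the for loop steps over it */
    }
    return n;
}

/* Worst-case output length (excluding the NUL) when both %d receive the
 * widest 32-bit int, INT_MIN = "-2147483648" (11 bytes). */
static size_t worst_case_int(void)
{
    int n = snprintf(NULL, 0, MSG_FMT, INT_MIN, INT_MIN);
    return n < 0 ? 0 : (size_t)n;
}

/* Same for 64-bit: LLONG_MIN = "-9223372036854775808" (20 bytes). */
static size_t worst_case_ll(void)
{
    int n = snprintf(NULL, 0, MSG_FMT_LL, LLONG_MIN, LLONG_MIN);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the message for these values, plus its NUL, fits in bufsize bytes. */
static int fits(size_t bufsize, int mismatch_cnt, int level)
{
    int n = snprintf(NULL, 0, MSG_FMT, mismatch_cnt, level);
    return n >= 0 && (size_t)n + 1 <= bufsize;
}

/* Bounded formatting: never writes past buf[bufsize-1]. Returns 1 on
 * success, 0 if the output was truncated (buf is still NUL-terminated). */
static int format_msg(char *buf, size_t bufsize, int mismatch_cnt, int level)
{
    int n = snprintf(buf, bufsize, MSG_FMT, mismatch_cnt, level);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void)
{
    char buf[NEW_BUF_SIZE];

    printf("fixed bytes in format:        %zu\n", fixed_len(MSG_FMT));
    printf("worst case, two 32-bit ints:  %zu (+1 NUL)\n", worst_case_int());
    printf("worst case, two 64-bit ints:  %zu (+1 NUL)\n", worst_case_ll());

    /* the boundary the bug report describes: 2 digits fit, 3 do not */
    printf("99 mismatches, level 10 in %d bytes:  %s\n", OLD_BUF_SIZE,
           fits(OLD_BUF_SIZE, 99, 10) ? "fits" : "OVERFLOW");
    printf("100 mismatches, level 10 in %d bytes: %s\n", OLD_BUF_SIZE,
           fits(OLD_BUF_SIZE, 100, 10) ? "fits" : "OVERFLOW");

    if (format_msg(buf, sizeof buf, 100, 10))
        printf("%d-byte buffer: \"%s\"\n", NEW_BUF_SIZE, buf);
    return 0;
}
```

With these assumed sizes the numbers come out as in the reply: 35 fixed bytes, 35 + 2 * 11 = 57 for two 32-bit ints and 35 + 2 * 20 = 75 for two 64-bit ones, both under 80 once the terminator is added. Enlarging the buffer is the upstream fix; replacing sprintf with snprintf and checking its return value, as format_msg does, removes the dependency on that arithmetic being right. The stack trace in the report (__chk_fail reached via __fortify_fail) is glibc's _FORTIFY_SOURCE check aborting the process when the fortified sprintf sees output exceeding the destination's known size, which is why the symptom was SIGABRT rather than silent stack corruption.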