WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-bugs

[Xen-bugs] [Bug 1077] New: *** buffer overflow detected ***: qcow-create

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 1077] New: *** buffer overflow detected ***: qcow-create terminated
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Thu, 4 Oct 2007 13:15:31 -0700
Delivery-date: Thu, 04 Oct 2007 13:16:04 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=1077

           Summary: *** buffer overflow detected ***: qcow-create terminated
           Product: Xen
           Version: unstable
          Platform: x86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Tools
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: fleitner@xxxxxxxxxx


qcow-create fails printing '*** buffer overflow detected ***' with a backtrace.

Steps to Reproduce:

dd if=/dev/zero of=backing.store.img bs=1M count=10
yes|mke2fs -y -j backing.store.img
qcow-create 10 qcow.img backing.store.img 
Optind 1, argc 4
Creating file size 10485760, name qcow.img
*** buffer overflow detected ***: qcow-create terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x30d131]
/lib/libc.so.6[0x30d878]
qcow-create[0x804e650]
qcow-create[0x804fb2f]
/lib/libc.so.6(__libc_start_main+0xdc)[0x240dec]
qcow-create[0x8048de1]
======= Memory map: ========

The code in question does:
block-qcow.c
...
1215 int qcow_create(const char *filename, uint64_t total_size,
1216                 const char *backing_file, int sparse)
1217 {
1218         int fd, header_size, backing_filename_len, l1_size, i;
1219         int shift, length, adjust, flags = 0, ret = 0;
1220         QCowHeader header;
1221         QCowHeader_ext exthdr;
1222         char backing_filename[1024], *ptr;
1223         uint64_t tmp, size, total_length;
1224         struct stat st;
1225
1226         DPRINTF("Qcow_create: size %llu\n",(long long unsigned)total_size);
...
1254                         } else {
1255                                 realpath(backing_file, backing_filename);
1256                                 if (stat(backing_filename, &st) != 0) {
1257                                         return -1;
1258                                 }
...

On line 1255 glibc can check for backing_filename size which is 1024, see:
char *
__realpath_chk (const char *buf, char *resolved, size_t resolvedlen)
{
#ifdef PATH_MAX
  if (resolvedlen < PATH_MAX)
    __chk_fail ();

  return __realpath (buf, resolved);
#else
  long int pathmax = __pathconf (buf, _PC_PATH_MAX);
  if (pathmax != -1)
...
If the buffer size is less than PATH_MAX it will print the 'buffer overflow'
message and exit with backtrace.

The fix is just to change block-qcow.c:1222
-       char backing_filename[1024], *ptr;
+       char backing_filename[PATH_MAX], *ptr;
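
Review bot: the + line at block-qcow.c:1222 depends on PATH_MAX being defined, and the #else branch in the glibc excerpt above shows that is not guaranteed on every system; confirm <limits.h> is included in block-qcow.c and decide what the build should do where PATH_MAX is absent. Separately, the call at line 1255 discards the return value of realpath(), so on failure backing_filename is undefined when it reaches stat() on line 1256; a larger buffer does not change that. Suggest `if (realpath(backing_file, backing_filename) == NULL) return -1;` in the same change.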

which is correct according to realpath(3).


-- 
Configure bugmail: 
http://bugzilla.xensource.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs
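
The following is an added example, not part of the original bug report or the Xen source. It shows two ways to canonicalise a backing-file path without tripping the fortified realpath() check described above: a caller-supplied buffer that is verified to be at least PATH_MAX bytes, and the allocating form realpath(path, NULL) from POSIX.1-2008. The function names and sample paths are hypothetical.

```c
#define _XOPEN_SOURCE 700  /* expose realpath() and PATH_MAX under strict -std modes */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Hypothetical helper, not from block-qcow.c. Canonicalises backing_file into
 * out. realpath(3) needs out to hold PATH_MAX bytes, so smaller buffers are
 * rejected here instead of aborting inside __realpath_chk.
 * Returns 0 on success, -1 with errno set on failure. */
int resolve_backing_file(const char *backing_file, char *out, size_t outlen)
{
    struct stat st;

    if (backing_file == NULL || out == NULL || outlen < PATH_MAX) {
        errno = EINVAL;
        return -1;
    }
    /* On failure realpath() returns NULL and the contents of out are undefined. */
    if (realpath(backing_file, out) == NULL)
        return -1;
    return stat(out, &st) == 0 ? 0 : -1;
}

/* Variant with no fixed-size buffer: realpath(path, NULL) allocates the
 * result with malloc(). The caller frees it. Returns NULL on failure. */
char *resolve_backing_file_alloc(const char *backing_file)
{
    struct stat st;
    char *resolved;

    if (backing_file == NULL) { errno = EINVAL; return NULL; }
    resolved = realpath(backing_file, NULL);
    if (resolved != NULL && stat(resolved, &st) != 0) {
        free(resolved);
        resolved = NULL;
    }
    return resolved;
}

int main(int argc, char **argv)
{
    char buf[PATH_MAX];
    const char *path = argc > 1 ? argv[1] : "/.";  /* constructed default input */
    if (resolve_backing_file(path, buf, sizeof buf) != 0) { perror(path); return 1; }
    puts(buf);
    return 0;
}
```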