Your message dated Sat, 10 Mar 2018 23:17:09 +0000
with message-id <[email protected]>
and subject line Bug#876388: fixed in discover 2.1.2-7.1+deb9u1
has caused the Debian Bug report #876388,
regarding discover: segfaults
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
876388: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876388
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: discover
Version: 2.1.2-7.1
Tags: patch

Running `discover` produces a crash:

    Program received signal SIGSEGV, Segmentation fault.
    __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
    120 ../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
    (gdb) bt
    #0 __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
    #1 0x00007ffff787abfe in __GI___strdup (s=0x555500000000 <error: Cannot access memory at address 0x555500000000>) at strdup.c:41
    #2 0x00007ffff7bcf829 in discover_get_devices () from /usr/lib/libdiscover.so.2
    #3 0x0000555555555a73 in ?? ()
    #4 0x000055555555678e in ?? ()
    #5 0x00007ffff78081c1 in __libc_start_main (main=0x555555555ea3, argc=1, argv=0x7fffffffe358, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe348) at ../csu/libc-start.c:308
    #6 0x000055555555559a in ?? ()

Here is the fix of the problem:

Use the right type for `len`, avoid segmentation fault

`getline()` requires its second parameter to be `size_t *`. On the amd64 platform the size of `unsigned int` is 4 and the size of `size_t` is 8 bytes. Using a wrong pointer type can lead to a stack variables corruption (overwriting with zeros) and a segmentation fault later.

See also similar `len` declarations in `_discover_get_pci_raw_sys()` in the docs and `_discover_get_ata_raw()` / `discover_get_pci_raw_proc()` / `discover_get_usb_raw()` in the source code.

--
With kind regards,
Anatolii Borodin

From 4b7f09a2862fdf8a7811083d88057048f237ef7a Mon Sep 17 00:00:00 2001
From: Anatoly Borodin <[email protected]> Date: Thu, 21 Sep 2017 14:50:52 +0000 Subject: [PATCH] Use the right type for `len`, avoid segmentation fault `getline()` requires its second parameter to be `size_t *`. On the amd64 platform the size of `unsigned int` is 4 and the size of `size_t` is 8 bytes. Using a wrong pointer type can lead to a stack variables corruption (overwriting with zeros) and a segmentation fault later. See also similar `len` declarations in `_discover_get_pci_raw_sys()` in the docs and `_discover_get_ata_raw()` / `discover_get_pci_raw_proc()` / `discover_get_usb_raw()` in the source code. --- sysdeps/linux/pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git sysdeps/linux/pci.c sysdeps/linux/pci.c index 1101f523de1b..42a20d323728 100644 --- sysdeps/linux/pci.c +++ sysdeps/linux/pci.c @@ -160,7 +160,7 @@ _discover_get_pci_raw_sys(void) FILE *f; DIR *pciDir; struct dirent *pci_device_entry; - unsigned int len; + size_t len = 0; char *device_dir, *line, *class, *vendor, *model, *p; char **device_dir_list = NULL; size_t device_dir_list_len, device_dir_index, device_dir_index2; -- 2.14.1
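Review bot: In `_discover_get_pci_raw_sys()`, the context line `char *device_dir, *line, *class, *vendor, *model, *p;` still declares `line` without an initializer, while the changed line now gives `len` one. getline() treats a non-NULL `*lineptr` as a malloc'd buffer of `*n` bytes, so `line` has to be NULL (or a real allocation) before the first call; that assignment is not visible in this hunk, so either confirm it exists further down or initialize it in the declaration as `*line = NULL`. The commit message also names the same `len` declaration in `_discover_get_ata_raw()`, `discover_get_pci_raw_proc()` and `discover_get_usb_raw()`, yet the diffstat shows a single changed line in sysdeps/linux/pci.c; those call sites should get the same `size_t` change in this patch or a tracked follow-up.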
--- End Message ---
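The type mismatch described in the report above can be modelled without undefined behaviour. This is an added example, not code from the bug report or from the discover source: `struct frame`, `clobbered_pointer()` and `longest_line()` are hypothetical names, and the pointer value and sample input are constructed. It emulates a `size_t`-wide store landing on a 4-byte `len` next to a pointer, then shows the corrected `getline()` call pattern.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Model of a stack frame: a 4-byte `len` followed by a pointer-sized slot. */
struct frame {
    unsigned int pad;   /* keeps `len` at offset 4, directly before `ptr` */
    unsigned int len;   /* the mistyped variable */
    uint64_t ptr;       /* stands in for a neighbouring pointer */
};

/* Emulate getline() storing a size_t through the address of `len`.
 * memcpy into the struct keeps the demonstration well defined. */
uint64_t clobbered_pointer(size_t stored)
{
    struct frame f = { 0, 0, UINT64_C(0x0000555555559260) }; /* constructed value */
    memcpy((unsigned char *)&f + offsetof(struct frame, len), &stored, sizeof stored);
    return f.ptr;
}

/* Correct getline() usage: size_t length, NULL buffer, one free at the end. */
size_t longest_line(const char *text)
{
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    char *line = NULL;
    size_t len = 0, longest = 0;
    ssize_t n;

    if (f == NULL)
        return 0;
    while ((n = getline(&line, &len, f)) != -1)
        if ((size_t)n > longest)
            longest = (size_t)n;
    free(line);
    fclose(f);
    return longest;
}

int main(void)
{
    /* Constructed input shaped like sysfs attribute values. */
    const char *sample = "0x8086\n0x1234\n0x030000\n";
    printf("sizeof(unsigned int)=%zu sizeof(size_t)=%zu\n", sizeof(unsigned int), sizeof(size_t));
    printf("pointer after wide store: 0x%012llx\n", (unsigned long long)clobbered_pointer(120));
    printf("longest line: %zu bytes\n", longest_line(sample));
    return 0;
}
```

On a little-endian platform with an 8-byte `size_t`, the modelled pointer keeps its upper half and loses its lower half, the same shape as the `s=0x555500000000` argument in the backtrace. GCC and Clang report the original `unsigned int *` argument under `-Wincompatible-pointer-types`.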
--- Begin Message ---
Source: discover
Source-Version: 2.1.2-7.1+deb9u1

We believe that the bug you reported is fixed in the latest version of discover, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated discover package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Feb 2018 21:38:40 +0200
Source: discover
Binary: discover libdiscover2 libdiscover-dev
Architecture: source
Version: 2.1.2-7.1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Install System Team <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Description:
 discover - hardware identification system
 libdiscover-dev - hardware identification library development files
 libdiscover2 - hardware identification library
Closes: 876388
Changes:
 discover (2.1.2-7.1+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Use correct type for the length parameter of the getline() call,
     thanks to Anatoly Borodin and Simon Quigley for writing and for
     forwarding the patch (Closes: #876388, LP: #1718687).
--- End Message ---

