Public bug reported:

The attached file bug.c shows the bug.  Use the following input files:

------ input1 ------
THIS IS LINE 11
1234 56 7890 AB
------  end of input1 ------

------ input2 ------
THIS IS LINE 11
THIS IS LINE 22
THIS IS LINE 33
------ end of input2 ------

Has the same problem using gcc or clang:

Example runs:
---->~/bug
linux-12[398]$ clang bug.c

---->~/bug
linux-12[399]$ ./a.out < input1
THIS IS LINE 11
1234 56 7890 AB

---->~/bug
linux-12[400]$ clang -DWRONG bug.c

---->~/bug
linux-12[401]$ ./a.out < input1
THIS IS LINE 11
1234 56 7890 AB
1234 56 7890 AB

---->~/bug
linux-12[402]$

./a.out < input2 will produce an infinite loop.

This works on NetBSD:
---->~/bug
mirror[148]$ uname -a
NetBSD mirror.ldc.cs.wwu.edu 6.1.5 NetBSD 6.1.5 (GENERIC) i386

---->~/bug
mirror[149]$ gcc bug.c 

---->~/bug
mirror[150]$ ./a.out < input
THIS IS LINE 11
1234 56 7890 AB

---->~/bug
mirror[151]$ gcc -DWRONG bug.c

---->~/bug
mirror[152]$ ./a.out < input
THIS IS LINE 11
1234 56 7890 AB

---->~/bug
mirror[153]$ ./a.out < input2
THIS IS LINE 11
THIS IS LINE 22
THIS IS LINE 33

---->~/bug
mirror[154]$ 

-------- reason ------

The stdio code called by exit(3) uses lseek to reset the file
pointer to the start of the unused portion of the buffer read from the
file. This sounds like a good idea except that both the parent and the
child share the same file pointer. So the parent uses the rest of the
buffer and then reads from the file at the location where the child
reset the pointer to when it exited. Thus, the parent rereads part of
the file because of the child's lseek. In extreme cases, as with input2
above, this can end up in an infinite loop.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-libc-dev 4.4.0-64.85
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Wed Mar  1 12:37:11 2017

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: amd64 apport-bug xenial

** Attachment added: "bug.c -- a program showing the bug"
   https://bugs.launchpad.net/bugs/1669149/+attachment/4829322/+files/bug.c

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1669149

Title:
  improper lseek in stdio code called via exit(3)

Status in linux package in Ubuntu:
  Confirmed
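
The mechanism given under "reason" in the report, as an added example (this is not the attached bug.c, which is not reproduced on this page). It reads a constructed three-line file through stdio and forks after every line; the function name, the temp-file template and the line cap are assumptions of the example. With _exit(2) in the child the parent reads exactly three lines; on a libc whose exit(3) repositions input streams, the exit() case rereads lines until it hits the cap.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample input, same shape as input2 in the report. */
static const char SAMPLE[] =
    "THIS IS LINE 11\nTHIS IS LINE 22\nTHIS IS LINE 33\n";

/* Read SAMPLE through stdio, forking a child after every line.
 * child_uses_exit != 0: child calls exit(3), which runs stdio cleanup.
 * child_uses_exit == 0: child calls _exit(2), which skips it.
 * Returns the number of lines the parent read, capped at max_lines so a
 * rewound offset cannot loop forever; -1 on setup failure. */
int lines_seen_by_parent(int child_uses_exit, int max_lines)
{
    char path[] = "/tmp/forkseekXXXXXX";   /* hypothetical temp name */
    char line[64];
    int fd = mkstemp(path), count = 0;
    FILE *fp;
    if (fd < 0) return -1;
    unlink(path);                          /* file lives only as long as fd */
    if (write(fd, SAMPLE, sizeof SAMPLE - 1) != (ssize_t)(sizeof SAMPLE - 1)
        || lseek(fd, 0, SEEK_SET) != 0 || (fp = fdopen(fd, "r")) == NULL) {
        close(fd);
        return -1;
    }
    while (count < max_lines && fgets(line, sizeof line, fp) != NULL) {
        count++;
        pid_t pid = fork();
        if (pid < 0) break;
        if (pid == 0) {
            /* Child: private copy of the FILE buffer, shared file offset. */
            if (child_uses_exit) exit(0);
            _exit(0);
        }
        waitpid(pid, NULL, 0);
    }
    fclose(fp);
    return count;
}

int main(void)
{
    int ok = lines_seen_by_parent(0, 20), bad = lines_seen_by_parent(1, 20);
    printf("child _exit(): %d lines, child exit(): %d lines\n", ok, bad);
    return 0;
}
```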
