Public bug reported: A crash occurs with some blktrace output files, but not all. I've attached a blktrace file taken directly from the output of `blktrace -d $DEV -o - > $TMPFILE`.
When reading from piped input, blkparse does not track online CPUs, and pdi->cpu_map_max will be 0. The check_cpu_map function is invoked when a sequence number changes in an unexpected way (i.e. is not prev + 1). When pdi->cpu_map_max is 0, the check_cpu_map function will perform a malloc of size 0 and then attempt to use memset to initialize it. The size used for memset does not match the size used for the malloc, and hence an out-of-bounds write occurs.

Patches are available in the upstream blktrace repo that together resolve this issue:
- https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=ac416ab67cd7add0089c3bc668427e6b909eb59e
- https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=7f5d2c5173d72018aa29c583c9291ef10abaf8df

In Noble, this results in a SIGABRT with "*** buffer overflow detected ***". In earlier series, the out-of-bounds access occurs silently.

Noble Valgrind output:

$ cat blktrace-kernel-trace-10521.tmp | valgrind blkparse -i - > blktrace-kernel-trace-10521.tmp.parsed
...
==11486== *** buffer overflow detected ***: terminated
==11486==
==11486== Process terminating with default action of signal 6 (SIGABRT)
==11486==    at 0x4947628: __pthread_kill_implementation (pthread_kill.c:44)
==11486==    by 0x48FCB3B: raise (raise.c:26)
==11486==    by 0x48E7DFF: abort (abort.c:79)
==11486==    by 0x493ABEF: __libc_message_impl (libc_fatal.c:132)
==11486==    by 0x49B81A7: __fortify_fail (fortify_fail.c:24)
==11486==    by 0x49B79E3: __chk_fail (chk_fail.c:28)
==11486==    by 0x49B8A77: __memset_chk (memset_chk.c:25)
==11486==    by 0x10FDEF: UnknownInlinedFun (string_fortified.h:59)
==11486==    by 0x10FDEF: UnknownInlinedFun (blkparse.c:2026)
==11486==    by 0x10FDEF: UnknownInlinedFun (blkparse.c:2071)
==11486==    by 0x10FDEF: show_entries_rb (blkparse.c:2131)
==11486==    by 0x10AA1B: UnknownInlinedFun (blkparse.c:2634)
==11486==    by 0x10AA1B: UnknownInlinedFun (blkparse.c:2655)
==11486==    by 0x10AA1B: main (blkparse.c:2939)
...
Jammy Valgrind output:

$ cat blktrace-kernel-trace-10521.tmp | valgrind blkparse -i - > blktrace-kernel-trace-10521.tmp.parsed
...
==11513== Invalid write of size 8
==11513==    at 0x10E8F4: memset (string_fortified.h:71)
==11513==    by 0x10E8F4: check_cpu_map (blkparse.c:2026)
==11513==    by 0x10E8F4: check_sequence (blkparse.c:2071)
==11513==    by 0x10E8F4: show_entries_rb (blkparse.c:2131)
==11513==    by 0x10A627: do_pipe (blkparse.c:2634)
==11513==    by 0x10A627: do_fifo (blkparse.c:2655)
==11513==    by 0x10A627: main (blkparse.c:2939)
==11513==  Address 0x4b6dcd0 is 0 bytes after a block of size 0 alloc'd
==11513==    at 0x4885250: malloc (vg_replace_malloc.c:442)
==11513==    by 0x10E8EB: check_cpu_map (blkparse.c:2025)
==11513==    by 0x10E8EB: check_sequence (blkparse.c:2071)
==11513==    by 0x10E8EB: show_entries_rb (blkparse.c:2131)
==11513==    by 0x10A627: do_pipe (blkparse.c:2634)
==11513==    by 0x10A627: do_fifo (blkparse.c:2655)
==11513==    by 0x10A627: main (blkparse.c:2939)

** Affects: blktrace (Ubuntu)
     Importance: Undecided
     Assignee: Jacob Martin (jacobmartin)
         Status: In Progress

** Affects: blktrace (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: blktrace (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: blktrace (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: blktrace (Ubuntu Oracular)
     Importance: Undecided
     Assignee: Jacob Martin (jacobmartin)
         Status: In Progress

** Attachment added: "blktrace-kernel-trace-10521.tmp.gz"
   https://bugs.launchpad.net/bugs/2073170/+attachment/5797394/+files/blktrace-kernel-trace-10521.tmp.gz

** Also affects: blktrace (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: blktrace (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: blktrace (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: blktrace (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Changed in: blktrace (Ubuntu Oracular)
       Status: New => In Progress

** Changed in: blktrace (Ubuntu Oracular)
     Assignee: (unassigned) => Jacob Martin (jacobmartin)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2073170

Title:
  blkparse: out-of-bounds access in function check_cpu_map while reading trace from stdin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/blktrace/+bug/2073170/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
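The root cause described in the report is a "one bit per CPU" bitmap whose allocation size and initialisation size are computed by two different expressions, so that when the CPU count is 0 the malloc returns a zero-length block and the memset still writes a full word into it. The following is an added example, written for this page; it is neither blkparse's check_cpu_map nor the upstream patches linked above. It shows the hardened shape of such a map: the word count is derived once from the highest CPU actually present in the trace records, calloc both sizes and zeroes the block (removing the separate memset whose length could disagree), and an empty trace, which is what a pdi->cpu_map_max of 0 on piped input amounts to, yields an empty map with nothing written. The struct trace_rec type, the cpu_map_* functions and the sample records are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* One bit per CPU, packed into unsigned long words. */
#define CPUS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define CPU_IDX(cpu)  ((cpu) / CPUS_PER_LONG)
#define CPU_BIT(cpu)  ((cpu) % CPUS_PER_LONG)

/* Hypothetical trace record: only the CPU that produced it matters here. */
struct trace_rec {
    unsigned int cpu;
};

/* The bitmap and the single word count that every size is derived from. */
struct cpu_map {
    unsigned long *bits;
    size_t words;
};

/* Words needed to hold bits for CPUs 0..max_cpu inclusive. */
static size_t cpu_map_words(unsigned int max_cpu)
{
    return (size_t)max_cpu / CPUS_PER_LONG + 1;
}

/* Build the map from the records. Returns 0 on success, -1 if allocation
 * fails. An empty record set yields words == 0 and bits == NULL; no
 * allocation and no write happens, which is the case the report hits. */
int cpu_map_build(struct cpu_map *map, const struct trace_rec *recs, size_t n)
{
    size_t i;
    unsigned int max_cpu = 0;

    map->bits = NULL;
    map->words = 0;
    if (n == 0)
        return 0;

    for (i = 0; i < n; i++)
        if (recs[i].cpu > max_cpu)
            max_cpu = recs[i].cpu;

    map->words = cpu_map_words(max_cpu);
    /* calloc sizes and zeroes the block from the same word count, so there
     * is no second length expression for a memset to get wrong. */
    map->bits = calloc(map->words, sizeof(*map->bits));
    if (map->bits == NULL)
        return -1;

    for (i = 0; i < n; i++)
        map->bits[CPU_IDX(recs[i].cpu)] |= 1UL << CPU_BIT(recs[i].cpu);
    return 0;
}

/* 1 if cpu is set; a cpu beyond the map is reported absent, never read. */
int cpu_map_test(const struct cpu_map *map, unsigned int cpu)
{
    if (CPU_IDX(cpu) >= map->words)
        return 0;
    return (int)((map->bits[CPU_IDX(cpu)] >> CPU_BIT(cpu)) & 1UL);
}

/* Number of distinct CPUs present in the map. */
size_t cpu_map_count(const struct cpu_map *map)
{
    size_t w, count = 0;
    for (w = 0; w < map->words; w++) {
        unsigned long x = map->bits[w];
        while (x) {          /* clear the lowest set bit until none remain */
            x &= x - 1;
            count++;
        }
    }
    return count;
}

void cpu_map_free(struct cpu_map *map)
{
    free(map->bits);
    map->bits = NULL;
    map->words = 0;
}

int main(void)
{
    /* Constructed sample: records from CPUs 0, 3, 65 and 3 again. */
    const struct trace_rec recs[] = {{0}, {3}, {65}, {3}};
    struct cpu_map map;

    if (cpu_map_build(&map, recs, sizeof(recs) / sizeof(recs[0])) != 0)
        return 1;
    printf("%zu words, %zu distinct CPUs, cpu 65 %s\n", map.words,
           cpu_map_count(&map), cpu_map_test(&map, 65) ? "present" : "absent");
    cpu_map_free(&map);
    return 0;
}
```

Run it under valgrind or with -fsanitize=address, with the sample above and with an empty record set, to confirm that neither path writes past an allocation; the same harness is what surfaces the size mismatch in the original.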