| Summary: | Buffer overflow in alsactl from media-sound/alsa-utils-1.0.27 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | John <thejohndoe> |
| Component: | Current packages | Assignee: | Gentoo ALSA team <alsa-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | I.zaufi |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| URL: | http://git.alsa-project.org/?p=alsa-utils.git;a=commit;h=95788fea25c1a59985828d4b91af0772d077600b | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Strace log of alsactl getting killed | | |
| | Fix for buffer overflow crash by using snprintf() | | |
Description
John
2013-05-01 15:42:43 UTC
```
(gdb) bt
#0  0x00007ffff726cfe5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff726e45b in __GI_abort () at abort.c:90
#2  0x00007ffff72aecee in __libc_message (do_abort=2, fmt=0x7ffff73a2a1d "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:196
#3  0x00007ffff733a197 in __GI___fortify_fail (msg=0x7ffff73a29b4 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff7337fa0 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff7337349 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:33
#6  0x00007ffff72b2194 in __GI__IO_default_xsputn (f=0x7fffffffda90, data=<optimized out>, n=1) at genops.c:481
#7  0x00007ffff727f779 in _IO_vfprintf_internal (s=<optimized out>, format=<optimized out>, ap=<optimized out>) at vfprintf.c:1660
#8  0x00007ffff73373e7 in ___vsprintf_chk (s=0x7fffffffdd50 " 6207\377\377\377\177", flags=1, slen=11, format=0x412982 "%10li\n", args=0x7fffffffdbb8) at vsprintf_chk.c:85
#9  0x00007ffff733732d in ___sprintf_chk (s=<optimized out>, flags=<optimized out>, slen=<optimized out>, format=<optimized out>) at sprintf_chk.c:32
#10 0x000000000040a8f9 in sprintf (__fmt=0x412982 "%10li\n", __s=0x7fffffffdd50 " 6207\377\377\377\177") at /usr/include/bits/stdio2.h:33
#11 state_lock_ (timeout=10, lock=1, file=0x4116ba "/var/lib/alsa/asound.state") at lock.c:56
#12 state_lock (file=0x4116ba "/var/lib/alsa/asound.state", lock=1, timeout=10) at lock.c:118
#13 0x000000000040a38a in load_state (file=0x4116ba "/var/lib/alsa/asound.state", initfile=0x41169e "/usr/share/alsa/init/00main", cardname=0x7fffffffe29d "0", do_init=1) at state.c:1660
#14 0x0000000000405ba0 in main (argc=<optimized out>, argv=0x7fffffffdf78) at alsactl.c:354
```

Looks like a bad sprintf() in state_lock_() in lock.c.

Created attachment 347054 [details, diff]
Fix for buffer overflow crash by using snprintf()
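
The defect visible in frames #8 to #11 of the backtrace, as an added illustration that is not code from alsa-utils or from either attached patch: the format "%10li\n" always emits at least 11 characters, so with the terminating NUL it needs 12 bytes, while the destination glibc reports (slen=11) holds 11, and FORTIFY aborts on the last byte. The bounded snprintf() form below also checks the return value, so a record that does not fit (including a pid wider than the minimum field width) is reported instead of written past the end. Buffer sizes and function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed lock-record layout, modelled on the "%10li\n" format in the
 * backtrace: ten right-aligned digits plus a newline is 11 characters,
 * so 12 bytes are needed with the NUL. An 11-byte buffer (slen=11 in
 * ___vsprintf_chk) is exactly one byte short, which is what FORTIFY caught. */
#define LOCK_RECORD_LEN 11                  /* characters, excluding NUL */
#define LOCK_BUF_SIZE   (LOCK_RECORD_LEN + 1)

/* Bounded replacement for the sprintf() call: snprintf() never writes past
 * bufsize, and its return value is the length the full record would have had,
 * so a record that did not fit is detected rather than silently truncated.
 * Returns the number of characters written, or -1 if buf is too small. */
int format_lock_record(char *buf, size_t bufsize, long pid)
{
    int n = snprintf(buf, bufsize, "%10li\n", pid);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;  /* sprintf() would have overflowed here */
    return n;
}

/* Read the pid back out of a record, so the round trip can be checked. */
long parse_lock_record(const char *buf)
{
    return strtol(buf, NULL, 10);
}

int main(void)
{
    char ok[LOCK_BUF_SIZE];
    char tooshort[LOCK_RECORD_LEN];  /* reproduces the original 11-byte buffer */

    printf("%d\n", format_lock_record(ok, sizeof ok, 6207L));
    printf("%d\n", format_lock_record(tooshort, sizeof tooshort, 6207L));
    return 0;
}
```
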
Looks like upstream has a fix as well but it's not optimal because it uses sprintf() still.

http://git.alsa-project.org/?p=alsa-utils.git;a=commit;h=95788fea25c1a59985828d4b91af0772d077600b

(In reply to comment #0)
> Created attachment 347050 [details]
> Strace log of alsactl getting killed

Fixed in tree with upstream patch. Same patch used in both Fedora and ArchLinux too. Imported a bunch of other important upstream patches while at it.

(In reply to comment #3)
> Looks like upstream has a fix as well but its not optimal because it uses
> sprintf() still.
>
> http://git.alsa-project.org/?p=alsa-utils.git;a=commit;
> h=95788fea25c1a59985828d4b91af0772d077600b

Sorry I didn't see this in time. Could you please post this to upstream directly?

```
+*alsa-utils-1.0.27-r1 (01 May 2013)
+
+  01 May 2013; Samuli Suominen <ssuominen@gentoo.org>
+  +alsa-utils-1.0.27-r1.ebuild, +files/alsa-utils-1.0.27-alsactl.patch,
+  +files/alsa-utils-1.0.27-arecord.patch,
+  +files/alsa-utils-1.0.27-service.patch:
+  Fix typing error in alsa-restore.service systemd file. Fix missing break to
+  the capture loop in arecord. Fix buffer overflow in alsactl wrt #468160 by
+  "John"
```

Or I don't mind if you want to add your version of patch to the tree as well after posting it to upstream as -r2. If you think that is necessary.

(In reply to comment #5)
> Or I don't mind if you want to add your version of patch to the tree as well
> after posting it to upstream as -r2. If you think that is necessary.

I submitted the patch upstream. So if it's accepted we'll get it in the next release. If this is fixed in the tree I'm happy.

*** Bug 468354 has been marked as a duplicate of this bug. ***