Bug 468354 - media-sound/alsa-utils-1.0.27 buffer overflow in alsactl
Summary: media-sound/alsa-utils-1.0.27 buffer overflow in alsactl
Status: RESOLVED DUPLICATE of bug 468160
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal critical
Assignee: Gentoo Linux bug wranglers
Reported: 2013-05-03 05:57 UTC by Alex Turbov
Modified: 2013-05-03 06:50 UTC (History)
Attachments
reserve enough space for sprintf() (fix-buffer-overflow.patch, 689 bytes, patch)
2013-05-03 06:00 UTC, Alex Turbov

Description Alex Turbov 2013-05-03 05:57:24 UTC
(Re)starting /etc/init.d/alsasound leads to a crash. After a quick investigation I've found the problem code, which uses unsafe sprintf(). The attached patch would fix the problem.



Reproducible: Always

Steps to Reproduce:
1. Execute `alsactl -I -f /var/lib/alsa/asound.state restore 0`
Actual Results:  
root@gentop /home/zaufi # alsactl -I -f /var/lib/alsa/asound.state restore 0
*** buffer overflow detected ***: alsactl terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f683c6a12e7]
/lib64/libc.so.6(+0xfe3e0)[0x7f683c69f3e0]
/lib64/libc.so.6(+0xfd869)[0x7f683c69e869]
/lib64/libc.so.6(_IO_default_xsputn+0x89)[0x7f683c61af69]
/lib64/libc.so.6(_IO_vfprintf+0x531)[0x7f683c5ea7e1]
/lib64/libc.so.6(__vsprintf_chk+0x88)[0x7f683c69e8f8]
/lib64/libc.so.6(__sprintf_chk+0x7d)[0x7f683c69e84d]
alsactl[0x40bc34]
alsactl[0x40b6ea]
alsactl[0x406726]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f683c5c5c05]
alsactl[0x406905]
======= Memory map: ========
Aborted


Expected Results:  
successful execution

root@gentop /work # cave info
Package Manager Information:
    Package Name              paludis
    Package Version           1.2.0
    Build Date                2013-03-26T04:57:34+0400
    Built with CXX            x86_64-pc-linux-gnu-g++ 4.7.2
    Built with CXXFLAGS        -march=native -O3 -pipe -ftree-vectorize -fmerge-all-constants -minline-stringops-dynamically -pedantic
    Built with LDFLAGS        -Wl,-O1 -Wl,--sort-common -Wl,--as-needed

Environment Information:
    Format                    paludis
    Config dir                /etc/paludis
    Root                      /
    System Root               /
    World file                /var/lib/portage/world


Repository gentoo:
    format                    e
    location                  /usr/portage
    builddir                  /storage/tmp/paludis
    cache                     /usr/portage/metadata/md5-cache
    distdir                   /storage/soft/gentoo/distfiles
    eapi_when_unknown         0
    eapi_when_unspecified     0
    eclassdirs                /usr/portage/eclass
    layout                    traditional
    manifest_hashes           SHA256 SHA512 WHIRLPOOL
    names_cache               /var/cache/paludis/names
    newsdir                   /usr/portage/metadata/news
    profile_eapi_when_unspecified 0
    profile_layout            traditional
    profiles                  /usr/portage/profiles/default/linux/amd64/10.0/desktop
    securitydir               /usr/portage/metadata/glsa
    setsdir                   /usr/portage/sets
    sync                      rsync://rsync.gentoo.org/gentoo-portage
    sync_options              
    thin_manifests            false
    use_manifest              use
    write_cache               /usr/portage/metadata/cache
    Package information
        app-shells/bash       4.2_p45
        dev-java/java-config  2.1.12-r1
        dev-lang/python       2.7.4 3.2.4
        dev-util/ccache       3.1.9
        dev-util/cmake        2.8.11_rc3
        dev-util/pkgconfig    0.28
        sys-apps/baselayout   2.2
        sys-apps/openrc       0.11.8
        sys-apps/sandbox      2.6-r1
        sys-devel/autoconf    2.13 2.69
        sys-devel/automake    1.11.6 1.12.6 1.13.1 1.9.6-r3
        sys-devel/binutils    2.23.1
        sys-devel/gcc         4.7.2-r1 4.8.0
        sys-devel/gcc-config  1.8
        sys-devel/libtool     2.4.2
        sys-devel/make        3.82-r4
        sys-freebsd/freebsd-lib (none)
        sys-kernel/linux-headers 3.8
        sys-libs/glibc        2.17
        sys-libs/uclibc       (none)
Comment 1 Alex Turbov 2013-05-03 06:00:09 UTC
Created attachment 347200
reserve enough space for sprintf()

Quick hack is to reserve enough space for sprintf() with the amount reported by printing the value of std::numeric_limits<long>::digits10 from a sample C++ program on my machine. But a better solution would be to use snprintf() instead.
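
Added example (not part of the original report, and not alsactl's code or the attached patch): the two remedies discussed above for formatting a long into a fixed buffer, a compile-time worst-case size and a bounded snprintf() whose return value is checked for truncation. The helper names, the LONG_DEC_BUFSZ macro and the "card" prefix are hypothetical and chosen only for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Worst-case bytes for a long printed with %ld, including sign and NUL.
 * A decimal digit carries more than 3 bits, so bits/3 + 1 digits always
 * suffice. Note digits10 (18 for a 64-bit long) is one short of the 19
 * digits LONG_MIN needs, before the sign and the terminator. */
#define LONG_DEC_BUFSZ (sizeof(long) * CHAR_BIT / 3 + 3)

/* Exact bytes needed for one value, NUL included (snprintf sizing call). */
size_t long_dec_len(long value)
{
    int n = snprintf(NULL, 0, "%ld", value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical helper: writes "<prefix><value>" into dst.
 * Returns 0 on success, -1 if the result would not fit; dst is left empty
 * rather than truncated so callers cannot use a partial string by mistake. */
int format_checked(char *dst, size_t dstsz, const char *prefix, long value)
{
    int n = snprintf(dst, dstsz, "%s%ld", prefix, value);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char tiny[8];                        /* sized by guess: too small */
    char sized[4 + LONG_DEC_BUFSZ];      /* "card" + worst-case long */

    printf("worst case: %zu bytes, bound: %zu\n",
           long_dec_len(LONG_MIN), (size_t)LONG_DEC_BUFSZ);
    printf("tiny: %d\n", format_checked(tiny, sizeof tiny, "card", LONG_MIN));
    if (format_checked(sized, sizeof sized, "card", LONG_MIN) == 0)
        printf("sized: %s\n", sized);
    return 0;
}
```

With sprintf() in place of the bounded call, the write into the 8-byte buffer is the kind of overflow that glibc's fortified __sprintf_chk aborts on, as in the backtrace above.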
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2013-05-03 06:50:30 UTC

*** This bug has been marked as a duplicate of bug 468160 ***