Bug 899982 - sys-fs/lvm2: crashes from buffer overflow in sys-apps/systemd-utils libudev.so
Summary: sys-fs/lvm2: crashes from buffer overflow in sys-apps/systemd-utils libudev.so
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 847148
Reported: 2023-03-07 04:56 UTC by Daniel Santos
Modified: 2023-03-07 20:49 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info lvm2 (out,10.43 KB, text/plain)
2023-03-07 04:56 UTC, Daniel Santos

Description Daniel Santos 2023-03-07 04:56:04 UTC
Created attachment 856450
emerge --info lvm2

I'm having this after doing a world rebuild (emerge -1ev @world). I haven't done any diagnostics aside from the backtrace in gdb. Rebuilding USE=-udev fixes the problem.


# gdb /sbin/lvs
GNU gdb (Gentoo 13.1 vanilla) 13.1
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /sbin/lvs...
Reading symbols from /usr/lib/debug//sbin/lvm.debug...
(gdb) run
Starting program: /sbin/lvs 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
WARNING: Ignoring duplicate config value: filter
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7d3c30f in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7cec2c2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7cd6472 in __GI_abort () at abort.c:79
#4  0x00007ffff7d30308 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7e4922a "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff7dcb4d2 in __GI___fortify_fail (msg=msg@entry=0x7ffff7e491d0 "buffer overflow detected") at fortify_fail.c:26
#6  0x00007ffff7dc9f10 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007ffff7dca330 in __read_chk (fd=fd@entry=4, buf=buf@entry=0x5555562e4b90, nbytes=nbytes@entry=4104, buflen=buflen@entry=4097) at read_chk.c:24
#8  0x00007ffff7ea554d in read (__nbytes=4104, __buf=0x5555562e4b90, __fd=4) at /usr/include/bits/unistd.h:38
#9  read_virtual_file_fd (fd=fd@entry=4, max_size=max_size@entry=18446744073709551615, ret_contents=ret_contents@entry=0x7fffffffc6e8, ret_size=ret_size@entry=0x7fffffffc6f8) at ../systemd-stable-251.10/src/basic/fileio.c:482
#10 0x00007ffff7ea57a4 in read_virtual_file_at (dir_fd=dir_fd@entry=-100, filename=filename@entry=0x7fffffffc660 "/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/nvme/nvme0/nvme0n1/uevent", max_size=max_size@entry=18446744073709551615, 
    ret_contents=ret_contents@entry=0x7fffffffc6e8, ret_size=ret_size@entry=0x7fffffffc6f8) at ../systemd-stable-251.10/src/basic/fileio.c:572
#11 0x00007ffff7e9ccd3 in read_virtual_file (ret_size=0x7fffffffc6f8, ret_contents=0x7fffffffc6e8, max_size=18446744073709551615, filename=0x7fffffffc660 "/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/nvme/nvme0/nvme0n1/uevent")
    at ../systemd-stable-251.10/src/basic/fileio.h:74
#12 read_full_virtual_file (ret_size=0x7fffffffc6f8, ret_contents=0x7fffffffc6e8, filename=0x7fffffffc660 "/sys/devices/pci0000:00/0000:00:01.1/0000:01:00.0/nvme/nvme0/nvme0n1/uevent") at ../systemd-stable-251.10/src/basic/fileio.h:77
#13 device_read_uevent_file (device=device@entry=0x555556309580) at ../systemd-stable-251.10/src/libsystemd/sd-device/sd-device.c:724
#14 0x00007ffff7e9d5b6 in sd_device_get_devname (device=0x555556309580, devname=devname@entry=0x7fffffffc770) at ../systemd-stable-251.10/src/libsystemd/sd-device/sd-device.c:1158
#15 0x00007ffff7e92856 in udev_device_get_devnode (udev_device=udev_device@entry=0x555556307a10) at ../systemd-stable-251.10/src/libudev/libudev-device.c:613
#16 0x000055555560370c in _insert_udev_dir (dir=0x555555ab8778 "/dev", udev=0x555555a9d730) at device/dev-cache.c:1057
#17 _insert_dirs (dirs=0x555555a79d70 <_cache+80>) at device/dev-cache.c:1098
#18 dev_cache_scan (cmd=cmd@entry=0x555555a903c0) at device/dev-cache.c:1199
#19 0x0000555555604a07 in setup_devices (cmd=cmd@entry=0x555555a903c0) at device/dev-cache.c:1998
#20 0x000055555562ce89 in label_scan (cmd=cmd@entry=0x555555a903c0) at label/label.c:1283
#21 0x00005555555eeffa in lvmcache_label_scan (cmd=cmd@entry=0x555555a903c0) at cache/lvmcache.c:1612
#22 0x00005555555d482d in process_each_lv (cmd=cmd@entry=0x555555a903c0, argc=<optimized out>, argv=<optimized out>, one_vgname=one_vgname@entry=0x0, one_lvname=one_lvname@entry=0x0, read_flags=read_flags@entry=0, handle=0x555555ad41e0, 
    check_single_lv=<optimized out>, process_single_lv=<optimized out>) at toollib.c:4023
#23 0x00005555555c9bbd in _do_report (cmd=cmd@entry=0x555555a903c0, handle=handle@entry=0x555555ad41e0, args=args@entry=0x7fffffffce90, single_args=single_args@entry=0x7fffffffced8) at reporter.c:1137
#24 0x00005555555c9e32 in _report (cmd=0x555555a903c0, argc=0, argv=0x7fffffffd4b0, report_type=<optimized out>) at reporter.c:1399
#25 0x00005555555b11cf in lvm_run_command (cmd=cmd@entry=0x555555a903c0, argc=<optimized out>, argc@entry=1, argv=<optimized out>, argv@entry=0x7fffffffd4a8) at lvmcmdline.c:3317
#26 0x00005555555b220e in lvm2_main (argc=1, argv=0x7fffffffd4a8) at lvmcmdline.c:3847
#27 0x00007ffff7cd72ca in __libc_start_call_main (main=main@entry=0x55555558af30 <main>, argc=argc@entry=1, argv=argv@entry=0x7fffffffd4a8) at ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x00007ffff7cd7385 in __libc_start_main_impl (main=0x55555558af30 <main>, argc=1, argv=0x7fffffffd4a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffd498) at ../csu/libc-start.c:381
#29 0x000055555558aff1 in _start ()
(gdb) frame 9
#9  read_virtual_file_fd (fd=fd@entry=4, max_size=max_size@entry=18446744073709551615, ret_contents=ret_contents@entry=0x7fffffffc6e8, ret_size=ret_size@entry=0x7fffffffc6f8) at ../systemd-stable-251.10/src/basic/fileio.c:482
482                             k = read(fd, buf, size + 1);
(gdb) list
477                             ssize_t k;
478
479                             /* Read one more byte so we can detect whether the content of the
480                              * file has already changed or the guessed size for files from /proc
481                              * wasn't large enough . */
482                             k = read(fd, buf, size + 1);
483                             if (k >= 0) {
484                                     n = k;
485                                     break;
486                             }
(gdb)
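The numbers in frame #7 (nbytes=4104 against an object of buflen=4097) together with the source at fileio.c:482 describe a reader that allocates size + 1 bytes and then reads size + 1 bytes, where size had been bumped to the chunk's malloc_usable_size(); glibc's _FORTIFY_SOURCE=3 __read_chk compares the read length with the malloc() argument, not with the usable size, and aborts. That reading of the trace is my interpretation. Below is an added example, not code from systemd or lvm2, of the same guessed-size loop written so that read() never exceeds the allocation, plus a helper that shows the slack glibc hands out and fortify refuses to count; the 4096 initial guess, the function names and the constructed uevent-style input are assumptions:

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <malloc.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read all of fd (a sysfs/procfs style file that reports st_size == 0) into a
 * NUL-terminated heap buffer.  Returns 0 and hands the buffer to the caller in
 * *ret, or a negative errno.  fd must be seekable so a short guess can be retried.
 * read() is never asked for more than size + 1 bytes, which is exactly what
 * malloc() was told, so a fortified __read_chk cannot fire here. */
int read_virtual_fd(int fd, char **ret, size_t *ret_len)
{
    size_t size = 4096;                 /* initial guess (assumed) */

    for (;;) {
        char *buf = malloc(size + 1);   /* fortify remembers this argument */
        if (!buf)
            return -ENOMEM;

        size_t n = 0;
        while (n < size + 1) {          /* one extra byte detects a short guess */
            ssize_t k = read(fd, buf + n, size + 1 - n);
            if (k < 0) {
                if (errno == EINTR)
                    continue;
                int e = errno;
                free(buf);
                return -e;
            }
            if (k == 0)
                break;
            n += (size_t)k;
        }

        if (n <= size) {                /* extra byte did not arrive: complete */
            buf[n] = '\0';
            *ret = buf;
            *ret_len = n;
            return 0;
        }

        free(buf);                      /* guess too small: double and restart */
        if (lseek(fd, 0, SEEK_SET) < 0)
            return -errno;
        if (size > SIZE_MAX / 2)
            return -E2BIG;
        size *= 2;
    }
}

/* The mismatch the trace shows: bytes the allocator hands out beyond the
 * malloc() argument.  For request 4097 on x86_64 glibc the usable size is
 * 4104 (chunk rounded to 16), i.e. the two numbers in frame #7.  A reader that
 * sets size from this value asks read() for more than fortify's object size. */
size_t usable_slack(size_t request, size_t *usable)
{
    char *buf = malloc(request);
    if (!buf)
        return 0;
    *usable = malloc_usable_size(buf);
    free(buf);
    return *usable - request;
}

/* Constructed input: len bytes of a repeating uevent-style line written to a
 * tmpfile and read back through read_virtual_fd().  Returns 1 on an exact
 * round trip, 0 otherwise. */
int selftest_roundtrip(size_t len)
{
    char *want = malloc(len + 1);
    if (!want)
        return 0;
    for (size_t i = 0; i < len; i++)
        want[i] = "DEVNAME=nvme0n1\n"[i % 16];
    want[len] = '\0';

    FILE *f = tmpfile();
    if (!f) {
        free(want);
        return 0;
    }
    int ok = fwrite(want, 1, len, f) == len && fflush(f) == 0 &&
             lseek(fileno(f), 0, SEEK_SET) == 0;

    char *got = NULL;
    size_t got_len = 0;
    if (ok)
        ok = read_virtual_fd(fileno(f), &got, &got_len) == 0 &&
             got_len == len && memcmp(got, want, len + 1) == 0;

    free(got);
    free(want);
    fclose(f);
    return ok;
}

int main(void)
{
    size_t usable = 0, slack = usable_slack(4097, &usable);
    printf("malloc(4097): usable %zu bytes, slack %zu\n", usable, slack);
    printf("round trip 4096: %d  4097: %d  100000: %d\n",
           selftest_roundtrip(4096), selftest_roundtrip(4097),
           selftest_roundtrip(100000));
    return 0;
}
```

The 4097-byte case is the interesting one: the first pass receives the extra byte, so the loop frees the buffer, rewinds and retries with 8192 + 1, which is where a reader that instead "reuses" allocator slack would have been tempted to read past the size it declared. Building with -O2 -D_FORTIFY_SOURCE=3 is how to confirm this loop stays silent where the 251.10 one aborted.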
Comment 1 Sam James 2023-03-07 16:35:53 UTC
Can you reproduce this with systemd-utils-252*?

I'm inclined to not worry further until it's confirmed with >=sys-apps/systemd-252.7 or >=sys-apps/systemd-utils-252.7 because of the issues within systemd's buffer handling (or shenanigans) until those versions, which caused previous FPs with libudev.
Comment 2 Daniel Santos 2023-03-07 20:36:01 UTC
(In reply to Sam James from comment #1)
> Can you reproduce this with systemd-utils-252*?

I added 252.7 to my package.accept and rebuilt lvm2 with USE=udev and it indeed works!

> I'm inclined to not worry further until it's confirmed with
> >=sys-apps/systemd-252.7 or >=sys-apps/systemd-utils-252.7 because of the
> issues within systemd's buffer handling (or shenanigans) until those
> versions, which caused previous FPs with libudev.

I'm going to leave those terrors for another person to be exasperated over. I have to analyze enough bad code as it is. :) Thank you, Sam.

So should 2.5.1 be removed from stable?
Comment 3 Mike Gilbert 2023-03-07 20:49:12 UTC
systemd-utils-252.7 was marked stable earlier today (bug 899946).