[SRU] liblockfile buffer overflow with high pid numbers

Bug #1011477 reported by Björn Jacke on 2012-06-11
Affects                 Importance   Assigned to
liblockfile (Ubuntu)    Medium       Tyler Hicks
Precise                 Undecided    Unassigned
Quantal                 Undecided    Unassigned

Bug Description

On our system (Ubuntu-Server 10.04) we set "sysctl -w kernel.pid_max = 4194304". When the pid counter is high, currently >3000000, then cron-apt terminates with a buffer overflow message:

root@sn:~# cron-apt
*** buffer overflow detected ***: dotlockfile terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f2ae90547e7]
/lib/libc.so.6(+0xfe6a0)[0x7f2ae90536a0]
/lib/libc.so.6(+0xfdb09)[0x7f2ae9052b09]
/lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2ae8fcaf6c]
/lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2ae8f9aa10]
/lib/libc.so.6(__vsprintf_chk+0x99)[0x7f2ae9052ba9]
/lib/libc.so.6(__sprintf_chk+0x7f)[0x7f2ae9052aef]
dotlockfile[0x401e6e]
dotlockfile[0x40198a]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f2ae8f73c4d]
dotlockfile[0x4011f9]
Aborted
root@sn:~# uname -a
Linux sn 2.6.35-32-server #68~lucid1-Ubuntu SMP Wed Mar 28 18:33:00 UTC 2012 x86_64 GNU/Linux
root@sn:~# ps
    PID TTY TIME CMD
3722057 pts/5 00:00:00 bash
3925974 pts/5 00:00:00 ps
root@sn:~# strace -f -o out cron-apt
*** buffer overflow detected ***: dotlockfile terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f27661f27e7]
/lib/libc.so.6(+0xfe6a0)[0x7f27661f16a0]
/lib/libc.so.6(+0xfdb09)[0x7f27661f0b09]
/lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2766168f6c]
/lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2766138a10]
/lib/libc.so.6(__vsprintf_chk+0x99)[0x7f27661f0ba9]
/lib/libc.so.6(__sprintf_chk+0x7f)[0x7f27661f0aef]
dotlockfile[0x401e6e]
dotlockfile[0x40198a]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f2766111c4d]
dotlockfile[0x4011f9]
Aborted

When we switch back to a small pid number, e.g. by "sysctl -w kernel.pid_max = 32768", cron-apt works again. The problem also only occurs if the pid counter has reached high values. If pid_max is set high but the counter is still low, the problem doesn't show up.

[Test Case]
The overflow occurs when the decimal representation of the PID value is 7 characters or higher. So, set pid_max to a value that is 7 characters long, run through PIDs until we get one that is at least 7 characters (the while loop may take a long time), then create a lock file containing the PID (building the string containing the PID is where the overflow occurs). Watch for the `echo $BASHPID` and `cat ${lock}.lock` to print out the same PID number and make sure that it is at least 7 characters long.

Note that this test case obviously depends on a bash'ism, so use bash or adjust it as necessary. :)

$ lock=/var/lock/lockfile-create-test
$ lockfile-remove $lock
$ sudo sysctl -w kernel.pid_max=4194304
$ while ([ $BASHPID -lt 1000000 ]); do continue; done
$ (echo $BASHPID; lockfile-create $lock --use-pid; cat ${lock}.lock)

[Regression Potential]
Minimum. We've applied a patch to the same version of liblockfile in 13.04 and that has since been merged to Debian with no reports of regressions.


Björn Jacke (bjoern-j3e) wrote :
affects: cron-apt (Ubuntu) → liblockfile (Ubuntu)
Björn Jacke (bjoern-j3e) wrote :

the following patch on liblockfile's lockfile.c fixes the issue:

--- a/lockfile.c
+++ b/lockfile.c
@@ -175,7 +175,7 @@ int lockfile_create(const char *lockfile, int retries, int flags)
        struct stat st, st1;
        char *tmplock;
        char sysname[256];
- char buf[8];
+ char buf[sizeof("-18446744073709551616")+2];
        char *p;
        int sleeptime = 0;
        int statfailed = 0;
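
Review bot: The replacement declaration `char buf[sizeof("-18446744073709551616")+2];` sizes the buffer from an unexplained string literal plus an unexplained `+2`; sizeof on the literal already counts the terminating NUL, so it is not clear what the two extra bytes are for. A short comment saying what is formatted into buf (sign, digits, any trailing character, NUL), or a named constant, would make the bound checkable by the next reader. The hunk also leaves the call that writes into buf untouched, so the limit is enforced only by the declaration; switching that call to snprintf with sizeof(buf) and checking its return value would keep a later format change from reintroducing the overflow.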

the fix was done by Stefan Metzmacher.

you should also have a look at this part of the code which looks like it can cause problems, too:

        if ((tmplock = (char *)malloc(strlen(lockfile)+32+1)) == NULL)
                return L_ERROR;
        strcpy(tmplock, lockfile);
        if ((p = strrchr(tmplock, '/')) == NULL)
                p = tmplock;
        else
                p++;
        sprintf(p, ".lk%05d%x%s",
                (int)getpid(), (int)time(NULL) & 15, sysname);

Stefan Metzmacher (metze) wrote :

The question is where does the magic '32' come from.

sizeof(sysname) is 256...
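
Added example (not code from liblockfile or from anyone in this thread): it computes the bytes each of the two formatted strings discussed above needs, covering both the PID buffer from the test case and the `tmplock` allocation with its `+32`, and shows a bounded `snprintf` wrapper that reports truncation instead of overflowing. It assumes the lock file body is written with `"%d\n"` (consistent with the 7-digit threshold in the test case); the function names are hypothetical, `/tmp/lockfile` and the host name `sn` come from the sessions on this page, and the 64-character host name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define OLD_BUF 8                                      /* char buf[8] before the patch */
#define NEW_BUF (sizeof("-18446744073709551616") + 2)  /* size after the patch: 24 */

/* Bytes, NUL included, needed for the lock file body. The "%d\n" format is an
 * assumption; it matches the 7-digit threshold given in the test case. */
static size_t pid_body_size(int pid)
{
    int n = snprintf(NULL, 0, "%d\n", pid);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting: returns the length written, or -1 instead of overflowing. */
static int format_pid_body(char *buf, size_t cap, int pid)
{
    int n = snprintf(buf, cap, "%d\n", pid);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Bytes, NUL included, needed by the quoted sprintf(p, ".lk%05d%x%s", ...). */
static size_t tmplock_suffix_size(int pid, int tick, const char *sysname)
{
    int n = snprintf(NULL, 0, ".lk%05d%x%s", pid, tick & 15, sysname);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bytes available at p in the quoted code: malloc(strlen(lockfile)+32+1),
 * with p pointing just past the last '/'. */
static size_t tmplock_room(const char *lockfile)
{
    const char *slash = strrchr(lockfile, '/');
    size_t dirlen = slash ? (size_t)(slash + 1 - lockfile) : 0;
    return strlen(lockfile) + 32 + 1 - dirlen;
}

int main(void)
{
    char host[65];                     /* constructed 64-character host name */
    memset(host, 'h', sizeof(host) - 1);
    host[sizeof(host) - 1] = '\0';

    printf("pid 999999 needs %zu, pid 1012680 needs %zu (old buf %d, new buf %zu)\n",
           pid_body_size(999999), pid_body_size(1012680), OLD_BUF, NEW_BUF);
    printf("room at p for /tmp/lockfile: %zu; needed with \"sn\": %zu; "
           "with a 64-character host name: %zu\n",
           tmplock_room("/tmp/lockfile"),
           tmplock_suffix_size(1012680, 15, "sn"),
           tmplock_suffix_size(1012680, 15, host));
    return 0;
}
```

The room at `p` grows with the length of the lock file's base name, so whether a long host name fits depends on the path as well as on the `+32`.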

Tyler Hicks (tyhicks) on 2013-01-09
Changed in liblockfile (Ubuntu):
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

I've attached a debdiff containing a fix for this bug in bug #941968

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package liblockfile - 1.09-5ubuntu1

---------------
liblockfile (1.09-5ubuntu1) raring; urgency=low

  * debian/patches/fix-buffer-overflows.patch: Fix buffer overflows when
    building strings
    - Protect against overflows caused by long hostnames (LP: #941968)
    - Protect against overflows caused by large PID numbers (LP: #1011477)
 -- Tyler Hicks <email address hidden> Wed, 09 Jan 2013 12:23:07 -0800

Changed in liblockfile (Ubuntu):
status: In Progress → Fix Released
Björn Jacke (bjoern-j3e) wrote :

can't understand how this can get urgency=low if this can actually prevent systems from getting updates. imho this should be critical ...

Adam Gandelman (gandelman-a) wrote :

Just confirmed on precise 12.04

root@testing:/home/ubuntu# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.2 LTS"
root@testing:/home/ubuntu# dpkg -l | grep liblockfile
ii liblockfile-bin 1.09-3 support binaries for and cli utilities based on liblockfile
ii liblockfile1 1.09-3 NFS-safe locking library

root@testing:/home/ubuntu# echo $BASHPID
1012680
root@testing:/home/ubuntu# lockfile-create /tmp/lockfile --use-pid
*** buffer overflow detected ***: lockfile-create terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f14c2723817]
/lib/x86_64-linux-gnu/libc.so.6(+0x109710)[0x7f14c2722710]
/lib/x86_64-linux-gnu/libc.so.6(+0x108b79)[0x7f14c2721b79]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7f14c269513d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7f14c26634a7]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7f14c2721c14]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f14c2721b5d]
/usr/lib/x86_64-linux-gnu/liblockfile.so.1(+0x1b26)[0x7f14c29d9b26]
/usr/lib/x86_64-linux-gnu/liblockfile.so.1(lockfile_create+0x61)[0x7f14c29d9dd1]
lockfile-create[0x400f21]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f14c263a76d]
lockfile-create[0x4012c5]

summary: - cron-apt buffer overflow with high pid numbers
+ [SRU] liblockfile buffer overflow with high pid numbers
description: updated
Martin Pitt (pitti) wrote :

Sponsored precise upload.

Changed in liblockfile (Ubuntu Precise):
status: New → In Progress
Adam Gandelman (gandelman-a) wrote :

Thanks, Martin. I've also pushed a branch for the Quantal package and filed a MP (for lack of upload rights)

Hello Björn, or anyone else affected,

Accepted liblockfile into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/liblockfile/1.09-3ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in liblockfile (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
James Page (james-page) wrote :

Sponsored upload to quantal-proposed

Colin Watson (cjwatson) wrote :

Hello Björn, or anyone else affected,

Accepted liblockfile into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/liblockfile/1.09-4ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in liblockfile (Ubuntu Quantal):
status: New → Fix Committed

The fix for this bug has been awaiting testing feedback in the -proposed repository for quantal for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Philipp Kern (pkern) wrote :

Verifies just fine for me, given the instructions:

$ sudo sysctl -w kernel.pid_max=4194304
kernel.pid_max = 4194304

With the old build:

$ lock=/var/lock/lockfile-create-test
$ lockfile-remove $lock
$ while ([ $BASHPID -lt 1000000 ]); do continue; done
$ (echo $BASHPID; lockfile-create $lock --use-pid; cat ${lock}.lock)
1004029
*** buffer overflow detected ***: lockfile-create terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fdecf313817]
/lib/x86_64-linux-gnu/libc.so.6(+0x109710)[0x7fdecf312710]
/lib/x86_64-linux-gnu/libc.so.6(+0x108b79)[0x7fdecf311b79]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fdecf28513d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fdecf2534a7]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fdecf311c14]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fdecf311b5d]
/usr/lib/x86_64-linux-gnu/liblockfile.so.1(+0x1b26)[0x7fdecf5c9b26]
/usr/lib/x86_64-linux-gnu/liblockfile.so.1(lockfile_create+0x61)[0x7fdecf5c9dd1]
lockfile-create[0x400f21]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fdecf22a76d]
lockfile-create[0x4012c5]

Philipp Kern (pkern) on 2013-10-15
tags: added: verification-done-precise
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package liblockfile - 1.09-3ubuntu0.1

---------------
liblockfile (1.09-3ubuntu0.1) precise-proposed; urgency=low

  * debian/patches/fix-buffer-overflows.patch: Fix buffer overflows when
    building strings
    - Protect against overflows caused by long hostnames (LP: #941968)
    - Protect against overflows caused by large PID numbers (LP: #1011477)
 -- Adam Gandelman <email address hidden> Thu, 20 Jun 2013 12:37:10 -0700

Changed in liblockfile (Ubuntu Precise):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in liblockfile (Ubuntu Quantal):
status: Fix Committed → Won't Fix