stress-ng in xenial segfaults on dup stressor on arm64
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
stress-ng (Ubuntu) | Won't Fix | Undecided | Unassigned |
Xenial | Won't Fix | High | Colin Ian King |
Bug Description
== SRU justification, Xenial ==
When running the --dup stressor in stress-ng with a process that is allowed to open more than 64K file descriptors, we trigger a segfault because of an array overflow.
== Fix ==
A simple fix is required, just a bounds check on the maximum size max_fd to limit it to the size of the fds array.
== Testcase ==
stress-ng on arm64 with the --dup stressor will trigger this quite easily. The bug was found during regression testing of the previous xenial stress-ng upload.
stress-ng --dup
Without the fix this will segfault; with the fix it works correctly.
== Regression Potential ==
Low. This affects one stress case in stress-ng; the fix is localized and it is a backport of an upstream stress-ng fix that has been working for several years without problems.
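The fix described above is a single bounds check before the dup loop. The following is an added example, not stress-ng's own code: it reads the fd budget from RLIMIT_NOFILE the way a dup stressor would, clamps it to the array capacity with the same SIZEOF_ARRAY idiom the patch uses, and stops cleanly when dup() fails. STRESS_FD_MAX, clamp_max_fd and dup_fill are assumed names; the 65536 array size mirrors the value printed in the gdb trace.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Assumed array size; the gdb trace prints 65536 next to a 1048573 fd limit. */
#define STRESS_FD_MAX (65536)
#define SIZEOF_ARRAY(a) (sizeof(a) / sizeof((a)[0]))

/* The check the patch adds: the fd count must never exceed the array capacity. */
static size_t clamp_max_fd(size_t max_fd, size_t capacity)
{
	return max_fd > capacity ? capacity : max_fd;
}

/* Fill fds[] with dup()s of /dev/zero without writing past capacity; returns the
 * number of descriptors opened (all closed again before returning), or -1 on error. */
static ssize_t dup_fill(int *fds, size_t capacity, size_t max_fd)
{
	size_t i, n;
	if (capacity == 0)
		return -1;
	max_fd = clamp_max_fd(max_fd, capacity); /* without this, fds[n] below overflows */
	fds[0] = open("/dev/zero", O_RDONLY);
	if (fds[0] < 0)
		return -1;
	for (n = 1; n < max_fd; n++) {
		fds[n] = dup(fds[0]);
		if (fds[n] < 0)
			break; /* EMFILE: the rlimit was hit first, stop cleanly */
	}
	for (i = 0; i < n; i++)
		close(fds[i]);
	return (ssize_t)n;
}

int main(void)
{
	static int fds[STRESS_FD_MAX];
	struct rlimit rlim;
	size_t budget = STRESS_FD_MAX; /* fallback if the limit cannot be read */
	ssize_t n;
	if (getrlimit(RLIMIT_NOFILE, &rlim) == 0 && rlim.rlim_cur != RLIM_INFINITY)
		budget = (size_t)rlim.rlim_cur; /* may exceed STRESS_FD_MAX, as on the arm64 box */
	n = dup_fill(fds, SIZEOF_ARRAY(fds), budget);
	printf("rlimit budget %zu, array capacity %zu, opened %zd fds\n", budget, SIZEOF_ARRAY(fds), n);
	return n < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Raising the soft limit with ulimit -n above 65536 before running reproduces the situation in the trace; the clamp keeps the loop inside the array regardless.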
----------------
Using host libthread_db library "/lib/aarch64-
stress-ng: info: [10979] defaulting to a 86400 second run per stressor
stress-ng: info: [10979] dispatching hogs: 1 dup
stress-ng: info: [10979] cache allocate: using built-in defaults as unable to determine cache details
stress-ng: info: [10979] cache allocate: default cache size: 2048K
[New process 10982]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/aarch64-
65536 1048573
Thread 2.1 "stress-ng-dup" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xffffb7ff1000 (LWP 10982)]
0x00000000004191f0 in stress_dup (counter=
at stress-dup.c:63
63 fds[i] = dup(fds[0]);
This requires a fix from commit:
67d872611b860a7
From: Colin Ian King <email address hidden>
Date: Tue, 8 Nov 2016 15:50:20 +0000
Subject: [PATCH] treewide: remove messy #if defined() build checks
diff --git a/stress-dup.c b/stress-dup.c
index 2fe2d6a6..0ac13fee 100644
--- a/stress-dup.c
+++ b/stress-dup.c
@@ -45,7 +45,7 @@ int stress_dup(
const char *name)
{
int fds[STRESS_FD_MAX];
- const size_t max_fd = stress_
+ size_t max_fd = stress_
size_t i;
#if defined(__linux__)
bool do_dup3 = true;
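Review bot: dropping `const` from `max_fd` only makes sense together with the clamp in the next hunk, yet the commit subject ("treewide: remove messy #if defined() build checks") says nothing about an array-overflow fix; the stress-dup.c bounds fix should be its own commit, or at least be named in the message, so the Xenial SRU can cite it cleanly rather than cherry-picking it out of an unrelated cleanup.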
@@ -53,6 +53,9 @@ int stress_dup(
+ if (max_fd > SIZEOF_ARRAY(fds))
+ max_fd = SIZEOF_ARRAY(fds);
+
fds[0] = open("/dev/zero", O_RDONLY);
if (fds[0] < 0) {
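Review bot: the clamp `if (max_fd > SIZEOF_ARRAY(fds)) max_fd = SIZEOF_ARRAY(fds);` keeps the dup loop inside `fds[STRESS_FD_MAX]`, but it silently lowers the descriptor count; add a one-line comment saying why RLIMIT_NOFILE can exceed STRESS_FD_MAX (the trace above shows 65536 against 1048573 on arm64) and consider an info-level message, like the ones the stressor already prints, when the clamp fires so a user can see fewer descriptors were exercised than requested.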
Changed in stress-ng:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Colin Ian King (colin-king)
no longer affects: stress-ng
description: updated
Changed in stress-ng (Ubuntu Xenial):
assignee: nobody → Colin Ian King (colin-king)
importance: Undecided → High
status: New → In Progress
Changed in stress-ng (Ubuntu Xenial):
status: In Progress → Fix Released
status: Fix Released → Fix Committed
Changed in stress-ng (Ubuntu):
status: New → Won't Fix
Hello Colin, or anyone else affected,
Accepted stress-ng into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/stress-ng/0.05.23-1ubuntu4 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.