blkparse: out-of-bounds access in function check_cpu_map while reading trace from stdin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
blktrace (Ubuntu) | Status tracked in Oracular | | |
Focal | New | Undecided | Unassigned |
Jammy | New | Undecided | Unassigned |
Noble | New | Undecided | Unassigned |
Oracular | Fix Released | Undecided | Jacob Martin |
Bug Description
A crash occurs with some blktrace output files, but not all. I've attached a blktrace file taken directly from the output of `blktrace -d $DEV -o - > $TMPFILE`.
When reading from piped input, blkparse does not track online CPUs, and pdi->cpu_map_max will be 0. The check_cpu_map function is invoked when a sequence number changes in an unexpected way (i.e. is not prev + 1). When pdi->cpu_map_max is 0, the check_cpu_map function will perform a malloc of size 0 and then attempt to use memset to initialize it. The size used for memset does not match the size used for the malloc, and hence an out-of-bounds write occurs.
Patches are available in the upstream blktrace repo that together resolve this issue:
- https:/
- https:/
In Noble, this results in a SIGABRT with "*** buffer overflow detected***". In earlier series, the out-of-bounds access occurs silently.
Noble Valgrind output:
$ cat blktrace-
...
==11486==
*** buffer overflow detected ***: terminated
==11486==
==11486== Process terminating with default action of signal 6 (SIGABRT)
==11486== at 0x4947628: __pthread_
==11486== by 0x48FCB3B: raise (raise.c:26)
==11486== by 0x48E7DFF: abort (abort.c:79)
==11486== by 0x493ABEF: __libc_message_impl (libc_fatal.c:132)
==11486== by 0x49B81A7: __fortify_fail (fortify_fail.c:24)
==11486== by 0x49B79E3: __chk_fail (chk_fail.c:28)
==11486== by 0x49B8A77: __memset_chk (memset_chk.c:25)
==11486== by 0x10FDEF: UnknownInlinedFun (string_
==11486== by 0x10FDEF: UnknownInlinedFun (blkparse.c:2026)
==11486== by 0x10FDEF: UnknownInlinedFun (blkparse.c:2071)
==11486== by 0x10FDEF: show_entries_rb (blkparse.c:2131)
==11486== by 0x10AA1B: UnknownInlinedFun (blkparse.c:2634)
==11486== by 0x10AA1B: UnknownInlinedFun (blkparse.c:2655)
==11486== by 0x10AA1B: main (blkparse.c:2939)
...
Jammy Valgrind output:
$ cat blktrace-
...
==11513== Invalid write of size 8
==11513== at 0x10E8F4: memset (string_
==11513== by 0x10E8F4: check_cpu_map (blkparse.c:2026)
==11513== by 0x10E8F4: check_sequence (blkparse.c:2071)
==11513== by 0x10E8F4: show_entries_rb (blkparse.c:2131)
==11513== by 0x10A627: do_pipe (blkparse.c:2634)
==11513== by 0x10A627: do_fifo (blkparse.c:2655)
==11513== by 0x10A627: main (blkparse.c:2939)
==11513== Address 0x4b6dcd0 is 0 bytes after a block of size 0 alloc'd
==11513== at 0x4885250: malloc (vg_replace_
==11513== by 0x10E8EB: check_cpu_map (blkparse.c:2025)
==11513== by 0x10E8EB: check_sequence (blkparse.c:2071)
==11513== by 0x10E8EB: show_entries_rb (blkparse.c:2131)
==11513== by 0x10A627: do_pipe (blkparse.c:2634)
==11513== by 0x10A627: do_fifo (blkparse.c:2655)
==11513== by 0x10A627: main (blkparse.c:2939)
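The following is an added example, written for this page and not taken from the blkparse source or the upstream patches. It reproduces the failure mode the bug description gives: a per-CPU bitmap whose malloc length is derived from pdi->cpu_map_max while the memset length is computed separately, so that cpu_map_max == 0 (the pipe-input case, where no CPUs are tracked) yields malloc(0) followed by an 8-byte write. The struct `per_dev_sim`, the `from_pipe` flag, the `buggy_*` size formulas and the `demo_*` inputs are hypothetical stand-ins chosen for illustration; the fixed variant shows both halves of the shipped fix, skipping the check on pipe input and deriving allocation and clearing from a single size.

```c
#include <stdio.h>
#include <stdlib.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Hypothetical stand-in for the per-device state; not blkparse's struct. */
struct per_dev_sim {
    unsigned cpu_map_max;   /* highest CPU index seen + 1; stays 0 on pipe input */
    int      from_pipe;     /* 1 when the trace arrives on stdin */
};

/* Sizes as a buggy routine might compute them (constructed formulas):
 * the malloc length scales with cpu_map_max, the memset length is one
 * word regardless. With cpu_map_max == 0 that is malloc(0) followed by
 * a sizeof(unsigned long) write, which is what the Valgrind report shows. */
static size_t buggy_malloc_len(unsigned cpu_map_max)
{
    return cpu_map_max / BITS_PER_LONG * sizeof(unsigned long);
}
static size_t buggy_memset_len(unsigned cpu_map_max)
{
    (void)cpu_map_max;
    return sizeof(unsigned long);
}

/* Returns 1 if the buggy sizing would write past the end of its allocation.
 * Computed without performing the write: malloc(0) may return NULL or a
 * zero-length block, and writing through either is undefined behaviour. */
int buggy_sizing_overruns(unsigned cpu_map_max)
{
    return buggy_memset_len(cpu_map_max) > buggy_malloc_len(cpu_map_max);
}

/* Fixed variant: skip the check when CPUs were never tracked (pipe input),
 * and size allocation and clearing from one rounded-up word count via
 * calloc so the two lengths cannot diverge. Returns the number of distinct
 * CPUs marked in the map, or -1 when the check is skipped or calloc fails. */
int check_cpu_map_fixed(const struct per_dev_sim *pdi,
                        const unsigned *trace_cpus, size_t ntraces)
{
    if (pdi->from_pipe || pdi->cpu_map_max == 0)
        return -1;

    size_t words = (pdi->cpu_map_max + BITS_PER_LONG - 1) / BITS_PER_LONG;
    unsigned long *cpu_map = calloc(words, sizeof *cpu_map);
    if (!cpu_map)
        return -1;

    int distinct = 0;
    for (size_t i = 0; i < ntraces; i++) {
        unsigned cpu = trace_cpus[i];
        if (cpu >= pdi->cpu_map_max)
            continue;                       /* out of range: never index the map */
        unsigned long bit = 1UL << (cpu % BITS_PER_LONG);
        if (!(cpu_map[cpu / BITS_PER_LONG] & bit)) {
            cpu_map[cpu / BITS_PER_LONG] |= bit;
            distinct++;
        }
    }
    free(cpu_map);
    return distinct;
}

/* Constructed CPU ids standing in for the per-trace cpu field. */
static const unsigned demo_cpus[] = { 0, 3, 3, 7, 65 };
#define DEMO_NCPUS (sizeof demo_cpus / sizeof demo_cpus[0])

int demo_pipe_input(void)
{
    struct per_dev_sim pdi = { .cpu_map_max = 0, .from_pipe = 1 };
    return check_cpu_map_fixed(&pdi, demo_cpus, DEMO_NCPUS);   /* -1: skipped */
}

int demo_file_input(void)
{
    struct per_dev_sim pdi = { .cpu_map_max = 72, .from_pipe = 0 };
    return check_cpu_map_fixed(&pdi, demo_cpus, DEMO_NCPUS);   /* 4 distinct CPUs */
}

int main(void)
{
    printf("buggy sizing overruns at cpu_map_max=0:  %d\n", buggy_sizing_overruns(0));
    printf("buggy sizing overruns at cpu_map_max=64: %d\n", buggy_sizing_overruns(64));
    printf("fixed check, pipe input: %d\n", demo_pipe_input());
    printf("fixed check, file input: %d\n", demo_file_input());
    return 0;
}
```

The point of `buggy_sizing_overruns` is that the overrun is a property of two independently computed lengths, not of any particular input value: the same routine is safe at cpu_map_max == 64 and unsafe at 0, which is why the silent corruption on Jammy only appeared with some trace files. Using calloc with one length, as the fixed variant does, removes the second computation rather than trying to keep it in step.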
Related branches
- Vladimir Petko (community): Approve
- git-ubuntu import: Pending requested
- Diff: 98 lines (+70/-0), 4 files modified
  debian/changelog (+13/-0)
  debian/patches/13_blkparse_check-cpu-map_skip_on_pipe.patch (+30/-0)
  debian/patches/14_blkparse_fix_check-cpu-map_memset_size.patch (+25/-0)
  debian/patches/series (+2/-0)
- Vladimir Petko (community): Needs Fixing
- git-ubuntu import: Pending requested
- Diff: 98 lines (+70/-0), 4 files modified
  debian/changelog (+13/-0)
  debian/patches/13_blkparse_check-cpu-map_skip_on_pipe.patch (+30/-0)
  debian/patches/14_blkparse_fix_check-cpu-map_memset_size.patch (+25/-0)
  debian/patches/series (+2/-0)
This bug was fixed in the package blktrace - 1.2.0-5ubuntu4
---------------
blktrace (1.2.0-5ubuntu4) oracular; urgency=medium

  * Fix out-of-bounds access in the check_cpu_map function of blkparse
    when reading from stdin. (LP: #2073170)
    - debian/patches/13_blkparse_check-cpu-map_skip_on_pipe.patch:
      blkparse: skip check_cpu_map with pipe input. Thanks to Jeff
      Mahoney <email address hidden>.
    - debian/patches/14_blkparse_fix_check-cpu-map_memset_size.patch:
      blkparse: fix incorrectly sized memset in check_cpu_map. Thanks
      to Jeff Mahoney <email address hidden>.

 -- Jacob Martin <email address hidden>  Mon, 22 Jul 2024 12:29:40 -0500