blkparse: out-of-bounds access in function check_cpu_map while reading trace from stdin

Bug #2073170 reported by Jacob Martin
Affects             Status                        Importance   Assigned to    Milestone
blktrace (Ubuntu)   (status tracked in Oracular)
  Focal             New                           Undecided    Unassigned
  Jammy             New                           Undecided    Unassigned
  Noble             New                           Undecided    Unassigned
  Oracular          Fix Released                  Undecided    Jacob Martin

Bug Description

A crash occurs with some blktrace output files, but not all. I've attached a blktrace file taken directly from the output of `blktrace -d $DEV -o - > $TMPFILE`.

When reading from piped input, blkparse does not track online CPUs, and pdi->cpu_map_max will be 0. The check_cpu_map function is invoked when a sequence number changes in an unexpected way (i.e. is not prev + 1). When pdi->cpu_map_max is 0, the check_cpu_map function will perform a malloc of size 0 and then attempt to use memset to initialize it. The size used for memset does not match the size used for the malloc, and hence an out-of-bounds write occurs.

Patches are available in the upstream blktrace repo that together resolve this issue:
- https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=ac416ab67cd7add0089c3bc668427e6b909eb59e
- https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=7f5d2c5173d72018aa29c583c9291ef10abaf8df

In Noble, this results in a SIGABRT with "*** buffer overflow detected***". In earlier series, the out-of-bounds access occurs silently.

Noble Valgrind output:
$ cat blktrace-kernel-trace-10521.tmp | valgrind blkparse -i - > blktrace-kernel-trace-10521.tmp.parsed
...
==11486==
*** buffer overflow detected ***: terminated
==11486==
==11486== Process terminating with default action of signal 6 (SIGABRT)
==11486== at 0x4947628: __pthread_kill_implementation (pthread_kill.c:44)
==11486== by 0x48FCB3B: raise (raise.c:26)
==11486== by 0x48E7DFF: abort (abort.c:79)
==11486== by 0x493ABEF: __libc_message_impl (libc_fatal.c:132)
==11486== by 0x49B81A7: __fortify_fail (fortify_fail.c:24)
==11486== by 0x49B79E3: __chk_fail (chk_fail.c:28)
==11486== by 0x49B8A77: __memset_chk (memset_chk.c:25)
==11486== by 0x10FDEF: UnknownInlinedFun (string_fortified.h:59)
==11486== by 0x10FDEF: UnknownInlinedFun (blkparse.c:2026)
==11486== by 0x10FDEF: UnknownInlinedFun (blkparse.c:2071)
==11486== by 0x10FDEF: show_entries_rb (blkparse.c:2131)
==11486== by 0x10AA1B: UnknownInlinedFun (blkparse.c:2634)
==11486== by 0x10AA1B: UnknownInlinedFun (blkparse.c:2655)
==11486== by 0x10AA1B: main (blkparse.c:2939)
...

Jammy Valgrind output:
$ cat blktrace-kernel-trace-10521.tmp | valgrind blkparse -i - > blktrace-kernel-trace-10521.tmp.parsed
...
==11513== Invalid write of size 8
==11513== at 0x10E8F4: memset (string_fortified.h:71)
==11513== by 0x10E8F4: check_cpu_map (blkparse.c:2026)
==11513== by 0x10E8F4: check_sequence (blkparse.c:2071)
==11513== by 0x10E8F4: show_entries_rb (blkparse.c:2131)
==11513== by 0x10A627: do_pipe (blkparse.c:2634)
==11513== by 0x10A627: do_fifo (blkparse.c:2655)
==11513== by 0x10A627: main (blkparse.c:2939)
==11513== Address 0x4b6dcd0 is 0 bytes after a block of size 0 alloc'd
==11513== at 0x4885250: malloc (vg_replace_malloc.c:442)
==11513== by 0x10E8EB: check_cpu_map (blkparse.c:2025)
==11513== by 0x10E8EB: check_sequence (blkparse.c:2071)
==11513== by 0x10E8EB: show_entries_rb (blkparse.c:2131)
==11513== by 0x10A627: do_pipe (blkparse.c:2634)
==11513== by 0x10A627: do_fifo (blkparse.c:2655)
==11513== by 0x10A627: main (blkparse.c:2939)
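The defect described above is a size mismatch: the buffer is allocated with one size (zero, because cpu_map_max is 0 on piped input) and cleared with another. The following is an added example, not blkparse's own code, showing the two mitigations the report's patches describe in one small model: skip the CPU-map check entirely when cpu_map_max is 0, and derive the memset size from the same expression as the allocation so the two cannot drift apart. The struct name dev_info, the field names, and the 64-bit word layout are assumptions made for this example; the actual blkparse pdi structure may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CPU_MAP_BITS 64u   /* bits per bitmap word (uint64_t); assumed layout */

/* Hypothetical per-device state, loosely modelled on the pdi the report
 * mentions. Field names are assumptions for this example, not blkparse's. */
struct dev_info {
    unsigned int cpu_map_max;  /* number of CPUs tracked; 0 when input is a pipe */
    uint64_t *cpu_map;         /* one bit per CPU */
    size_t cpu_map_words;      /* words actually allocated */
};

/* Allocate the CPU bitmap. Returns the number of words allocated, or 0 when
 * there is nothing to allocate (pipe input, cpu_map_max == 0) or on failure.
 * The size is computed once and reused for both malloc and memset, so the
 * allocation and the clearing can never disagree. */
size_t cpu_map_alloc(struct dev_info *pdi)
{
    size_t words;

    if (pdi->cpu_map_max == 0)
        return 0;  /* no online-CPU tracking on piped input: skip the check */

    words = (pdi->cpu_map_max + CPU_MAP_BITS - 1) / CPU_MAP_BITS;
    pdi->cpu_map = malloc(words * sizeof(*pdi->cpu_map));
    if (!pdi->cpu_map)
        return 0;
    memset(pdi->cpu_map, 0, words * sizeof(*pdi->cpu_map));  /* same size as malloc */
    pdi->cpu_map_words = words;
    return words;
}

/* Mark a CPU as seen. Returns 0 on success, -1 if the bitmap is absent or the
 * CPU index lies beyond what was allocated. */
int cpu_map_set(struct dev_info *pdi, unsigned int cpu)
{
    if (!pdi->cpu_map || cpu >= pdi->cpu_map_max)
        return -1;
    pdi->cpu_map[cpu / CPU_MAP_BITS] |= (uint64_t)1 << (cpu % CPU_MAP_BITS);
    return 0;
}

/* Returns 1 if the CPU has been marked, 0 if not marked or out of range. */
int cpu_map_test(const struct dev_info *pdi, unsigned int cpu)
{
    if (!pdi->cpu_map || cpu >= pdi->cpu_map_max)
        return 0;
    return (int)((pdi->cpu_map[cpu / CPU_MAP_BITS] >> (cpu % CPU_MAP_BITS)) & 1);
}

int main(void)
{
    /* Constructed inputs: a pipe (no CPU tracking) and a file with 65 CPUs. */
    struct dev_info pipe_input = { .cpu_map_max = 0 };
    struct dev_info file_input = { .cpu_map_max = 65 };

    printf("pipe input: allocated %zu words (check skipped)\n",
           cpu_map_alloc(&pipe_input));
    printf("file input: allocated %zu words\n", cpu_map_alloc(&file_input));
    printf("set cpu 64 -> %d, set cpu 65 -> %d\n",
           cpu_map_set(&file_input, 64), cpu_map_set(&file_input, 65));
    free(file_input.cpu_map);
    return 0;
}
```

With the guard in place the pipe case never reaches malloc, so the malloc(0) plus oversized memset that Valgrind flagged above cannot occur; the fortified memset_chk in Noble would also have nothing to abort on, because the cleared length always equals the allocated length.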

Jacob Martin (jacobmartin) wrote :
Changed in blktrace (Ubuntu Oracular):
status: New → In Progress
assignee: nobody → Jacob Martin (jacobmartin)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package blktrace - 1.2.0-5ubuntu4

---------------
blktrace (1.2.0-5ubuntu4) oracular; urgency=medium

  * Fix out-of-bounds access in the check_cpu_map function of blkparse
    when reading from stdin. (LP: #2073170)
    - debian/patches/13_blkparse_check-cpu-map_skip_on_pipe.patch:
      blkparse: skip check_cpu_map with pipe input. Thanks to Jeff
      Mahoney <email address hidden>.
    - debian/patches/14_blkparse_fix_check-cpu-map_memset_size.patch:
      blkparse: fix incorrectly sized memset in check_cpu_map. Thanks
      to Jeff Mahoney <email address hidden>.

 -- Jacob Martin <email address hidden> Mon, 22 Jul 2024 12:29:40 -0500

Changed in blktrace (Ubuntu Oracular):
status: In Progress → Fix Released