fixed 776161 1:2.10.0-1
quit
Hello Jakub Wilk,
I tried to reproduce the issue in a Debian Jessie 32 bit VM.
The stack smashing detector bytes are overwritten here:
(gdb) bt
#0 short2long_name (src=<optimized out>, dest=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:431
#1 create_long_filename (filename=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:439
#2 create_short_and_long_name (is_dot=<optimized out>, filename=<optimized
out>, directory_start=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:622
#3 read_directory (s=0xe789c0, mapping_index=9) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:744
#4 0x0071ef17 in init_directories (errp=<optimized out>, secs=<optimized out>,
heads=<optimized out>, dirname=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:897
#5 vvfat_open (bs=0xe77748, options=0x0, flags=24642, errp=0xbffff1c8) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:1176
#6 0x006ffc13 in bdrv_open_common (errp=<optimized out>, drv=<optimized out>,
flags=<optimized out>, options=<optimized out>, file=<optimized out>,
bs=<optimized out>) at /home/benutzer/qemu/qemu-2.1+dfsg/block.c:974
#7 bdrv_open (pbs=0xbffff2ac, filename=0xe72d80 "fat:storage/",
reference=0x9caa80 <bdrv_vvfat> "h\251x", options=0xe781b0, flags=57410,
drv=0x9caa80 <bdrv_vvfat>, errp=0xbffff2b0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1485
#8 0x007006ec in bdrv_open_image (pbs=0xbffff2ac, filename=0xe72d80
"fat:storage/", options=0xe76728, bdref_key=0x781852 "file", flags=57410,
allow_none=true, errp=0xbffff2b0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1287
#9 0x006ff840 in bdrv_open (pbs=0xe71ed8, filename=0xe72d80 "fat:storage/",
reference=0x0, options=0xe76728, flags=8258, drv=0x0, errp=0xbffff350) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1464
#10 0x00578363 in blockdev_init (file=0xea <error: Cannot access memory at
address 0xea>, bs_opts=0xe754b0, errp=0xbffff464) at
/home/benutzer/qemu/qemu-2.1+dfsg/blockdev.c:523
#11 0x005794b3 in drive_new (all_opts=0xe633e8, block_default_type=IF_IDE) at
/home/benutzer/qemu/qemu-2.1+dfsg/blockdev.c:930
#12 0x0058c94e in drive_init_func (opts=0xe633e8, opaque=0xe619a0) at
/home/benutzer/qemu/qemu-2.1+dfsg/vl.c:1138
#13 0x007629d5 in qemu_opts_foreach (list=0x0, func=0x58c930 <drive_init_func>,
opaque=0xe619a0, abort_on_failure=1) at
/home/benutzer/qemu/qemu-2.1+dfsg/util/qemu-option.c:1072
#14 0x0044a12b in main (argc=3, argv=0xbffff7a4, envp=0xbffff7b4) at
/home/benutzer/qemu/qemu-2.1+dfsg/vl.c:4345
Attached is some more information.
It looks like it got already fixed upstream [1].
First branch containing that fix was stable-2.10 [2].
So I guess closing this bug is ok?
Kind regards,
Bernhard
[1]
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=09ec4119fb5a48f6783c23e275e698d977a11ca9
[2]
https://git.qemu.org/?p=qemu.git;a=history;f=block/vvfat.c;h=a9e207f7f0a64e9c469a2ab45fcf7ca6063a2b4e;hb=refs/heads/stable-2.10
apt-get install qemu-system-x86 dpkg-dev
apt-get build-dep qemu-system-x86
apt-get source qemu-system-x86
DEB_BUILD_OPTIONS='nostrip' dpkg-buildpackage -b -uc -us
dpkg -i qemu-system-x86_2.1+dfsg-12+deb8u6_i386.deb
root@debian:/home/benutzer# dpkg -l | grep qemu
ii ipxe-qemu 1.0.0+git-20141004.86285d1-1 all
PXE boot firmware - ROM images for qemu
ii qemu-system-common 1:2.1+dfsg-12+deb8u6 i386
QEMU full system emulation binaries (common files)
ii qemu-system-x86 1:2.1+dfsg-12+deb8u6 i386
QEMU full system emulation binaries (x86)
ii qemu-utils 1:2.1+dfsg-12+deb8u6 i386
QEMU utilities
root@debian:/home/benutzer# gdb -q --args qemu-system-x86_64 -drive
file=fat:storage/
Reading symbols from qemu-system-x86_64...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/qemu-system-x86_64 -drive file=fat:storage/
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
vvfat storage/ chs 1024,16,63
*** stack smashing detected ***: /usr/bin/qemu-system-x86_64 terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb68e2773]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb69729b5]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfc96a)[0xb697296a]
/usr/bin/qemu-system-x86_64(_fini+0x0)[0x764c14]
/usr/bin/qemu-system-x86_64(+0x31e56f)[0x71e56f]
/usr/bin/qemu-system-x86_64(+0x31ef17)[0x71ef17]
/usr/bin/qemu-system-x86_64(+0x2ffc13)[0x6ffc13]
/usr/bin/qemu-system-x86_64(+0x3006ec)[0x7006ec]
/usr/bin/qemu-system-x86_64(+0x2ff840)[0x6ff840]
/usr/bin/qemu-system-x86_64(+0x178363)[0x578363]
/usr/bin/qemu-system-x86_64(+0x1794b3)[0x5794b3]
/usr/bin/qemu-system-x86_64(+0x18c94e)[0x58c94e]
/usr/bin/qemu-system-x86_64(+0x3629d5)[0x7629d5]
/usr/bin/qemu-system-x86_64(main+0x358b)[0x44a12b]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb688fa63]
/usr/bin/qemu-system-x86_64(+0x4de1a)[0x44de1a]
root@debian:/home/benutzer# gdb -q --args qemu-system-x86_64 -drive
file=fat:storage/
Reading symbols from qemu-system-x86_64...done.
(gdb) run
Starting program: /usr/bin/qemu-system-x86_64 -drive file=fat:storage/
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
vvfat storage/ chs 1024,16,63
*** stack smashing detected ***: /usr/bin/qemu-system-x86_64 terminated
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb68df773]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb696f9b5]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfc96a)[0xb696f96a]
/usr/bin/qemu-system-x86_64(_fini+0x0)[0x764c14]
/usr/bin/qemu-system-x86_64(+0x31e56f)[0x71e56f]
/usr/bin/qemu-system-x86_64(+0x31ef17)[0x71ef17]
/usr/bin/qemu-system-x86_64(+0x2ffc13)[0x6ffc13]
/usr/bin/qemu-system-x86_64(+0x3006ec)[0x7006ec]
/usr/bin/qemu-system-x86_64(+0x2ff840)[0x6ff840]
/usr/bin/qemu-system-x86_64(+0x178363)[0x578363]
/usr/bin/qemu-system-x86_64(+0x1794b3)[0x5794b3]
/usr/bin/qemu-system-x86_64(+0x18c94e)[0x58c94e]
/usr/bin/qemu-system-x86_64(+0x3629d5)[0x7629d5]
/usr/bin/qemu-system-x86_64(main+0x358b)[0x44a12b]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb688ca63]
/usr/bin/qemu-system-x86_64(+0x4de1a)[0x44de1a]
(gdb) set height 0
(gdb) set width 0
(gdb) bt
#0 0xb7fddc90 in __kernel_vsyscall ()
#1 0xb68a1367 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2 0xb68a2a23 in __GI_abort () at abort.c:89
#3 0xb68df778 in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0xb69d51fd "*** %s ***: %s terminated\n") at
../sysdeps/posix/libc_fatal.c:175
#4 0xb696f9b5 in __GI___fortify_fail (msg=msg@entry=0xb69d51e5 "stack smashing
detected") at fortify_fail.c:31
#5 0xb696f96a in __stack_chk_fail () at stack_chk_fail.c:28
#6 0x00764c14 in __stack_chk_fail_local ()
#7 0x0071e56f in read_directory (s=0xe789c0, mapping_index=6) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:823
#8 0x0071ef17 in init_directories (errp=<optimized out>, secs=<optimized out>,
heads=<optimized out>, dirname=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:897
#9 vvfat_open (bs=0xe77748, options=0x0, flags=24642, errp=0xbffff1c8) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:1176
#10 0x006ffc13 in bdrv_open_common (errp=<optimized out>, drv=<optimized out>,
flags=<optimized out>, options=<optimized out>, file=<optimized out>,
bs=<optimized out>) at /home/benutzer/qemu/qemu-2.1+dfsg/block.c:974
#11 bdrv_open (pbs=0xbffff2ac, filename=0xe72d80 "fat:storage/",
reference=0x9caa80 <bdrv_vvfat> "h\251x", options=0xe781b0, flags=57410,
drv=0x9caa80 <bdrv_vvfat>, errp=0xbffff2b0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1485
#12 0x007006ec in bdrv_open_image (pbs=0xbffff2ac, filename=0xe72d80
"fat:storage/", options=0xe76728, bdref_key=0x781852 "file", flags=57410,
allow_none=true, errp=0xbffff2b0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1287
#13 0x006ff840 in bdrv_open (pbs=0xe71ed8, filename=0xe72d80 "fat:storage/",
reference=0x0, options=0xe76728, flags=8258, drv=0x0, errp=0xbffff350) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1464
#14 0x00578363 in blockdev_init (file=0x0, bs_opts=0xe754b0, errp=0xbffff464)
at /home/benutzer/qemu/qemu-2.1+dfsg/blockdev.c:523
#15 0x005794b3 in drive_new (all_opts=0xe633e8, block_default_type=IF_IDE) at
/home/benutzer/qemu/qemu-2.1+dfsg/blockdev.c:930
#16 0x0058c94e in drive_init_func (opts=0xe633e8, opaque=0xe619a0) at
/home/benutzer/qemu/qemu-2.1+dfsg/vl.c:1138
#17 0x007629d5 in qemu_opts_foreach (list=0x0, func=0x58c930 <drive_init_func>,
opaque=0xe619a0, abort_on_failure=1) at
/home/benutzer/qemu/qemu-2.1+dfsg/util/qemu-option.c:1072
#18 0x0044a12b in main (argc=3, argv=0xbffff7a4, envp=0xbffff7b4) at
/home/benutzer/qemu/qemu-2.1+dfsg/vl.c:4345
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) b read_directory
Breakpoint 1 at 0x71d770: file /home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c,
line 699.
(gdb) ignore 1 100000
Will ignore next 100000 crossings of breakpoint 1.
(gdb) run
Starting program: /usr/bin/qemu-system-x86_64 -drive file=fat:storage/
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
vvfat storage/ chs 1024,16,63
*** stack smashing detected ***: /usr/bin/qemu-system-x86_64 terminated
...
(gdb) info b
Num Type Disp Enb Address What
1 breakpoint keep y 0x0071d770 in read_directory at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:699
breakpoint already hit 1 time
ignore next 99999 hits
--> The stack smashing happens already in the first execution.
(gdb) kill
Kill the program being debugged? (y or n) y
(gdb) run
Starting program: /usr/bin/qemu-system-x86_64 -drive file=fat:storage/
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
vvfat storage/ chs 1024,16,63
Breakpoint 1, read_directory (s=0xe789c0, mapping_index=0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:699
699 {
1: x/i $pc
=> 0x71d770 <read_directory>: push %ebp
(gdb) disassemble read_directory
Dump of assembler code for function read_directory:
=> 0x0071d770 <+0>: push %ebp
0x0071d771 <+1>: push %edi
0x0071d772 <+2>: mov %eax,%ebp
0x0071d774 <+4>: push %esi
0x0071d775 <+5>: push %ebx
0x0071d776 <+6>: mov %edx,%eax
0x0071d778 <+8>: call 0x44de20 <__x86.get_pc_thunk.bx>
0x0071d77d <+13>: add $0x27edcb,%ebx
0x0071d783 <+19>: sub $0x1ec,%esp
0x0071d789 <+25>: mov %edx,0x3c(%esp)
0x0071d78d <+29>: mov 0x8040(%ebp),%edx
0x0071d793 <+35>: mov %gs:0x14,%ecx
0x0071d79a <+42>: mov %ecx,0x1dc(%esp)
0x0071d7a1 <+49>: xor %ecx,%ecx
...
0x0071de6b <+1787>: xor %gs:0x14,%ecx
0x0071de72 <+1794>: jne 0x71e56a <read_directory+3578>
...
(gdb) b *0x0071d7a1
Breakpoint 3 at 0x71d7a1: file /home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c,
line 699.
(gdb) cont
Continuing.
Breakpoint 3, 0x0071d7a1 in read_directory (s=0xe789c0, mapping_index=1) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:699
699 {
1: x/i $pc
=> 0x71d7a1 <read_directory+49>: xor %ecx,%ecx
(gdb) print/x 0x1dc+$esp
$1 = 0xbffff0dc
(gdb) watch *0xbffff0dc
Hardware watchpoint 4: *0xbffff0dc
(gdb) cont
Continuing.
Hardware watchpoint 4: *0xbffff0dc
Old value = 1953463552
New value = 1953463807
short2long_name (src=<optimized out>, dest=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:431
431 for(i=2*i+2;(i%26);i++)
1: x/i $pc
=> 0x71d9c4 <read_directory+596>: add $0x1,%ecx
(gdb) bt
#0 short2long_name (src=<optimized out>, dest=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:431
#1 create_long_filename (filename=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:439
#2 create_short_and_long_name (is_dot=<optimized out>, filename=<optimized
out>, directory_start=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:622
#3 read_directory (s=0xe789c0, mapping_index=9) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:744
#4 0x0071ef17 in init_directories (errp=<optimized out>, secs=<optimized out>,
heads=<optimized out>, dirname=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:897
#5 vvfat_open (bs=0xe77748, options=0x0, flags=24642, errp=0xbffff1c8) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:1176
#6 0x006ffc13 in bdrv_open_common (errp=<optimized out>, drv=<optimized out>,
flags=<optimized out>, options=<optimized out>, file=<optimized out>,
bs=<optimized out>) at /home/benutzer/qemu/qemu-2.1+dfsg/block.c:974
#7 bdrv_open (pbs=0xbffff2ac, filename=0xe72d80 "fat:storage/",
reference=0x9caa80 <bdrv_vvfat> "h\251x", options=0xe781b0, flags=57410,
drv=0x9caa80 <bdrv_vvfat>, errp=0xbffff2b0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1485
#8 0x007006ec in bdrv_open_image (pbs=0xbffff2ac, filename=0xe72d80
"fat:storage/", options=0xe76728, bdref_key=0x781852 "file", flags=57410,
allow_none=true, errp=0xbffff2b0) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1287
#9 0x006ff840 in bdrv_open (pbs=0xe71ed8, filename=0xe72d80 "fat:storage/",
reference=0x0, options=0xe76728, flags=8258, drv=0x0, errp=0xbffff350) at
/home/benutzer/qemu/qemu-2.1+dfsg/block.c:1464
#10 0x00578363 in blockdev_init (file=0xea <error: Cannot access memory at
address 0xea>, bs_opts=0xe754b0, errp=0xbffff464) at
/home/benutzer/qemu/qemu-2.1+dfsg/blockdev.c:523
#11 0x005794b3 in drive_new (all_opts=0xe633e8, block_default_type=IF_IDE) at
/home/benutzer/qemu/qemu-2.1+dfsg/blockdev.c:930
#12 0x0058c94e in drive_init_func (opts=0xe633e8, opaque=0xe619a0) at
/home/benutzer/qemu/qemu-2.1+dfsg/vl.c:1138
#13 0x007629d5 in qemu_opts_foreach (list=0x0, func=0x58c930 <drive_init_func>,
opaque=0xe619a0, abort_on_failure=1) at
/home/benutzer/qemu/qemu-2.1+dfsg/util/qemu-option.c:1072
#14 0x0044a12b in main (argc=3, argv=0xbffff7a4, envp=0xbffff7b4) at
/home/benutzer/qemu/qemu-2.1+dfsg/vl.c:4345
(gdb) print buffer
$4 =
"x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000x\000"...
(gdb) print &buffer
$5 = (char (*)[258]) 0xbfffefda
(gdb) list
420 /* dest is assumed to hold 258 bytes, and pads with 0xffff up to next
multiple of 26 */
421 static inline int short2long_name(char* dest,const char* src)
422 {
423 int i;
424 int len;
425 for(i=0;i<129 && src[i];i++) {
426 dest[2*i]=src[i];
427 dest[2*i+1]=0;
428 }
429 len=2*i;
430 dest[2*i]=dest[2*i+1]=0;
431 for(i=2*i+2;(i%26);i++)
432 dest[i]=0xff;
433 return len;
434 }
(gdb) up
#1 create_long_filename (filename=<optimized out>, s=<optimized out>) at
/home/benutzer/qemu/qemu-2.1+dfsg/block/vvfat.c:439
439 int length=short2long_name(buffer,filename),
(gdb) list
436 static inline direntry_t* create_long_filename(BDRVVVFATState* s,const
char* filename)
437 {
438 char buffer[258];
439 int length=short2long_name(buffer,filename),
440 number_of_entries=(length+25)/26,i;
441 direntry_t* entry;
442
443 for(i=0;i<number_of_entries;i++) {
444 entry=array_get_next(&(s->directory));
445 entry->attributes=0xf;
446 entry->reserved[0]=0;
447 entry->begin=0;
448 entry->name[0]=(number_of_entries-i)|(i==0?0x40:0);
449 }
450 for(i=0;i<26*number_of_entries;i++) {
451 int offset=(i%26);
452 if(offset<10) offset=1+offset;
453 else if(offset<22) offset=14+offset-10;
454 else offset=28+offset-22;
455 entry=array_get(&(s->directory),s->directory.next-1-(i/26));
456 entry->name[offset]=buffer[i];
457 }
458 return
array_get(&(s->directory),s->directory.next-number_of_entries);
459 }
Fixed upstream in [1].
Appears first in upstream branch stable-2.10 [2].
[1]
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=09ec4119fb5a48f6783c23e275e698d977a11ca9
[2]
https://git.qemu.org/?p=qemu.git;a=history;f=block/vvfat.c;h=a9e207f7f0a64e9c469a2ab45fcf7ca6063a2b4e;hb=refs/heads/stable-2.10
