Dear Maintainer,
I tried to locate the exact spot of the stack smashing.
It looks like the ioctl(EXT2_IOC_GETFLAGS) takes an int* parameter,
but writes 8 bytes instead of just sizeof(int) to the given address.
The request number visible in the disassembly, 0x80086601, encodes an 8-byte argument, while the local `f` passed from 0x4(%rsp) is only 4 bytes (`sizeof(f)` = 4), so the extra 4 bytes land on the stack canary stored at 0x8(%rsp) — which is exactly the write the watchpoint below catches inside ioctl(), and why the stack protector aborts the process.

Kind regards,
Bernhard


    Old value = (void *) 0xf759b62c03711000
    New value = (void *) 0xf759b62c00000000
    0x00007ffff7ec0cc7 in ioctl () at ../sysdeps/unix/syscall-template.S:120
    120     ../sysdeps/unix/syscall-template.S: Datei oder Verzeichnis nicht 
gefunden.
    1: x/i $pc
    => 0x7ffff7ec0cc7 <ioctl+7>:    cmp    $0xfffffffffffff001,%rax
    (gdb) bt
    #0  0x00007ffff7ec0cc7 in ioctl () at ../sysdeps/unix/syscall-template.S:120
    #1  0x00007ffff7fbcb17 in fgetflags (name=name@entry=0x7fffffffe83f 
"/dev/dri/card0", flags=flags@entry=0x7fffffffe3e0) at 
../../../../lib/e2p/fgetflags.c:90
    #2  0x00005555555554d5 in list_attributes (name=name@entry=0x7fffffffe83f 
"/dev/dri/card0") at ../../../misc/lsattr.c:85
    #3  0x00005555555556c9 in lsattr_args (name=0x7fffffffe83f 
"/dev/dri/card0") at ../../../misc/lsattr.c:134
    #4  0x0000555555555369 in main (argc=<optimized out>, argv=<optimized out>) 
at ../../../misc/lsattr.c:221

https://sources.debian.org/src/e2fsprogs/1.46.2-1/lib/e2p/fgetflags.c/#L90
https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tree/lib/e2p/fgetflags.c#n90
# single-use Bullseye/testing amd64 qemu VM 2021-04-04
# Reproduction environment setup; needs root (it writes under /etc). Every
# step below mutates the system, and the LD_PRELOAD export affects every
# program started from this shell, so this is only acceptable on a throwaway VM.

# Disable readline bracketed paste (presumably so pasted multi-line command
# blocks run as typed), then start a fresh bash so the inputrc change is picked up.
echo "set enable-bracketed-paste off" >> /etc/inputrc; bash

apt update

# to speedup testing
# Renaming manpath.config looks intended to make the man-db trigger a no-op
# during package installs (confirm). libeatmydata turns fsync() and friends
# into no-ops for every process that inherits LD_PRELOAD, so the VM's disk
# state is not crash-safe from here on -- expected on a single-use VM only.
mv /etc/manpath.config /etc/manpath.config.renamed
apt install libeatmydata1
export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libeatmydata.so

apt dist-upgrade
# Core-dump capture plus the debug symbols needed for the backtraces below to
# resolve fgetflags/lsattr frames to source lines.
apt install systemd-coredump gdb valgrind \
        e2fsprogs-dbgsym libext2fs2-dbgsym
.










benutzer@debian:~$ lsattr /dev/dri/card0
*** stack smashing detected ***: terminated
Abgebrochen (Speicherabzug geschrieben)

root@debian:~# coredumpctl list
TIME                            PID   UID   GID SIG COREFILE  EXE
Sun 2021-04-04 14:22:59 CEST   1921  1000  1000   6 present   /usr/bin/lsattr

root@debian:~# coredumpctl gdb 1921
           PID: 1921 (lsattr)
           UID: 1000 (benutzer)
           GID: 1000 (benutzer)
        Signal: 6 (ABRT)
     Timestamp: Sun 2021-04-04 14:22:59 CEST (50s ago)
  Command Line: lsattr /dev/dri/card0
    Executable: /usr/bin/lsattr
 Control Group: /user.slice/user-1000.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-1000.slice
       Session: 3
     Owner UID: 1000 (benutzer)
       Boot ID: de580d9e15564f17b195ec068c7129dc
    Machine ID: 33f18f39d2a9438eb75b0ed52848afcd
      Hostname: debian
       Storage: 
/var/lib/systemd/coredump/core.lsattr.1000.de580d9e15564f17b195ec068c7129dc.1921.1617538979000000.zst
       Message: Process 1921 (lsattr) of user 1000 dumped core.
                
                Stack trace of thread 1921:
                #0  0x00007f7ea4286ce1 __GI_raise (libc.so.6 + 0x3bce1)
                #1  0x00007f7ea4270537 __GI_abort (libc.so.6 + 0x25537)
                #2  0x00007f7ea42c9768 __libc_message (libc.so.6 + 0x7e768)
                #3  0x00007f7ea4358652 __GI___fortify_fail (libc.so.6 + 
0x10d652)
                #4  0x00007f7ea4358630 __stack_chk_fail (libc.so.6 + 0x10d630)
                #5  0x00007f7ea443bbd6 fgetflags (libe2p.so.2 + 0x3bd6)
                #6  0x0000557d54ea24d5 n/a (lsattr + 0x14d5)
                #7  0x0000557d54ea26c9 n/a (lsattr + 0x16c9)
                #8  0x0000557d54ea2369 n/a (lsattr + 0x1369)
                #9  0x00007f7ea4271d0a __libc_start_main (libc.so.6 + 0x26d0a)
                #10 0x0000557d54ea23ea n/a (lsattr + 0x13ea)


...
Core was generated by `lsattr /dev/dri/card0'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht 
gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f7ea4270537 in __GI_abort () at abort.c:79
#2  0x00007f7ea42c9768 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7f7ea43d7c24 "*** %s ***: terminated\n") at 
../sysdeps/posix/libc_fatal.c:155
#3  0x00007f7ea4358652 in __GI___fortify_fail (msg=msg@entry=0x7f7ea43d7c0c 
"stack smashing detected") at fortify_fail.c:26
#4  0x00007f7ea4358630 in __stack_chk_fail () at stack_chk_fail.c:24
#5  0x00007f7ea443bbd6 in fgetflags () from /lib/x86_64-linux-gnu/libe2p.so.2
#6  0x0000557d54ea24d5 in ?? ()
#7  0x0000557d54ea26c9 in ?? ()
#8  0x0000557d54ea2369 in ?? ()
#9  0x00007f7ea4271d0a in __libc_start_main (main=0x557d54ea21d0, argc=2, 
argv=0x7ffda1e5c978, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7ffda1e5c968) at ../csu/libc-start.c:308
#10 0x0000557d54ea23ea in ?? ()

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007f7ea4270537 in __GI_abort () at abort.c:79
#2  0x00007f7ea42c9768 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7f7ea43d7c24 "*** %s ***: terminated\n") at 
../sysdeps/posix/libc_fatal.c:155
#3  0x00007f7ea4358652 in __GI___fortify_fail (msg=msg@entry=0x7f7ea43d7c0c 
"stack smashing detected") at fortify_fail.c:26
#4  0x00007f7ea4358630 in __stack_chk_fail () at stack_chk_fail.c:24
#5  0x00007f7ea443bbd6 in fgetflags (name=name@entry=0x7ffda1e5e851 
"/dev/dri/card0", flags=flags@entry=0x7ffda1e5c760) at 
../../../../lib/e2p/fgetflags.c:105
#6  0x0000557d54ea24d5 in list_attributes (name=name@entry=0x7ffda1e5e851 
"/dev/dri/card0") at ../../../misc/lsattr.c:85
#7  0x0000557d54ea26c9 in lsattr_args (name=0x7ffda1e5e851 "/dev/dri/card0") at 
../../../misc/lsattr.c:134
#8  0x0000557d54ea2369 in main (argc=<optimized out>, argv=<optimized out>) at 
../../../misc/lsattr.c:221








benutzer@debian:~$ valgrind lsattr /dev/dri/card0
==2054== Memcheck, a memory error detector
==2054== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2054== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2054== Command: lsattr /dev/dri/card0
==2054== 
*** stack smashing detected ***: terminated
==2054== 
==2054== Process terminating with default action of signal 6 (SIGABRT)
==2054==    at 0x48BBCE1: raise (raise.c:51)
==2054==    by 0x48A5536: abort (abort.c:79)
==2054==    by 0x48FE767: __libc_message (libc_fatal.c:155)
==2054==    by 0x498D651: __fortify_fail (fortify_fail.c:26)
==2054==    by 0x498D62F: __stack_chk_fail (stack_chk_fail.c:24)
==2054==    by 0x484FBD5: fgetflags (fgetflags.c:105)
==2054==    by 0x1094D4: list_attributes (lsattr.c:85)
==2054==    by 0x1096C8: lsattr_args (lsattr.c:134)
==2054==    by 0x109368: main (lsattr.c:221)
==2054== 
==2054== HEAP SUMMARY:
==2054==     in use at exit: 0 bytes in 0 blocks
==2054==   total heap usage: 21 allocs, 21 frees, 4,285 bytes allocated
==2054== 
==2054== All heap blocks were freed -- no leaks are possible
==2054== 
==2054== For lists of detected and suppressed errors, rerun with: -s
==2054== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Abgebrochen (Speicherabzug geschrieben)





gdb -q --args lsattr /dev/dri/card0
# Everything below is entered at the (gdb) prompt.
set width 0
set pagination off
tb fgetflags
display/i $pc
run
disassemble fgetflags
# fgetflags+29 is the instruction that stores the stack canary to 0x8(%rsp)
# (see the disassembly); stop there to learn the canary slot's address.
tb * fgetflags+29
cont
# Address of the canary slot; gdb records the result in its value history as $1
# (not a shell positional parameter).
print/x $rsp + 0x8
x/1xg $1
# Execute the store, then confirm the canary is now in the slot.
stepi
x/1xg $1
# Break on whatever next writes the canary slot, and show who did it.
watch *(void**) $1
cont
bt





benutzer@debian:~$ gdb -q --args lsattr /dev/dri/card0
Reading symbols from lsattr...
Reading symbols from 
/usr/lib/debug/.build-id/06/7ebd15723bbab8d5c0106d295a312912f5c201.debug...
(gdb) set width 0
(gdb) set pagination off
(gdb) tb fgetflags
Temporary breakpoint 1 at 0x10a0
(gdb) display/i $pc
1: x/i $pc
<error: No registers.>
(gdb) run
Starting program: /usr/bin/lsattr /dev/dri/card0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Temporary breakpoint 1, fgetflags (name=name@entry=0x7fffffffe83f 
"/dev/dri/card0", flags=flags@entry=0x7fffffffe3e0) at 
../../../../lib/e2p/fgetflags.c:52
52      ../../../../lib/e2p/fgetflags.c: Datei oder Verzeichnis nicht gefunden.
1: x/i $pc
=> 0x7ffff7fbcad0 <fgetflags>:  push   %r14
(gdb) disassemble fgetflags
Dump of assembler code for function fgetflags:
=> 0x00007ffff7fbcad0 <+0>:     push   %r14
   0x00007ffff7fbcad2 <+2>:     push   %r13
   0x00007ffff7fbcad4 <+4>:     push   %r12
   0x00007ffff7fbcad6 <+6>:     push   %rbp
   0x00007ffff7fbcad7 <+7>:     push   %rbx
   0x00007ffff7fbcad8 <+8>:     mov    %rsi,%rbx
   0x00007ffff7fbcadb <+11>:    mov    $0x20800,%esi
   0x00007ffff7fbcae0 <+16>:    sub    $0x10,%rsp
   0x00007ffff7fbcae4 <+20>:    mov    %fs:0x28,%rax
   0x00007ffff7fbcaed <+29>:    mov    %rax,0x8(%rsp)
   0x00007ffff7fbcaf2 <+34>:    xor    %eax,%eax
   0x00007ffff7fbcaf4 <+36>:    call   0x7ffff7fbc2c0 <open@plt>
   0x00007ffff7fbcaf9 <+41>:    cmp    $0xffffffff,%eax
   0x00007ffff7fbcafc <+44>:    je     0x7ffff7fbcb88 <fgetflags+184>
   0x00007ffff7fbcb02 <+50>:    mov    %eax,%edi
   0x00007ffff7fbcb04 <+52>:    mov    %eax,%ebp
   0x00007ffff7fbcb06 <+54>:    lea    0x4(%rsp),%rdx
   0x00007ffff7fbcb0b <+59>:    mov    $0x80086601,%esi
   0x00007ffff7fbcb10 <+64>:    xor    %eax,%eax
   0x00007ffff7fbcb12 <+66>:    call   0x7ffff7fbc140 <ioctl@plt>
   0x00007ffff7fbcb17 <+71>:    mov    %eax,%r12d
   0x00007ffff7fbcb1a <+74>:    cmp    $0xffffffff,%eax
   0x00007ffff7fbcb1d <+77>:    je     0x7ffff7fbcb58 <fgetflags+136>
   0x00007ffff7fbcb1f <+79>:    movslq 0x4(%rsp),%rax
   0x00007ffff7fbcb24 <+84>:    mov    %ebp,%edi
   0x00007ffff7fbcb26 <+86>:    mov    %rax,(%rbx)
   0x00007ffff7fbcb29 <+89>:    call   0x7ffff7fbc170 <close@plt>
   0x00007ffff7fbcb2e <+94>:    mov    0x8(%rsp),%rax
   0x00007ffff7fbcb33 <+99>:    sub    %fs:0x28,%rax
   0x00007ffff7fbcb3c <+108>:   jne    0x7ffff7fbcbd1 <fgetflags+257>
   0x00007ffff7fbcb42 <+114>:   add    $0x10,%rsp
   0x00007ffff7fbcb46 <+118>:   mov    %r12d,%eax
   0x00007ffff7fbcb49 <+121>:   pop    %rbx
   0x00007ffff7fbcb4a <+122>:   pop    %rbp
   0x00007ffff7fbcb4b <+123>:   pop    %r12
   0x00007ffff7fbcb4d <+125>:   pop    %r13
   0x00007ffff7fbcb4f <+127>:   pop    %r14
   0x00007ffff7fbcb51 <+129>:   ret    
   0x00007ffff7fbcb52 <+130>:   nopw   0x0(%rax,%rax,1)
   0x00007ffff7fbcb58 <+136>:   call   0x7ffff7fbc060 <__errno_location@plt>
   0x00007ffff7fbcb5d <+141>:   mov    (%rax),%r14d
   0x00007ffff7fbcb60 <+144>:   mov    %rax,%r13
   0x00007ffff7fbcb63 <+147>:   movslq 0x4(%rsp),%rax
   0x00007ffff7fbcb68 <+152>:   cmp    $0x19,%r14d
   0x00007ffff7fbcb6c <+156>:   je     0x7ffff7fbcbb0 <fgetflags+224>
   0x00007ffff7fbcb6e <+158>:   mov    %rax,(%rbx)
   0x00007ffff7fbcb71 <+161>:   mov    %ebp,%edi
   0x00007ffff7fbcb73 <+163>:   call   0x7ffff7fbc170 <close@plt>
   0x00007ffff7fbcb78 <+168>:   test   %r14d,%r14d
   0x00007ffff7fbcb7b <+171>:   je     0x7ffff7fbcba0 <fgetflags+208>
   0x00007ffff7fbcb7d <+173>:   mov    %r14d,0x0(%r13)
   0x00007ffff7fbcb81 <+177>:   jmp    0x7ffff7fbcb2e <fgetflags+94>
   0x00007ffff7fbcb83 <+179>:   nopl   0x0(%rax,%rax,1)
   0x00007ffff7fbcb88 <+184>:   call   0x7ffff7fbc060 <__errno_location@plt>
   0x00007ffff7fbcb8d <+189>:   mov    (%rax),%edx
   0x00007ffff7fbcb8f <+191>:   cmp    $0x28,%edx
   0x00007ffff7fbcb92 <+194>:   je     0x7ffff7fbcb99 <fgetflags+201>
   0x00007ffff7fbcb94 <+196>:   cmp    $0x6,%edx
   0x00007ffff7fbcb97 <+199>:   jne    0x7ffff7fbcba0 <fgetflags+208>
   0x00007ffff7fbcb99 <+201>:   movl   $0x5f,(%rax)
   0x00007ffff7fbcb9f <+207>:   nop
   0x00007ffff7fbcba0 <+208>:   mov    $0xffffffff,%r12d
   0x00007ffff7fbcba6 <+214>:   jmp    0x7ffff7fbcb2e <fgetflags+94>
   0x00007ffff7fbcba8 <+216>:   nopl   0x0(%rax,%rax,1)
   0x00007ffff7fbcbb0 <+224>:   movl   $0x5f,0x0(%r13)
   0x00007ffff7fbcbb8 <+232>:   mov    %ebp,%edi
   0x00007ffff7fbcbba <+234>:   mov    $0x5f,%r14d
   0x00007ffff7fbcbc0 <+240>:   mov    %rax,(%rbx)
   0x00007ffff7fbcbc3 <+243>:   call   0x7ffff7fbc170 <close@plt>
   0x00007ffff7fbcbc8 <+248>:   mov    %r14d,0x0(%r13)
   0x00007ffff7fbcbcc <+252>:   jmp    0x7ffff7fbcb2e <fgetflags+94>
   0x00007ffff7fbcbd1 <+257>:   call   0x7ffff7fbc110 <__stack_chk_fail@plt>
End of assembler dump.
(gdb) tb * fgetflags+29
Temporary breakpoint 2 at 0x7ffff7fbcaed: file ../../../../lib/e2p/fgetflags.c, 
line 52.
(gdb) cont
Continuing.

Temporary breakpoint 2, 0x00007ffff7fbcaed in fgetflags 
(name=name@entry=0x7fffffffe83f "/dev/dri/card0", 
flags=flags@entry=0x7fffffffe3e0) at ../../../../lib/e2p/fgetflags.c:52
52      in ../../../../lib/e2p/fgetflags.c
1: x/i $pc
=> 0x7ffff7fbcaed <fgetflags+29>:       mov    %rax,0x8(%rsp)
(gdb) print/x $rsp + 0x8
$1 = 0x7fffffffe3a8
(gdb) x/1xg $1
0x7fffffffe3a8: 0x0000000000000000
(gdb) stepi
0x00007ffff7fbcaf2      52      in ../../../../lib/e2p/fgetflags.c
1: x/i $pc
=> 0x7ffff7fbcaf2 <fgetflags+34>:       xor    %eax,%eax
(gdb) x/1xg $1
0x7fffffffe3a8: 0xf759b62c03711000
(gdb) watch *(void**) $1
Watchpoint 3: *(void**) $1
(gdb) cont
Continuing.

Watchpoint 3: *(void**) $1

Old value = (void *) 0xf759b62c03711000
New value = (void *) 0xf759b62c00000000
0x00007ffff7ec0cc7 in ioctl () at ../sysdeps/unix/syscall-template.S:120
120     ../sysdeps/unix/syscall-template.S: Datei oder Verzeichnis nicht 
gefunden.
1: x/i $pc
=> 0x7ffff7ec0cc7 <ioctl+7>:    cmp    $0xfffffffffffff001,%rax
(gdb) bt
#0  0x00007ffff7ec0cc7 in ioctl () at ../sysdeps/unix/syscall-template.S:120
#1  0x00007ffff7fbcb17 in fgetflags (name=name@entry=0x7fffffffe83f 
"/dev/dri/card0", flags=flags@entry=0x7fffffffe3e0) at 
../../../../lib/e2p/fgetflags.c:90
#2  0x00005555555554d5 in list_attributes (name=name@entry=0x7fffffffe83f 
"/dev/dri/card0") at ../../../misc/lsattr.c:85
#3  0x00005555555556c9 in lsattr_args (name=0x7fffffffe83f "/dev/dri/card0") at 
../../../misc/lsattr.c:134
#4  0x0000555555555369 in main (argc=<optimized out>, argv=<optimized out>) at 
../../../misc/lsattr.c:221
(gdb) up
#1  0x00007ffff7fbcb17 in fgetflags (name=name@entry=0x7fffffffe83f 
"/dev/dri/card0", flags=flags@entry=0x7fffffffe3e0) at 
../../../../lib/e2p/fgetflags.c:90
90      ../../../../lib/e2p/fgetflags.c: Datei oder Verzeichnis nicht gefunden.
(gdb) print sizeof(f)
$2 = 4





https://sources.debian.org/src/e2fsprogs/1.46.2-1/lib/e2p/fgetflags.c/#L90
https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/tree/lib/e2p/fgetflags.c#n90










gdb -q --args lsattr /dev/dri/card0
# Shorter variant: stop at the ioctl() call and step up into fgetflags so
# locals such as f can be inspected (presumably where `print sizeof(f)` above
# was run; confirm).
tb fgetflags
set width 0
set pagination off
run
tb ioctl
cont
up
