Your message dated Tue, 16 Nov 2010 21:03:33 +0000
with message-id <e1pisgf-0003i5...@franck.debian.org>
and subject line Bug#603439: fixed in gpsd 2.95-8
has caused the Debian Bug report #603439,
regarding gpsd: SEGV when receiving short aivdm message type 26
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
603439: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603439
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: gpsd: SEGV when receiving short aivdm message type 26
Package: gpsd
Version: 2.95-7
Severity: important
Tags: patch

The gps daemon, when connected to a public AIS source, is crashing every week or
so.

I traced back the segment violation to an unsigned size being assigned a
negative value, leading to a call to memcpy with an insane value.

You can reproduce this with a simple:
echo '!AIVDM,1,1,,A,J=IJuwOmoTt,2*3F' | gpsdecode

SIGSEGV
(gdb) bt
#0  0xb75e2d5c in memcpy () from /lib/i686/cmov/libc.so.6
#1  0xb66a972b in aivdm_decode (buf=0x868e76c "!AIVDM,1,1,,A,J=IJuwOmoTt,2*3F", buflen=31, ais_contexts=0x86e70f8,
    ais=0x86e4c38) at driver_aivdm.c:810
...
(gdb) up
(gdb) display ais->type
5: ais->type = 26
(gdb) display ais->repeat
6: ais->repeat = 0
(gdb) display ais->mmsi
7: ais->mmsi = 899071485
(gdb) display ais->type
8: ais->type = 26
(gdb) display ais_context->bitlen
9: ais_context->bitlen = 64
(gdb) display ais->type26.addressed
10: ais->type26.addressed = true
(gdb) display ais->type26.structured
11: ais->type26.structured = true
(gdb) display ais->type26.dest_mmsi
12: ais->type26.dest_mmsi = 1031246784
(gdb) display ais->type26.app_id
13: ais->type26.app_id = 0
(gdb) display ais->type26.bitcount
14: ais->type26.bitcount = 4294967284
(gdb) display (ais->type26.bitcount + 7) / 8
15: (ais->type26.bitcount + 7) / 8 = 536870911
(gdb) display 60 + 16*ais->type26.structured
17: 60 + 16 * ais->type26.structured = 76

Message type 25 checks that bitlen is not too small before assigning
bitcount, after testing addressed and structured.

Attached is a 2-line patch that adds such a test for type 26 messages.

After patching
  echo '!AIVDM,1,1,,A,J=IJuwOmoTt,2*3F' | gpsdecode -D 2
yields
  gpsdecode: AIVDM payload is 64 bits, 8 chars: 68d65af7f7f5de4f
  gpsdecode: AIVDM message type 26, MMSI 899071485:
  gpsdecode: AIVDM message type 26 too short for mode.
instead of
  Segment violation

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Subject: Fixes SEGV on reception of short aivdm type 26 message
Author: Nirgal Vourgère <jmv_...@nirgal.com>
Description: gpsd is crashing when receiving some messages such as
 !AIVDM,1,1,,A,J=IJuwOmoTt,2*3F
 because unsigned value ais->type26.bitcount is sometimes assigned
 a negative value.

TODO (see http://dep.debian.net/deps/dep3/):
Bug-Debian: http://bugs.debian.org/500000
Last-Update: 2010-11-14
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>

Index: gpsd-2.95/driver_aivdm.c
===================================================================
--- gpsd-2.95.orig/driver_aivdm.c
+++ gpsd-2.95/driver_aivdm.c
@@ -802,6 +802,10 @@
 	    }
 	    ais->type26.addressed	= (bool)UBITS(38, 1);
 	    ais->type26.structured	= (bool)UBITS(39, 1);
+	    if (ais_context->bitlen < 40 + 16*ais->type26.structured + 30*ais->type26.addressed + 20) {
+		gpsd_report(LOG_WARN, "AIVDM message type 26 too short for mode.\n");
+		return false;
+	    }
 	    if (ais->type26.addressed)
 		ais->type26.dest_mmsi   = UBITS(40, 30);
 	    if (ais->type26.structured)
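Review bot: the new bound `40 + 16*ais->type26.structured + 30*ais->type26.addressed + 20` carries an unexplained `+ 20`; neither a code comment nor the DEP-3 Description says what those 20 bits are, and the report's own gdb session suggests the decoder subtracts a different header length (`60 + 16*ais->type26.structured`, which for this frame gives 64 - 76 = -12, i.e. the 4294967284 seen in `bitcount`). Compute the header length once, e.g. `unsigned hdrlen = 40 + 30*ais->type26.addressed + 16*ais->type26.structured;`, use it both in this check and in the `bitcount` subtraction that feeds the memcpy at driver_aivdm.c:810 in the backtrace, and comment the extra 20 if a minimum payload is intended; otherwise the guard and the arithmetic it protects can drift apart. The DEP-3 header above the hunk also still has template values (`Bug-Debian: http://bugs.debian.org/500000`, the `Forwarded:` and `Reviewed-By:` placeholders) that should be filled in or dropped before this is carried in debian/patches.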

--- End Message ---
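As an added example that is not gpsd's code or the reporter's patch, this C program decodes the payload `J=IJuwOmoTt` (2 fill bits) from the report, reads the type 26 fields at the bit offsets the hunk uses (38, 39, 40), and contrasts the unchecked unsigned subtraction that wrapped `bitcount` with a guarded version. The header-length formula `40 + 30*addressed + 16*structured` is assumed from the hunk's field widths, and `aivdm_unarmor`, `ubits` and `T26_HDR` are names chosen here.

```c
/* Added example, not gpsd's code or the reporter's patch: unpack the AIVDM
 * payload quoted in the report and show why the type 26 header length must be
 * checked against bitlen before an unsigned payload bit count is computed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Undo AIVDM 6-bit ASCII armoring into a big-endian bit buffer; returns the
 * number of message bits after dropping the trailing fill bits, 0 on error. */
static unsigned aivdm_unarmor(const char *payload, unsigned fill, uint8_t *bits, unsigned cap)
{
    unsigned nbits = 0;
    memset(bits, 0, cap);
    for (; *payload; payload++) {
        int v = *payload - 48;
        if (v > 40) v -= 8;                 /* the armoring skips 8 code points */
        if (v < 0 || v > 63) return 0;
        for (int i = 5; i >= 0; i--, nbits++) {
            if (nbits / 8 >= cap) return 0;
            if (v & (1 << i)) bits[nbits / 8] |= (uint8_t)(0x80 >> (nbits % 8));
        }
    }
    return nbits >= fill ? nbits - fill : 0;
}

/* Extract an unsigned big-endian field of up to 32 bits starting at bit 'start'. */
static uint32_t ubits(const uint8_t *bits, unsigned start, unsigned width)
{
    uint32_t v = 0;
    for (unsigned i = start; i < start + width; i++)
        v = (v << 1) | ((bits[i / 8] >> (7 - i % 8)) & 1u);
    return v;
}

/* Header bits before the type 26 payload, per the offsets in the patch: 40 fixed,
 * +30 for dest_mmsi if addressed, +16 for app_id if structured (assumed layout). */
#define T26_HDR(addressed, structured) (40u + 30u * (addressed) + 16u * (structured))

/* Unguarded pattern from the report: unsigned subtraction that wraps on short frames. */
static unsigned type26_bitcount_unchecked(unsigned bitlen, bool a, bool s) { return bitlen - T26_HDR(a, s); }

/* Guarded pattern, as in the fix: reject the frame before the subtraction can wrap. */
static bool type26_bitcount_checked(unsigned bitlen, bool a, bool s, unsigned *count)
{
    if (bitlen < T26_HDR(a, s)) return false;   /* "message type 26 too short for mode" */
    *count = bitlen - T26_HDR(a, s);
    return true;
}
```

For the report's frame the decoded header is 86 bits against a 64-bit message, so the unchecked count wraps to a value near 2^32 while the guarded version rejects the frame.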
--- Begin Message ---
Source: gpsd
Source-Version: 2.95-8

We believe that the bug you reported is fixed in the latest version of
gpsd, which is due to be installed in the Debian FTP archive:

gpsd-clients_2.95-8_amd64.deb
  to main/g/gpsd/gpsd-clients_2.95-8_amd64.deb
gpsd-dbg_2.95-8_amd64.deb
  to main/g/gpsd/gpsd-dbg_2.95-8_amd64.deb
gpsd_2.95-8.diff.gz
  to main/g/gpsd/gpsd_2.95-8.diff.gz
gpsd_2.95-8.dsc
  to main/g/gpsd/gpsd_2.95-8.dsc
gpsd_2.95-8_amd64.deb
  to main/g/gpsd/gpsd_2.95-8_amd64.deb
libgps-dev_2.95-8_amd64.deb
  to main/g/gpsd/libgps-dev_2.95-8_amd64.deb
libgps19_2.95-8_amd64.deb
  to main/g/gpsd/libgps19_2.95-8_amd64.deb
libqgpsmm-dev_2.95-8_all.deb
  to main/g/gpsd/libqgpsmm-dev_2.95-8_all.deb
libqgpsmm19_2.95-8_amd64.deb
  to main/g/gpsd/libqgpsmm19_2.95-8_amd64.deb
python-gps_2.95-8_amd64.deb
  to main/g/gpsd/python-gps_2.95-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 603...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated gpsd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Tue, 16 Nov 2010 20:26:10 +0100
Source: gpsd
Binary: gpsd gpsd-dbg gpsd-clients python-gps libgps19 libgps-dev libqgpsmm19 
libqgpsmm-dev
Architecture: source all amd64
Version: 2.95-8
Distribution: unstable
Urgency: low
Maintainer: Bernd Zeimetz <b...@debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Description: 
 gpsd       - Global Positioning System - daemon
 gpsd-clients - Global Positioning System - clients
 gpsd-dbg   - Global Positioning System - debugging symbols
 libgps-dev - Global Positioning System - development files
 libgps19   - Global Positioning System - library
 libqgpsmm-dev - Global Positioning System - QT wrapper for libgps (development)
 libqgpsmm19 - Global Positioning System - QT wrapper for libgps
 python-gps - Global Positioning System - Python libraries
Closes: 603439
Changes: 
 gpsd (2.95-8) unstable; urgency=low
 .
   * [b6aae9a2] Stripping unnecessary options/comments from
     debian/gbp.conf
   * [405de6db] Add patch to fix a SEGV when receiving short aivdm
     message type 26. (Closes: #603439) - thanks to Nirgal Vourgère




--- End Message ---
