    sk-netlink: fix overflow · e3101c8e
    Libo Chen authored
    breaks running ./crtools check:
    
    *** buffer overflow detected ***: ./crtools terminated
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fdaacb3e82c]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fdaacb3d700]
    ./crtools[0x423d00]
    ./crtools[0x41d021]
    ./crtools[0x41d259]
    ./crtools[0x41e4b6]
    ./crtools[0x418f03]
    ./crtools[0x404988]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fdaaca5576d]
    ./crtools[0x404ad9]
    ======= Memory map: ========
    00400000-00463000 r-xp 00000000 08:01 189158                             /home/clb/crtools/crtools
    00662000-00663000 r--p 00062000 08:01 189158                             /home/clb/crtools/crtools
    00663000-00671000 rw-p 00063000 08:01 189158                             /home/clb/crtools/crtools
    00671000-00677000 rw-p 00000000 00:00 0
    01801000-01822000 rw-p 00000000 00:00 0                                  [heap]
    7fdaac81e000-7fdaac833000 r-xp 00000000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fdaac833000-7fdaaca32000 ---p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fdaaca32000-7fdaaca33000 r--p 00014000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fdaaca33000-7fdaaca34000 rw-p 00015000 08:01 410533                     /lib/x86_64-linux-gnu/libgcc_s.so.1
    7fdaaca34000-7fdaacbe9000 r-xp 00000000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
    7fdaacbe9000-7fdaacde8000 ---p 001b5000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
    7fdaacde8000-7fdaacdec000 r--p 001b4000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
    7fdaacdec000-7fdaacdee000 rw-p 001b8000 08:01 393459                     /lib/x86_64-linux-gnu/libc-2.15.so
    7fdaacdee000-7fdaacdf3000 rw-p 00000000 00:00 0
    7fdaacdf3000-7fdaace03000 r-xp 00000000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
    7fdaace03000-7fdaad002000 ---p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
    7fdaad002000-7fdaad003000 r--p 0000f000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
    7fdaad003000-7fdaad004000 rw-p 00010000 08:01 937695                     /usr/local/lib/libprotobuf-c.so.0.0.0
    7fdaad004000-7fdaad01c000 r-xp 00000000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
    7fdaad01c000-7fdaad21b000 ---p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
    7fdaad21b000-7fdaad21c000 r--p 00017000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
    7fdaad21c000-7fdaad21d000 rw-p 00018000 08:01 393528                     /lib/x86_64-linux-gnu/libpthread-2.15.so
    7fdaad21d000-7fdaad221000 rw-p 00000000 00:00 0
    7fdaad221000-7fdaad243000 r-xp 00000000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
    7fdaad437000-7fdaad43b000 rw-p 00000000 00:00 0
    7fdaad440000-7fdaad443000 rw-p 00000000 00:00 0
    7fdaad443000-7fdaad444000 r--p 00022000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
    7fdaad444000-7fdaad446000 rw-p 00023000 08:01 393441                     /lib/x86_64-linux-gnu/ld-2.15.so
    7fff9eb3c000-7fff9eb5d000 rw-p 00000000 00:00 0                          [stack]
    7fff9ebcf000-7fff9ebd1000 r-xp 00000000 00:00 0                          [vdso]
    ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
    
    I found this overflow at the phrase: memcpy(sd->groups, groups, sd->gsize);
    The reason is that sd->gsize = 8 bytes, but sd->groups = xmalloc(sizeof(sd->gsize)) is exactly 4 bytes.
    Signed-off-by: Libo Chen <libo.chen@huawei.com>
    Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
    Acked-by: Andrey Vagin <avagin@openvz.org>
    Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
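The allocation mistake the commit message describes, as an added C example that is not CRIU's own code: `struct netlink_sk_desc`, its field types and every helper function here are assumptions chosen only to mirror the `sd->gsize` / `sd->groups` names in the message. It contrasts the capacity that `sizeof(sd->gsize)` provides (the width of the 32-bit count field, 4 bytes) with the capacity the value of `sd->gsize` demands (8 bytes in the reported run), and shows a bounded copy that refuses instead of overrunning, which is the condition glibc's FORTIFY check turned into the `*** buffer overflow detected ***` abort above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the netlink socket descriptor the commit
 * message refers to: gsize is a 32-bit byte count, groups a heap buffer
 * that must be able to hold gsize bytes. */
struct netlink_sk_desc {
    uint32_t gsize;        /* number of bytes of group bitmap to copy */
    unsigned char *groups; /* destination of the memcpy */
};

/* Capacity the buggy allocation provides: sizeof(sd->gsize) is the size of
 * the uint32_t field itself (4 on every platform), not the count stored in it. */
size_t buggy_groups_capacity(const struct netlink_sk_desc *sd)
{
    return sizeof(sd->gsize);
}

/* Capacity the fixed allocation provides: the value of gsize, which is the
 * length memcpy will actually write. */
size_t fixed_groups_capacity(const struct netlink_sk_desc *sd)
{
    return sd->gsize;
}

/* Bounded copy: returns 0 on success, -1 if the copy would overrun dst.
 * Refusing rather than truncating keeps the descriptor consistent instead
 * of silently dropping group bits. A zero-length copy needs no buffer. */
int copy_groups_checked(unsigned char *dst, size_t dst_cap,
                        const unsigned char *src, size_t n)
{
    if (n == 0)
        return 0;
    if (dst == NULL || src == NULL || n > dst_cap)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Runs both allocation strategies for a descriptor with the given gsize
 * and returns how many of them would have overflowed (1 for the buggy
 * one whenever gsize > 4). Returns -1 if gsize exceeds the sample source. */
int count_overflowing_allocations(uint32_t gsize)
{
    struct netlink_sk_desc sd = { .gsize = gsize, .groups = NULL };
    unsigned char src[64] = { 0 }; /* constructed sample group bitmap */
    int overflows = 0;

    if (gsize > sizeof(src))
        return -1;

    size_t caps[2] = { buggy_groups_capacity(&sd), fixed_groups_capacity(&sd) };
    for (int i = 0; i < 2; i++) {
        sd.groups = malloc(caps[i]);
        if (copy_groups_checked(sd.groups, caps[i], src, sd.gsize) != 0)
            overflows++;
        free(sd.groups);
        sd.groups = NULL;
    }
    return overflows;
}

int main(void)
{
    struct netlink_sk_desc sd = { .gsize = 8, .groups = NULL };

    printf("sizeof(sd->gsize) = %zu bytes, sd->gsize = %zu bytes\n",
           buggy_groups_capacity(&sd), fixed_groups_capacity(&sd));
    printf("allocation strategies that overflow for gsize=8: %d\n",
           count_overflowing_allocations(8));
    return 0;
}
```

The bug is invisible at compile time because `sizeof(sd->gsize)` is a perfectly valid expression; the only signal is that the allocation size never varies with the runtime count, which is the pattern to look for when reviewing a `malloc(sizeof(x))` followed by a `memcpy(..., x)`.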