12-11-2007, 09:15 PM
Daniel P. Berrange

Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
> Hi,
>
> I just received a bug report with a backtrace generated by glibc attached:
> https://bugzilla.redhat.com/attachment.cgi?id=284591
>
> Looks like a real bug however the reporter doesn't know exactly what he did
> to trigger this, so now I want to convert the backtrace glibc generated
> into one with filenames and line numbers for the addresses of the xfig
> stack frames.
>
> Can anyone tell me how to do this?

The following seems to work....

# yum --enablerepo=development-debuginfo install xfig-debuginfo

# gdb /usr/bin/xfig-plain

(gdb) list *0x4a3909
0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
29
30 #ifdef __va_arg_pack
31 __extern_always_inline int
32 __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
33 {
34 return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
35 __bos (__s), __fmt, __va_arg_pack ());
36 }
37 #elif !defined __cplusplus
38 # define sprintf(str, ...)


So the code is a sprintf call from the reset_topruler method.

Looking at that method, we can see a likely candidate:

(gdb) list reset_topruler
1160 /* Note: For reset_top/sideruler to work properly, the value of skip should be
1161 * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
1162 */
1163
1164 void reset_topruler(void)
1165 {
1166 register int i,k;
1167 register tick_info* tk;
1168 register Pixmap p = topruler_pm;
1169 char number[6];
(gdb) list +
1170 int X0,len;
1171 int tickmod, tickskip;
1172
1173 /* top ruler, adjustments for digits are kludges based on 6x13 char */
1174 XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
1175
1176 /* set the number of pixels to skip between labels and precision for float */
1177 get_skip_prec();
1178
1179 X0 = BACKX(0);
(gdb) list +
1180 X0 -= (X0 % skip);
1181 tickmod = (int) round(ruler_unit/appres.userscale);
1182 if (tickmod == 0)
1183 tickmod = 1;
1184
1185 /* see how big a label is to adjust spacing, if necessary */
1186 sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
1187 len = XTextWidth(roman_font, number, strlen(number));
1188 while (skipx < (len + 5)/zoomscale) {
1189 skip *= 2;


Line 1186 is printing a string into a fixed length buffer with no
checking. A clear buffer overflow candidate there if the combo of
the ruler size & the figure units is longer than 5 characters :-(

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
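The pattern Dan points at on line 1186 (sprintf of "%d%s" into `char number[6]`), reduced to a stand-alone C program together with a bounded replacement. This is an added example, not xfig's code and not part of the original post: `LABEL_LEN`, `label_bytes_needed`, `label_unsafe`, `label_safe` and the sample ruler values are assumptions chosen for illustration. It shows why a five-digit ruler value plus a two-character unit string cannot fit, and how a caller can detect truncation instead of overflowing the stack.

```c
/* Added example (not xfig's code): the overflow pattern from reset_topruler
 * line 1186, and a bounded replacement. LABEL_LEN, the helper names and the
 * sample values are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>

#define LABEL_LEN 6   /* mirrors `char number[6]` in reset_topruler */

/* Bytes needed, including the terminating NUL, to hold "<value><units>". */
size_t label_bytes_needed(int value, const char *units)
{
    int n = snprintf(NULL, 0, "%d%s", value, units);
    return (size_t)n + 1;
}

/* The original pattern: sprintf into a fixed buffer with no length check.
 * Built with _FORTIFY_SOURCE this becomes __sprintf_chk, which compares the
 * formatted length against __builtin_object_size(number) and aborts with
 * "*** buffer overflow detected ***" instead of silently smashing the stack.
 * Without fortification it is plain stack corruption. Never called below. */
void label_unsafe(char number[LABEL_LEN], int value, const char *units)
{
    sprintf(number, "%d%s", value, units);
}

/* Bounded replacement: snprintf with the real buffer size, plus a return
 * value telling the caller whether the label fit (1) or was truncated (0).
 * The buffer is always NUL-terminated when size > 0. */
int label_safe(char *number, size_t size, int value, const char *units)
{
    int n = snprintf(number, size, "%d%s", value, units);
    return n >= 0 && (size_t)n < size;
}

int main(void)
{
    /* Constructed inputs: ruler values of the kind produced by
     * (X0 + TOPRULER_WD/zoomscale)/tickmod, and a figure units string. */
    const int values[] = { 100, 9999, 10000, -1000 };
    const char *units = "in";
    char number[LABEL_LEN];

    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        size_t need = label_bytes_needed(values[i], units);
        int fit = label_safe(number, sizeof number, values[i], units);
        printf("%6d%s needs %zu bytes, buffer has %d: %s (got \"%s\")\n",
               values[i], units, need, LABEL_LEN,
               fit ? "fits" : "TRUNCATED, sprintf would overflow", number);
    }
    return 0;
}
```

Build it with `gcc -O2 -g -D_FORTIFY_SOURCE=2` and call `label_unsafe` with the 10000 case to reproduce the same `*** buffer overflow detected ***` abort the bug reporter saw; an address from that backtrace can then be resolved non-interactively with `gdb -batch -ex 'list *0xADDR' ./a.out`, which is the same `list *addr` step Dan used above once the debuginfo is installed.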
 
12-11-2007, 09:17 PM
seth vidal

Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

On Tue, 2007-12-11 at 21:15 +0000, Daniel P. Berrange wrote:
> On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
> > Hi,
> >
> > I just received a bug report with a backtrace generated by glibc attached:
> > https://bugzilla.redhat.com/attachment.cgi?id=284591
> >
> > Looks like a real bug however the reporter doesn't know exactly what he did
> > to trigger this, so now I want to convert the backtrace glibc generated
> > into one with filenames and line numbers for the addresses of the xfig
> > stack frames.
> >
> > Can anyone tell me how to do this?
>
> The following seems to work....
>
> # yum --enablerepo=development-debuginfo install xfig-debuginfo
>
if you have yum-utils installed you can run:

debuginfo-install xfig

just a useless tidbit.

-sv


 
12-12-2007, 12:47 AM
Bastien Nocera

Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

On Tue, 2007-12-11 at 16:17 -0500, seth vidal wrote:
<snip>
> if you have yum-utils installed you can run:
>
> debuginfo-install xfig

Do you have a page full of stuff like that somewhere? Something
installing all the deps from a .spec or a specific source file would be
grand.

/Bastien who uses yum like he did apt-get many moons ago

 
12-12-2007, 02:50 AM
James Antill

Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

On Wed, 2007-12-12 at 00:47 +0000, Bastien Nocera wrote:

> Something
> installing all the deps from a .spec or a specific source file would be
> grand.

yum-builddep does that, also in yum-utils.

--
James Antill <james.antill@redhat.com>
Red Hat
 
12-12-2007, 03:58 AM
seth vidal

Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

On Tue, 2007-12-11 at 21:50 -0500, James Antill wrote:
> On Wed, 2007-12-12 at 00:47 +0000, Bastien Nocera wrote:
>
> > Something
> > installing all the deps from a .spec or a specific source file would be
> > grand.
>
> yum-builddep does that, also in yum-utils.
>

make sure you get 1.1.9 out of updates-testing b/c yum-builddep in 1.1.8
didn't work so well, or, you know, at all.

-sv


 
12-12-2007, 07:39 PM
Hans de Goede

Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

Daniel P. Berrange wrote:

<snip>

Many thanks!

A fixed version is building now

Regards,

Hans
