BusyBox Bug and Patch Tracking
BusyBox

ID: 0002344
Category: [BusyBox] Security
Severity: crash
Reproducibility: always
Date Submitted: 02-25-08 10:15
Last Update: 02-27-08 12:25
Reporter: hawq
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: no change required
Status: closed
Product Version:
Summary: 0002344: fdisk from busybox 1.9.0 and 1.9.1 = segmentation fault
Description: fdisk from busybox 1.9.0 and 1.9.1 causes a segmentation fault when run:

busybox-1.9.1 $ ./busybox fdisk
Segmentation fault

gdb says:

Program received signal SIGSEGV, Segmentation fault.
0x080952f5 in fdisk_main (argc=1, argv=0xbfb8ebf8) at util-linux/fdisk.c:2776
2776 INIT_G();
(gdb) bt
#0  0x080952f5 in fdisk_main (argc=1, argv=0xbfb8ebf8) at util-linux/fdisk.c:2776
#1  0x0804edf8 in run_applet_no_and_exit (applet_no=-1078400008, argv=0xbfb8ebf8) at libbb/appletlib.c:649
#2  0x0804ee1e in run_applet_and_exit (name=0xbfb8ed41 "fdisk", argv=0xbfb8ebf8) at libbb/appletlib.c:656
#3  0x080d4d7d in applet_install_loc ()
#4  0xbfb8ed41 in ?? ()
#5  0x0804ed67 in busybox_main (argv=0x44) at libbb/appletlib.c:629
#6  0x080d53ef in bb_path_wtmp_file ()
#7  0xbfb8ebf4 in ?? ()
#8  0x0804ee35 in run_applet_and_exit (name=0xffffffff <Address 0xffffffff out of bounds>, argv=0xbfb8ed35) at libbb/appletlib.c:658
#9  0x0804ee87 in main (argc=-1078400012, argv=0xbfb8ebf4) at libbb/appletlib.c:684

Busybox was compiled on a system with:

glibc 2.3.6
gcc 3.3.6
uClibc 0.9.28

The same version with the same config compiled on another system works ok. Here are the versions from the other system:

glibc 2.7
gcc 4.2.3
uClibc 0.9.29
Attached Files: busybox.config (20,272 bytes) 02-26-08 00:32

- Notes
(0005314)
vda
02-25-08 15:33

Works for me:

# ./busybox fdisk
BusyBox v1.9.1 (2008-02-15 15:10:21 CET) multi-call binary

Usage: fdisk [-luv] [-C CYLINDERS] [-H HEADS] [-S SECTORS] [-b SSZ] DISK

Change partition table

Options:
        -l List partition table(s)
        -u Give Start and End in sector (instead of cylinder) units
        -s PARTITION Give partition size(s) in blocks
        -b 2048 (for certain MO disks) use 2048-byte sectors
        -C CYLINDERS Set the number of cylinders
        -H HEADS Set the number of heads
        -S SECTORS Set the number of sectors
        -v Give fdisk version

Can you attach your .config to the bug?
 
(0005344)
hawq
02-26-08 00:34

I've uploaded my config. I think it's because of the older gcc or glibc I used to compile it. Unfortunately, I can't use a newer glibc/gcc there.
 
(0005354)
vda
02-26-08 03:52

You need to debug it further.

You have CONFIG_FEATURE_FDISK_WRITABLE=y. Therefore this part of the code is active in fdisk_main():


#if ENABLE_FEATURE_FDISK_WRITABLE
        if (argc != 1)
                bb_show_usage();

Since the usage message is not printed, this code is not reached. The SEGV is before it, and this narrows things a lot.

Go to fdisk_main and instrument it as follows:

int fdisk_main(...)
{
...
        enum {
                OPT_b = 1 << 0,
...
        };
+bb_error_msg("HERE A");
        INIT_G();
+bb_error_msg("HERE B");

        opt = getopt32(argv, "b:C:H:lS:u" USE_FEATURE_FDISK_BLKSIZE("s"),
                                &str_b, &str_C, &str_H, &str_S);
        argc -= optind;
        argv += optind;
+bb_error_msg("HERE C");
        if (opt & OPT_b) { // -b
        }
        if (opt & OPT_C) user_cylinders = xatoi_u(str_C); // -C
+bb_error_msg("HERE D");
        if (opt & OPT_H) { // -H
...
#if ENABLE_FEATURE_FDISK_WRITABLE
+bb_error_msg("HERE Z");
        if (argc != 1)
                bb_show_usage();

Rebuild and run. Where will it die?
 
(0005424)
hawq
02-26-08 11:52

busybox-1.9.1 $ ./busybox fdisk
fdisk: HERE A
Segmentation fault

It dies on INIT_G(). Exactly like gdb said.
 
(0005444)
vda
02-27-08 10:46

Try this fix:


 #define INIT_G() do { \
        PTR_TO_GLOBALS = xzalloc(sizeof(G)); \
+ asm volatile("":::"memory"); \
        sector_size = DEFAULT_SECTOR_SIZE; \

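Review bot: the added `asm volatile("":::"memory")` line in INIT_G() carries no comment explaining why it is there. An empty asm with a "memory" clobber only stops the compiler from caching or reordering memory accesses across that point, so its purpose in this hunk is to make sure the `sector_size = DEFAULT_SECTOR_SIZE;` store that follows goes through the pointer just assigned by `PTR_TO_GLOBALS = xzalloc(sizeof(G));` rather than a value loaded earlier, which matches the crash reported at INIT_G(). Without a comment, a later reader of the macro will see a do-nothing asm and may remove it; suggest something like `/* compiler barrier: keep field stores after the PTR_TO_GLOBALS store */` on the new line.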
If it works, let me know gcc version and architecture you build for (basically, gcc -v output).
 
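The instrumentation in note 0005354 and the fix in note 0005444 both centre on the INIT_G() pattern: one heap-allocated globals block reached through a single pointer, with field names mapped onto it by macros. The program below is an added example written for this page, not BusyBox's own code; the struct fields, the `ptr_to_globals` variable, the `barrier()` macro and the `bb_error_msg()` stand-in are all assumptions chosen to mirror the snippets in the thread, and the pointer is deliberately a plain (non-const) static so that the store is one the compiler must honour under any optimisation level.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not BusyBox code: a self-contained model of the INIT_G()
 * pattern discussed in this thread. All names are hypothetical. */

#define DEFAULT_SECTOR_SIZE 512

struct globals {
    unsigned sector_size;
    unsigned user_cylinders;
    unsigned long long total_number_of_sectors;
};

/* Stand-in for the applet's globals pointer. It starts out NULL; any field
 * access through it before INIT_G() has run is the kind of NULL dereference
 * the report shows at fdisk.c:2776. */
static struct globals *ptr_to_globals;

/* Field accessors so the applet body reads like it uses ordinary globals. */
#define G              (*ptr_to_globals)
#define sector_size    (G.sector_size)
#define user_cylinders (G.user_cylinders)

/* Compiler-only barrier, the same statement vda's fix inserts. The empty
 * asm with a "memory" clobber tells the compiler that memory may have
 * changed here, so it may neither reuse a value of ptr_to_globals loaded
 * before this point nor hoist the field stores above the pointer store.
 * __asm__/__volatile__ spellings keep this valid under -std=c99 as well. */
#define barrier() __asm__ __volatile__("" ::: "memory")

/* Minimal stand-in for libbb's bb_error_msg(): "applet: message" on stderr,
 * the trace style used in note 0005354 ("fdisk: HERE A"). */
static void bb_error_msg(const char *msg)
{
    fprintf(stderr, "fdisk: %s\n", msg);
}

/* xzalloc-like helper: zeroed allocation that exits instead of returning NULL. */
static void *xzalloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p) {
        bb_error_msg("memory exhausted");
        exit(1);
    }
    return p;
}

/* The INIT_G() shape from the thread, with the barrier between the pointer
 * store and the first store through that pointer. sizeof(G) does not
 * dereference the pointer, so it is safe while ptr_to_globals is NULL. */
#define INIT_G() do { \
    ptr_to_globals = xzalloc(sizeof(G)); \
    barrier(); \
    sector_size = DEFAULT_SECTOR_SIZE; \
} while (0)

/* Runs the initialisation under the same A/B trace points vda suggested and
 * reports whether the globals block is usable afterwards. */
int init_globals_ok(void)
{
    bb_error_msg("HERE A");
    INIT_G();
    bb_error_msg("HERE B");
    return ptr_to_globals != NULL && sector_size == DEFAULT_SECTOR_SIZE;
}

/* Reads a field the way the applet body would, after INIT_G(). */
unsigned current_sector_size(void)
{
    return sector_size;
}

int main(void)
{
    int ok = init_globals_ok();
    printf("init ok: %d, sector_size: %u\n", ok, current_sector_size());
    return ok ? 0 : 1;
}
```

With the `barrier()` line removed the program is still correct C, because here `ptr_to_globals` is an ordinary non-const variable; the barrier only matters when the pointer is declared in a way that lets the compiler assume it never changes after load, which is the situation the thread's fix is working around.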
(0005454)
hawq
02-27-08 12:15

It worked. Thanks.

busybox-1.9.1 $ gcc -v
Reading specs from /usr/lib/gcc-lib/i686-pld-linux/3.3.6/specs
Configured with: ../configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --infodir=/usr/share/info --mandir=/usr/share/man --enable-shared --enable-symvers=gnu --enable-threads=posix --enable-__cxa_atexit --enable-languages=c,c++,f77,objc,ada,java,ksi --enable-c99 --enable-long-long --disable-multilib --enable-nls --with-gnu-as --with-gnu-ld --with-system-zlib --with-slibdir=/lib --without-x i686-pld-linux
Thread model: posix
gcc version 3.3.6 (PLD Linux)
 
(0005464)
bernhardf
02-27-08 12:25

Broken toolchain.
 

- Issue History
Date Modified Username Field Change
02-25-08 10:15 hawq New Issue
02-25-08 10:15 hawq Status new => assigned
02-25-08 10:15 hawq Assigned To  => BusyBox
02-25-08 15:33 vda Note Added: 0005314
02-26-08 00:32 hawq File Added: busybox.config
02-26-08 00:34 hawq Note Added: 0005344
02-26-08 03:52 vda Note Added: 0005354
02-26-08 11:52 hawq Note Added: 0005424
02-27-08 10:46 vda Note Added: 0005444
02-27-08 12:15 hawq Note Added: 0005454
02-27-08 12:25 bernhardf Status assigned => closed
02-27-08 12:25 bernhardf Note Added: 0005464
02-27-08 12:25 bernhardf Resolution open => no change required

