[ofa-general] osmtest dies with SIGABRT / buffer overflow
Matthias Blankenhaus
matthias at sgi.com
Mon Aug 25 16:18:03 PDT 2008
Howdy !
I played around with osmtest and got it to a point where I can consistently
crash osmtest. Please, take a look at the following:
OFED-1.3.1
HW: X86_64
OS: SLES10SP2
Here is what I did to crash it:
# osmtest -f c // works fine and creates osmtest.dat
# osmtest -v // crashes ...
STACK TRACE
===========
Aug 22 17:33:35 076768 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Expected and found 0 records
Aug 22 17:33:35 076781 [6FCE12E0] 0x04 -> osmt_get_service_by_id: Getting
service record: id: 0x0000000019494496
Aug 22 17:33:35 076795 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 076925 [6FCE12E0] 0x04 -> osmt_get_service_by_id: Found
service record: name: osmt.srvc.719885380.6244 id: 0x0000000019494496
Aug 22 17:33:35 076939 [6FCE12E0] 0x04 -> osmt_get_service_by_id: Expected
and found 1 records
Aug 22 17:33:35 076951 [6FCE12E0] 0x04 -> osmt_get_service_by_id: Getting
service record: id: 0x00007fff3b7751d0
Aug 22 17:33:35 076964 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077052 [41001940] 0x01 -> __osmv_sa_mad_rcv_cb: ERR 5501:
Remote error:0x0003
Aug 22 17:33:35 077064 [41001940] 0x01 -> osmtest_query_res_cb: ERR 0003:
Error on query (IB_REMOTE_ERROR)
Aug 22 17:33:35 077089 [6FCE12E0] 0x01 -> osmt_get_service_by_id: IS
EXPECTED ERROR ^^^^
Aug 22 17:33:35 077100 [6FCE12E0] 0x04 -> osmt_get_service_by_id: Found
service record: name: id: 0x00007fff3b7751d0
Aug 22 17:33:35 077107 [6FCE12E0] 0x04 -> osmt_get_service_by_id: Expected
and found 0 records
Aug 22 17:33:35 077117 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Getting service record: id: 0x000000006b8b2d03 and name:
osmt.srvc.1804289383.6244
Aug 22 17:33:35 077132 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077235 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Found service record: name: osmt.srvc.1804289383.6244 id:
0x000000006b8b2d03
Aug 22 17:33:35 077248 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Expected and found 1 records
Aug 22 17:33:35 077261 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Getting service record: id: 0x0000000019494496 and name:
osmt.srvc.719885380.6244
Aug 22 17:33:35 077274 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077368 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Found service record: name: osmt.srvc.719885380.6244 id:
0x0000000019494496
Aug 22 17:33:35 077379 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Expected and found 1 records
Aug 22 17:33:35 077391 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Getting service record: id: 0x000000006b8b2d03 and name:
osmt.srvc.1714636912.6244
Aug 22 17:33:35 077404 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077495 [41001940] 0x01 -> __osmv_sa_mad_rcv_cb: ERR 5501:
Remote error:0x0003
Aug 22 17:33:35 077507 [41001940] 0x01 -> osmtest_query_res_cb: ERR 0003:
Error on query (IB_REMOTE_ERROR)
Aug 22 17:33:35 077528 [6FCE12E0] 0x01 -> osmt_get_service_by_id_and_name:
IS EXPECTED ERROR ^^^^
Aug 22 17:33:35 077536 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Found service record: name: osmt.srvc.1714636912.6244 id:
0x000000006b8b2d03
Aug 22 17:33:35 077541 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Expected and found 0 records
Aug 22 17:33:35 077555 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Getting service record: id: 0x000000006633300c and name:
osmt.srvc.424238330.6244
Aug 22 17:33:35 077569 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077655 [41001940] 0x01 -> __osmv_sa_mad_rcv_cb: ERR 5501:
Remote error:0x0003
Aug 22 17:33:35 077664 [41001940] 0x01 -> osmtest_query_res_cb: ERR 0003:
Error on query (IB_REMOTE_ERROR)
Aug 22 17:33:35 077682 [6FCE12E0] 0x01 -> osmt_get_service_by_id_and_name:
IS EXPECTED ERROR ^^^^
Aug 22 17:33:35 077689 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Found service record: name: osmt.srvc.424238330.6244 id:
0x000000006633300c
Aug 22 17:33:35 077694 [6FCE12E0] 0x04 -> osmt_get_service_by_id_and_name:
Expected and found 0 records
Aug 22 17:33:35 077705 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Getting service record: name: osmt.srvc.1957747789.6244
Aug 22 17:33:35 077717 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077810 [41001940] 0x01 -> __osmv_sa_mad_rcv_cb: ERR 5501:
Remote error:0x0003
Aug 22 17:33:35 077819 [41001940] 0x01 -> osmtest_query_res_cb: ERR 0003:
Error on query (IB_REMOTE_ERROR)
Aug 22 17:33:35 077831 [6FCE12E0] 0x01 -> osmt_get_service_by_name: IS
EXPECTED ERROR ^^^^
Aug 22 17:33:35 077839 [6FCE12E0] 0x04 -> osmt_get_service_by_name: Found
service record: name: osmt.srvc.1957747789.6244 id: 0x0900000000000000
Aug 22 17:33:35 077846 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Expected and found 0 records
Aug 22 17:33:35 077857 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Getting service record: name: osmt.srvc.424238330.6244
Aug 22 17:33:35 077869 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 077958 [41001940] 0x01 -> __osmv_sa_mad_rcv_cb: ERR 5501:
Remote error:0x0003
Aug 22 17:33:35 077970 [41001940] 0x01 -> osmtest_query_res_cb: ERR 0003:
Error on query (IB_REMOTE_ERROR)
Aug 22 17:33:35 077983 [6FCE12E0] 0x01 -> osmt_get_service_by_name: IS
EXPECTED ERROR ^^^^
Aug 22 17:33:35 077992 [6FCE12E0] 0x04 -> osmt_get_service_by_name: Found
service record: name: osmt.srvc.424238330.6244 id: 0x0900000000000000
Aug 22 17:33:35 077997 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Expected and found 0 records
Aug 22 17:33:35 078007 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Getting service record: name: osmt.srvc.719885380.6244
Aug 22 17:33:35 078020 [6FCE12E0] 0x04 -> osm_vendor_send: RMPP 0 length
256
Aug 22 17:33:35 078120 [6FCE12E0] 0x04 -> osmt_get_service_by_name: Found
service record: name: osmt.srvc.719885380.6244 id: 0x0000000019494496
Aug 22 17:33:35 078132 [6FCE12E0] 0x04 -> osmt_get_service_by_name:
Expected and found 1 records
*** buffer overflow detected ***: /usr/sbin/osmtest terminated
Aug 22 17:33:35 079046 [41001940] 0x01 -> umad_receiver: ERR 5404: recv
error on MAD sized umad (Interrupted system call)
Aug 22 17:33:35 080420 [41001940] 0x01 -> umad_receiver: ERR 5404: recv
error on MAD sized umad (Interrupted system call)
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x2b366fb7231f]
/lib64/libc.so.6[0x2b366fb71859]
/lib64/libc.so.6(_IO_default_xsputn+0x8e)[0x2b366fb09d0e]
/lib64/libc.so.6(_IO_padn+0x9b)[0x2b366fafe60b]
/lib64/libc.so.6(_IO_vfprintf+0x1467)[0x2b366fae2157]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x2b366fb718fd]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x2b366fb71840]
/usr/sbin/osmtest[0x40fa51]
/usr/sbin/osmtest[0x4110e4]
/usr/sbin/osmtest[0x40cf13]
/usr/sbin/osmtest[0x402821]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b366fabd184]
/usr/sbin/osmtest[0x401d79]
======= Memory map: ========
00400000-00428000 r-xp 00000000 08:06 668362
/usr/sbin/osmtest
00528000-00529000 rw-p 00028000 08:06 668362
/usr/sbin/osmtest
00529000-005f0000 rw-p 00529000 00:00 0
[heap]
40000000-40001000 ---p 40000000 00:00 0
40001000-40801000 rw-p 40001000 00:00 0
40801000-40802000 ---p 40801000 00:00 0
40802000-41002000 rw-p 40802000 00:00 0
2aaaaaade000-2aaaaaaeb000 r-xp 00000000 08:06 536874380
/lib64/libgcc_s.so.1
2aaaaaaeb000-2aaaaabea000 ---p 0000d000 08:06 536874380
/lib64/libgcc_s.so.1
2aaaaabea000-2aaaaabeb000 rw-p 0000c000 08:06 536874380
/lib64/libgcc_s.so.1
2b366f330000-2b366f34b000 r-xp 00000000 08:06 536874326
/lib64/ld-2.4.so
2b366f34b000-2b366f34d000 rw-p 2b366f34b000 00:00 0
2b366f44a000-2b366f44c000 rw-p 0001a000 08:06 536874326
/lib64/ld-2.4.so
2b366f44c000-2b366f44f000 r-xp 00000000 08:06 612666
/usr/lib64/libibcommon.so.1.0.0
2b366f44f000-2b366f54e000 ---p 00003000 08:06 612666
/usr/lib64/libibcommon.so.1.0.0
2b366f54e000-2b366f54f000 rw-p 00002000 08:06 612666
/usr/lib64/libibcommon.so.1.0.0
2b366f54f000-2b366f55e000 r-xp 00000000 08:06 642309
/usr/lib64/libopensm.so.1.1.0
2b366f55e000-2b366f65e000 ---p 0000f000 08:06 642309
/usr/lib64/libopensm.so.1.1.0
2b366f65e000-2b366f660000 rw-p 0000f000 08:06 642309
/usr/lib64/libopensm.so.1.1.0
2b366f660000-2b366f66c000 r-xp 00000000 08:06 642311
/usr/lib64/libosmcomp.so.2.0.4
2b366f66c000-2b366f76c000 ---p 0000c000 08:06 642311
/usr/lib64/libosmcomp.so.2.0.4
2b366f76c000-2b366f76d000 rw-p 0000c000 08:06 642311
/usr/lib64/libosmcomp.so.2.0.4
2b366f76d000-2b366f774000 r-xp 00000000 08:06 642312
/usr/lib64/libosmvendor.so.2.0.0
2b366f774000-2b366f874000 ---p 00007000 08:06 642312
/usr/lib64/libosmvendor.so.2.0.0
2b366f874000-2b366f875000 rw-p 00007000 08:06 642312
/usr/lib64/libosmvendor.so.2.0.0
2b366f875000-2b366f876000 rw-p 2b366f875000 00:00 0
2b366f876000-2b366f87b000 r-xp 00000000 08:06 613219
/usr/lib64/libibumad.so.1.0.3
2b366f87b000-2b366f97a000 ---p 00005000 08:06 613219
/usr/lib64/libibumad.so.1.0.3
2b366f97a000-2b366f97b000 rw-p 00004000 08:06 613219
/usr/lib64/libibumad.so.1.0.3
2b366f97b000-2b366f97c000 rw-p 2b366f97b000 00:00 0
2b366f987000-2b366f99b000 r-xp 00000000 08:06 536874401
/lib64/libpthread-2.4.so
2b366f99b000-2b366fa9a000 ---p 00014000 08:06 536874401
/lib64/libpthread-2.4.so
2b366fa9a000-2b366fa9c000 rw-p 00013000 08:06 536874401
/lib64/libpthread-2.4.so
2b366fa9c000-2b366faa0000 rw-p 2b366fa9c000 00:00 0
2b366faa0000-2b366fbd6000 r-xp 00000000 08:06 536874368
/lib64/libc-2.4.so
2b366fbd6000-2b366fcd6000 ---p 00136000 08:06 536874368
/lib64/libc-2.4.so
2b366fcd6000-2b366fcd9000 r--p 00136000 08:06 536874368
/lib64/libc-2.4.so
2b366fcd9000-2b366fcdb000 rw-p 00139000 08:06 536874368
/lib64/libc-2.4.so
2b366fcdb000-2b366fce2000 rw-p 2b366fcdb000 00:00 0
7fff3b765000-7fff3b77a000 rw-p 7fff3b765000 00:00 0
[stack]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0
[vdso]
Program received signal SIGABRT, Aborted.
[Switching to Thread 47512804004576 (LWP 6244)]
0x00002b366facfbb5 in raise () from /lib64/libc.so.6
(gdb) where
#0 0x00002b366facfbb5 in raise () from /lib64/libc.so.6
#1 0x00002b366fad0fb0 in abort () from /lib64/libc.so.6
#2 0x00002b366fb0632b in __libc_message () from /lib64/libc.so.6
#3 0x00002b366fb7231f in __chk_fail () from /lib64/libc.so.6
#4 0x00002b366fb71859 in _IO_str_chk_overflow () from /lib64/libc.so.6
#5 0x00002b366fb09d0e in _IO_default_xsputn_internal () from
/lib64/libc.so.6
#6 0x00002b366fafe60b in _IO_padn_internal () from /lib64/libc.so.6
#7 0x00002b366fae2157 in vfprintf () from /lib64/libc.so.6
#8 0x00002b366fb718fd in __vsprintf_chk () from /lib64/libc.so.6
#9 0x00002b366fb71840 in __sprintf_chk () from /lib64/libc.so.6
#10 0x000000000040fa51 in osmt_get_service_by_name_and_key
(p_osmt=0x528680,
sr_name=0x7fff3b774f40 "osmt.srvc.424238330.6244", rec_num=0,
skey=0x7fff3b7751a0 "", p_out_rec=0x7fff3b775080)
at osmt_service.c:755
#11 0x00000000004110e4 in osmt_run_service_records_flow (p_osmt=0x528680)
at osmt_service.c:1571
#12 0x000000000040cf13 in osmtest_run (p_osmt=0x1864) at osmtest.c:7877
#13 0x0000000000402821 in main (argc=<value optimized out>,
argv=0x7fff3b778a38) at main.c:615
Further investigation shows:
(gdb) where
#0 0x00002b366facfbb5 in raise () from /lib64/libc.so.6
#1 0x00002b366fad0fb0 in abort () from /lib64/libc.so.6
#2 0x00002b366fb0632b in __libc_message () from /lib64/libc.so.6
#3 0x00002b366fb7231f in __chk_fail () from /lib64/libc.so.6
#4 0x00002b366fb71859 in _IO_str_chk_overflow () from /lib64/libc.so.6
#5 0x00002b366fb09d0e in _IO_default_xsputn_internal () from /lib64/libc.so.6
#6 0x00002b366fafe60b in _IO_padn_internal () from /lib64/libc.so.6
#7 0x00002b366fae2157 in vfprintf () from /lib64/libc.so.6
#8 0x00002b366fb718fd in __vsprintf_chk () from /lib64/libc.so.6
#9 0x00002b366fb71840 in __sprintf_chk () from /lib64/libc.so.6
#10 0x000000000040fa51 in osmt_get_service_by_name_and_key (p_osmt=0x528680,
sr_name=0x7fff3b774f40 "osmt.srvc.424238330.6244", rec_num=0, skey=0x7fff3b7751a0 "", p_out_rec=0x7fff3b775080)
at osmt_service.c:755
#11 0x00000000004110e4 in osmt_run_service_records_flow (p_osmt=0x528680) at osmt_service.c:1571
#12 0x000000000040cf13 in osmtest_run (p_osmt=0x1864) at osmtest.c:7877
#13 0x0000000000402821 in main (argc=<value optimized out>, argv=0x7fff3b778a38) at main.c:615
(gdb) up
#1 0x00002b366fad0fb0 in abort () from /lib64/libc.so.6
(gdb) up
#2 0x00002b366fb0632b in __libc_message () from /lib64/libc.so.6
(gdb) up
#3 0x00002b366fb7231f in __chk_fail () from /lib64/libc.so.6
(gdb) up
#4 0x00002b366fb71859 in _IO_str_chk_overflow () from /lib64/libc.so.6
(gdb) up
#5 0x00002b366fb09d0e in _IO_default_xsputn_internal () from /lib64/libc.so.6
(gdb) up
#6 0x00002b366fafe60b in _IO_padn_internal () from /lib64/libc.so.6
(gdb) up
#7 0x00002b366fae2157 in vfprintf () from /lib64/libc.so.6
(gdb) up
#8 0x00002b366fb718fd in __vsprintf_chk () from /lib64/libc.so.6
(gdb) up
#9 0x00002b366fb71840 in __sprintf_chk () from /lib64/libc.so.6
(gdb) up
#10 0x000000000040fa51 in osmt_get_service_by_name_and_key (p_osmt=0x528680,
sr_name=0x7fff3b774f40 "osmt.srvc.424238330.6244", rec_num=0,
skey=0x7fff3b7751a0 "", p_out_rec=0x7fff3b775080)
at osmt_service.c:755
Finally, looking at the code it looks like we have a buffer length
problem:
ofed/opensm/opensm-3.1.10.sgi/osmtest/osmt_service.c:
736 osmt_get_service_by_name_and_key(IN osmtest_t * const p_osmt,
737 IN char *sr_name,
738 IN uint32_t rec_num,
739 IN uint8_t * skey,
740 OUT ib_service_record_t * p_out_rec)
741 {
742
743 ib_api_status_t status = IB_SUCCESS;
744 osmtest_req_context_t context;
745 osmv_query_req_t req;
746 ib_service_record_t svc_rec, *p_rec;
747 uint32_t num_recs = 0, i;
748 osmv_user_query_t user;
749
750 OSM_LOG_ENTER(&p_osmt->log, osmt_get_service_by_name_and_key);
751
752 if (osm_log_is_active(&p_osmt->log, OSM_LOG_VERBOSE)) {
753 char buf_service_key[33];
754
755 sprintf(buf_service_key,
756 "0x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
757 skey[0], skey[1], skey[2], skey[3], skey[4], skey[5],
758 skey[6], skey[7], skey[8], skey[9], skey[10], skey[11],
759 skey[12], skey[13], skey[14], skey[15]);
...
The local variable 'buf_service_key' is 33 bytes long: 0..32. However,
the format string from sprintf() is 2*16+2=34 bytes long. Thus we arrive
at a buffer overflow. Not knowing much about this code the fix seems
obvious: crank up the size of buf_service_key to 34.
Cheers,
Matthias
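Editor's worked example (added here; not osmtest's code and not part of the post above). The format string at osmt_service.c:755 emits "0x" plus 16 bytes rendered as two hex digits each, i.e. 34 characters, and sprintf() then writes a terminating NUL, so the destination needs 35 bytes; the "*** buffer overflow detected ***" message and the __sprintf_chk / __chk_fail frames in the backtrace are glibc's FORTIFY_SOURCE check catching that extra write into the 33-byte stack array. The code below makes the size arithmetic explicit, replaces the unbounded sprintf() with snprintf() so a too-small buffer yields a detectable truncation instead of a stack write, and generalises the size rule to an n-byte key. The names format_service_key, service_key_buf_size, render_truncated, render_sample and the constructed SAMPLE_KEY are this example's own, not identifiers from osmtest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Output of the osmtest format string: "0x" + 16 bytes * 2 hex digits. */
#define SERVICE_KEY_LEN      16
#define SERVICE_KEY_STR_LEN  (2 + 2 * SERVICE_KEY_LEN)   /* 34 characters */
#define SERVICE_KEY_BUF_SIZE (SERVICE_KEY_STR_LEN + 1)   /* 35 bytes incl. NUL */

/* General rule: bytes needed to render an n-byte key as "0x" + hex + NUL. */
size_t service_key_buf_size(size_t keylen)
{
    return 2 + 2 * keylen + 1;
}

/*
 * Bounded replacement for the sprintf() at osmt_service.c:755 (hypothetical
 * helper, not osmtest's code). snprintf() never writes past dst[dstlen - 1]
 * and returns the length the full rendering needs, so the caller can detect
 * truncation instead of overrunning the stack buffer.
 */
int format_service_key(char *dst, size_t dstlen,
                       const uint8_t skey[SERVICE_KEY_LEN])
{
    return snprintf(dst, dstlen,
                    "0x%02x%02x%02x%02x%02x%02x%02x%02x"
                    "%02x%02x%02x%02x%02x%02x%02x%02x",
                    skey[0], skey[1], skey[2], skey[3],
                    skey[4], skey[5], skey[6], skey[7],
                    skey[8], skey[9], skey[10], skey[11],
                    skey[12], skey[13], skey[14], skey[15]);
}

/* Constructed sample key (not taken from the report): bytes 0x00 .. 0x0f. */
const uint8_t SAMPLE_KEY[SERVICE_KEY_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};

/* Render SAMPLE_KEY into a dstlen-byte destination; returns 1 if truncated. */
int render_truncated(size_t dstlen)
{
    char dst[64];
    int needed;

    if (dstlen > sizeof dst)
        dstlen = sizeof dst;
    needed = format_service_key(dst, dstlen, SAMPLE_KEY);
    return (size_t)needed >= dstlen;   /* full output did not fit */
}

/* Same rendering, returned as a string so the result can be inspected. */
const char *render_sample(size_t dstlen)
{
    static char dst[64];

    memset(dst, '#', sizeof dst);        /* canary fill: untouched bytes stay '#' */
    dst[sizeof dst - 1] = '\0';
    if (dstlen > sizeof dst - 1)
        dstlen = sizeof dst - 1;
    format_service_key(dst, dstlen, SAMPLE_KEY);
    return dst;
}

int main(void)
{
    size_t sizes[] = { 33, 34, 35 };   /* original size, proposed fix, required */
    size_t i;

    printf("full rendering needs %d chars + NUL = %zu bytes\n",
           format_service_key(NULL, 0, SAMPLE_KEY),
           service_key_buf_size(SERVICE_KEY_LEN));
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("buffer of %zu bytes: %s -> \"%s\"\n", sizes[i],
               render_truncated(sizes[i]) ? "truncated" : "ok",
               render_sample(sizes[i]));
    return 0;
}
```

Running it shows that both a 33-byte and a 34-byte destination lose trailing hex digits, while 35 bytes hold the complete string; declaring the local as `char buf_service_key[SERVICE_KEY_BUF_SIZE]` and passing `sizeof buf_service_key` to snprintf() ties the buffer size to the format so the two cannot drift apart again.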