Possible global-buffer-overflow in man-generator #60

Closed
mrc0mmand opened this issue Nov 27, 2021 · 1 comment
Spotted while reproducing #59 (also with the latest main - 819a35c).

$ ASAN_OPTIONS=detect_leaks=0 ./configure CFLAGS="-fsanitize=address -g -O0" --enable-debug
$ ASAN_OPTIONS=detect_leaks=0 make -j8
$ export ASAN_OPTIONS=strict_string_checks=1:detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1
$ tools/man-generator --check 
=================================================================
==2134195==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000447bfb at pc 0x00000040a43d bp 0x7ffd60f1a5c0 sp 0x7ffd60f1a5b8
READ of size 1 at 0x000000447bfb thread T0
    #0 0x40a43c in _copy_line /home/fsumsal/repos/lvm2/tools/man-generator.c:1447
    #1 0x40b45d in define_commands /home/fsumsal/repos/lvm2/tools/man-generator.c:1483
    #2 0x418c3c in main /home/fsumsal/repos/lvm2/tools/man-generator.c:4011
    #3 0x7ff203a8955f in __libc_start_call_main (/lib64/libc.so.6+0x2d55f)
    #4 0x7ff203a8960b in __libc_start_main_alias_1 (/lib64/libc.so.6+0x2d60b)
    #5 0x402394 in _start (/home/fsumsal/repos/lvm2/tools/man-generator+0x402394)

0x000000447bfb is located 37 bytes to the left of global variable '*.LC1371' defined in 'man-generator.c' (0x447c20) of size 6
  '*.LC1371' is ascii string '%c%c
'
0x000000447bfb is located 0 bytes to the right of global variable '_command_input' defined in 'command-lines-input.h:16:12' (0x43c820) of size 46043
  '_command_input' is ascii string 'OO_ALL: --commandprofile String, --config String, --debug,
--driverloaded Bool, --help, --nolocking, --lockopt String, --longhelp, --profile String, --quiet,
--verbose, --version, --yes, --test, --devicesfile String, --devices PV, --nohints --journal String
OO_REPORT: --aligned, --all, --binary, --configreport ConfigReport, --foreign,
--ignorelockingfailure, --logonly,
--nameprefixes, --noheadings, --nosuffix,
--options String, --readonly, --reportformat ReportFmt, --rows,
--select String, --separator String, --shared, --sort String,
--unbuffered, --units Units, --unquoted
OO_CONFIG: --atversion String, --typeconfig ConfigType, --file String, --ignoreadvanced,
--ignoreunsupported, --ignorelocal, --list, --mergedconfig, --metadataprofile String,
--sinceversion String, --showdeprecated, --showunsupported, --validate, --withsummary,
--withcomments, --withgeneralpreamble, --withlocalpreamble, --withspaces, --unconfigured, --withversions
OO_LVCHANGE: --autobackup Bool, --force, --ignoremonitoring,
--noudevsync, --reportformat ReportFmt, --select String
OO_LVCHANGE_META: --addtag Tag, --deltag Tag,
--alloc Alloc, --contiguous Bool,
--compression Bool, --deduplication Bool,
--detachprofile, --metadataprofile String, --profile String,
--permission Permission, --readahead Readahead, --setactivationskip Bool,
--setautoactivation Bool, --errorwhenfull Bool, --discards Discards, --zero Bool,
--cachemode CacheMode, --cachepolicy String, --cachesettings String,
--minrecoveryrate SizeKB, --maxrecoveryrate SizeKB,
--writebehind Number, --writemostly WriteMostlyPV, --persistent n
lvchange OO_LVCHANGE_META VG|LV|Tag|Select ...
OO: --activate Active, --poll Bool, --monitor Bool, OO_LVCHANGE
IO: --ignoreskippedcluster
ID: lvchange_properties
DESC: Change a general LV attribute.
DESC: For options listed in parentheses, any one is
DESC: required, after which the others are optional.
RULE: all not lv_is_pvmove lv_is_mirror_log lv_is_mirror_image
RULE: all and lv_is_vg_writable
RULE: --contiguous not --alloc
RULE: --profile not --detachprofile
RULE: --metadataprofile not --detachprofile
RULE: --minrecoveryrate --maxrecoveryrate and LV_raid
RULE: --writebehind --writemostly and LV_raid1
RULE: --cachemode --cachepolicy --cachesettings and LV_cache LV_cachepool LV_writecache
RULE: --errorwhenfull --discards --zero and LV_thinpool
RULE: --permission not lv_is_external_origin lv_is_raid_metadata lv_is_raid_image LV_thinpool
RULE: --alloc --contiguous --metadataprofile --persistent --profile --readahead not lv_is_thick_origin
RULE: --alloc --discards --zero --cachemode --cachepolicy --cachesettings not lv_is_partial
lvchange --resync VG|LV_raid_mirror|Tag|Select ...
OO: --activate Active, OO_LVCHANGE
IO: --ignoreskippedcluster
ID: lvchange_resync
DESC: Resyncronize a mirror or raid LV.
DESC: Use to reset 'R' attribute on a not initially synchronized LV.
RULE: all not lv_is_pvmove lv_is_locked lv_is_raid_with_integrity
RULE: all not LV_raid0
lvchange --syncaction SyncAction VG|LV_raid|Tag|Select ...
OO: OO_LVCHANGE
IO: --ignoreskippedcluster
ID: lvchange_syncaction
DESC: Resynchronize or check a raid LV.
RULE: all not LV_raid0
lvchange --rebuild PV VG|LV_raid|Tag|Select ...
OO: OO_LVCHANGE
IO: --ignoreskippedcluster
ID: lvchange_rebuild
DESC: Reconstruct data on specific PVs of a raid LV.
RULE: all not LV_raid0
lvchange --activate Active VG|LV|Tag|Select ...
OO: --activationmode ActivationMode, --partial, --poll Bool, --monitor Bool,
--ignoreactivationskip, --ignorelockingfailure, --sysinit, --readonly, OO_LVCHANGE
IO: --ignoreskippedcluster
ID: lvchange_activate
DESC: Activate or deactivate an LV.
lvchange --refresh VG|LV|Tag|Select ...
OO: --activationmode ActivationMode, --partial, --poll Bool, --monitor Bool, OO_LVCHANGE
IO: --ignoreskippedcluster
ID: lvchange_refresh
DESC: Reactivate an LV using the latest metadata.
lvchange --monitor Bool VG|LV|TSUMMARY: AddressSanitizer: global-buffer-overflow /home/fsumsal/repos/lvm2/tools/man-generator.c:1447 in _copy_line
Shadow bytes around the buggy address:
  0x000080080f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080080f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080080f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080080f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080080f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080080f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[03]
  0x000080080f80: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080080f90: 00 00 00 00 06 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9
  0x000080080fa0: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080080fb0: 00 00 02 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
  0x000080080fc0: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2134195==ABORTING
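The trace above reports a one-byte READ just past the end of the NUL-terminated global `_command_input` (size 46043) while `_copy_line` copies a line out of it. As an added illustration, not lvm2's own code, the hypothetical `copy_line_safe` below shows the defensive shape of such a copier: it bounds the scan on both the source (stop at '\n' or at the terminating NUL) and the destination, and is exercised by `count_lines` over a constructed buffer in the style of command-lines-input.h whose last line has no trailing newline.

```c
#include <stddef.h>
#include <string.h>

/* Copy one line from a NUL-terminated source into dst (capacity dstlen).
 * The scan stops at '\n' OR at the terminating NUL, so a final line with no
 * trailing newline is copied without reading the byte after the string, and
 * dst is truncated rather than overflowed.  Advances *srcp past the consumed
 * line and returns 1, or returns 0 once no input remains.
 * Hypothetical hardened copier, not lvm2's _copy_line. */
static int copy_line_safe(const char **srcp, char *dst, size_t dstlen)
{
    const char *src = *srcp;
    size_t n = 0;

    if (!src || !*src || !dst || !dstlen)
        return 0;

    /* Checking *src before comparing it to '\n' keeps every read in bounds. */
    while (*src && *src != '\n') {
        if (n + 1 < dstlen)
            dst[n++] = *src;
        src++;
    }
    dst[n] = '\0';

    /* Step over the newline; on NUL stay put so the next call reports EOF. */
    *srcp = (*src == '\n') ? src + 1 : src;
    return 1;
}

/* Constructed sample in the style of command-lines-input.h; the last line
 * deliberately lacks a trailing '\n', the case a newline-seeking copier
 * tends to run past. */
static const char sample_input[] =
    "OO_LVCHANGE: --autobackup Bool, --force\n"
    "lvchange --monitor Bool VG|LV|Tag|Select ...\n"
    "ID: lvchange_monitor";

/* Walk the whole buffer with the copier; returns the number of lines seen
 * (3 for sample_input, the unterminated last line included). */
static int count_lines(const char *src)
{
    char line[128];
    int lines = 0;

    while (copy_line_safe(&src, line, sizeof(line)))
        lines++;
    return lines;
}
```

Building this with `-fsanitize=address` and running it reports nothing, which is the property the report above shows `_copy_line` lacks at line 1447.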
zkabelac commented Feb 7, 2022

zkabelac closed this as completed Feb 7, 2022