Bug 22878

Summary: ck-get-x11-display-device crashes on startup
Product: ConsoleKit Reporter: Ray Strode <halfline>
Component: Daemon Assignee: william.jon.mccann
Status: RESOLVED NOTOURBUG QA Contact:
Severity: normal    
Priority: medium CC: kmaraas
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Ray Strode 2009-07-21 13:41:15 UTC
Kjartan is seeing a nasty crash with ck-get-x11-display-device that busts his session.

[kmaraas@nc6400 ~]$ /usr/libexec/ck-get-x11-display-device
*** buffer overflow detected ***: /usr/libexec/ck-get-x11-display-device terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0xad119d]
/lib/libc.so.6[0xacf26a]
/lib/libc.so.6(__strncpy_chk+0x176)[0xace856]
/usr/libexec/ck-get-x11-display-device[0x804a6d0]
/usr/libexec/ck-get-x11-display-device[0x804aad5]
/usr/libexec/ck-get-x11-display-device[0x8049151]
/lib/libc.so.6(__libc_start_main+0xe6)[0x9efb26]
/usr/libexec/ck-get-x11-display-device[0x8048fc1]
======= Memory map: ========
00101000-0011d000 r-xp 00000000 08:03 385913 /usr/lib/libxcb.so.1.1.0
0011d000-0011e000 rw-p 0001c000 08:03 385913 /usr/lib/libxcb.so.1.1.0
0035a000-00384000 r-xp 00000000 08:03 311647 /lib/libgcc_s-4.4.0-20090717.so.1
00384000-00385000 rw-p 0002a000 08:03 311647 /lib/libgcc_s-4.4.0-20090717.so.1
007f9000-007fa000 r-xp 00000000 00:00 0 [vdso]
009b5000-009d5000 r-xp 00000000 08:03 318060 /lib/ld-2.10.90.so
009d5000-009d6000 r--p 0001f000 08:03 318060 /lib/ld-2.10.90.so
009d6000-009d7000 rw-p 00020000 08:03 318060 /lib/ld-2.10.90.so
009d9000-00b4e000 r-xp 00000000 08:03 318061 /lib/libc-2.10.90.so
00b4e000-00b4f000 ---p 00175000 08:03 318061 /lib/libc-2.10.90.so
00b4f000-00b51000 r--p 00175000 08:03 318061 /lib/libc-2.10.90.so
00b51000-00b52000 rw-p 00177000 08:03 318061 /lib/libc-2.10.90.so
00b52000-00b55000 rw-p 00000000 00:00 0
00b83000-00b86000 r-xp 00000000 08:03 318065 /lib/libdl-2.10.90.so
00b86000-00b87000 r--p 00002000 08:03 318065 /lib/libdl-2.10.90.so
00b87000-00b88000 rw-p 00003000 08:03 318065 /lib/libdl-2.10.90.so
00be9000-00cd1000 r-xp 00000000 08:03 320237 /lib/libglib-2.0.so.0.2104.0
00cd1000-00cd2000 rw-p 000e8000 08:03 320237 /lib/libglib-2.0.so.0.2104.0
00d0d000-00d0f000 r-xp 00000000 08:03 6555524 /usr/lib/libXau.so.6.0.0
00d0f000-00d10000 rw-p 00001000 08:03 6555524 /usr/lib/libXau.so.6.0.0
06205000-06338000 r-xp 00000000 08:03 385914 /usr/lib/libX11.so.6.2.0
06338000-0633b000 rw-p 00133000 08:03 385914 /usr/lib/libX11.so.6.2.0
0633b000-0633c000 rw-p 00000000 00:00 0
08048000-0804c000 r-xp 00000000 08:03 388002 /usr/libexec/ck-get-x11-display-device
0804c000-0804d000 rw-p 00003000 08:03 388002 /usr/libexec/ck-get-x11-display-device
08d09000-08d2a000 rw-p 00000000 00:00 0 [heap]
b809b000-b809e000 rw-p 00000000 00:00 0
b80c4000-b80cb000 r--s 00000000 08:03 52165 /usr/lib/gconv/gconv-modules.cache
bfc00000-bfc15000 rw-p 00000000 00:00 0 [stack]
Avbrutt (SIGABRT)
Comment 1 Ray Strode 2009-07-21 13:43:30 UTC
There is only one place in the code that does strncpy:

load_drivers (void)
...

strncpy (tmn->name, p, len);

name is a fixed size 16 byte buffer, p is path pulled from /proc/tty/drivers.
Comment 2 Ray Strode 2009-07-21 14:43:41 UTC
Kjartan's /proc/tty/drivers is:

[kmaraas@nc6400 ~]$ cat /proc/tty/drivers 
/dev/tty             /dev/tty        5       0 system:/dev/tty
/dev/console         /dev/console    5       1 system:console
/dev/ptmx            /dev/ptmx       5       2 system
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
serial               /dev/ttyS       4 64-95 serial
pty_slave            /dev/pts      136 0-1048575 pty:slave
pty_master           /dev/ptm      128 0-1048575 pty:master
unknown              /dev/tty        4 1-63 console

Which is the same as mine, so it's not immediately clear to me why it would be triggering an overflow for him and not for me.

Also, none of the filenames in the second column are more than 16 bytes.
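Added example, not ConsoleKit's code: a small parser for the /proc/tty/drivers format discussed in comments 1 and 2 that copies the second column (the device path) into a 16-byte name field, as the report describes, but checks the length against the destination before copying instead of handing strncpy a length taken from the input. The struct, function and field names are assumptions for illustration; the sample input embeds the lines quoted above plus one constructed line whose path is too long, so the example shows the copy being refused rather than overflowing. (The report's own crash turned out to be a false positive from a gcc bug rather than an over-long path, but the bounded copy is the check a reviewer would expect either way.)

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size name field, 16 bytes as described in comment 1 (assumed layout). */
#define TTY_NAME_LEN 16

struct tty_map_node {
    char name[TTY_NAME_LEN];   /* device path from column 2, NUL-terminated */
    int  major;
    int  minor_first;
    int  minor_last;
};

/* Parse one /proc/tty/drivers line: "<driver> <path> <major> <minor>[-<minor>] <type>".
 * Returns 0 on success, -1 if the line is malformed or the path would not fit
 * in node->name together with its terminating NUL. */
static int parse_driver_line(const char *line, struct tty_map_node *node)
{
    char driver[64], path[128];
    int major, lo, hi;
    int n = sscanf(line, "%63s %127s %d %d-%d", driver, path, &major, &lo, &hi);

    if (n == 4)            /* single minor number, e.g. "5 0" */
        hi = lo;
    else if (n != 5)
        return -1;

    /* The bounds check that an unconditional strncpy(name, p, len) lacks:
     * refuse anything that does not leave room for the NUL terminator. */
    size_t len = strlen(path);
    if (len >= sizeof node->name)
        return -1;

    memcpy(node->name, path, len + 1);
    node->major = major;
    node->minor_first = lo;
    node->minor_last = hi;
    return 0;
}

/* Parse every line of text into out[]; returns the number accepted and
 * counts lines that were refused in *rejected. */
static int load_drivers_from_text(const char *text, struct tty_map_node *out,
                                  int max, int *rejected)
{
    int count = 0;
    const char *line = text;
    *rejected = 0;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];

        if (linelen >= sizeof buf) {
            (*rejected)++;
        } else {
            memcpy(buf, line, linelen);
            buf[linelen] = '\0';
            if (count < max && parse_driver_line(buf, &out[count]) == 0)
                count++;
            else
                (*rejected)++;
        }
        line = nl ? nl + 1 : line + linelen;
    }
    return count;
}

/* Constructed sample: the content quoted in comment 2, plus one made-up
 * line whose device path is longer than the 16-byte field. */
static const char SAMPLE_DRIVERS[] =
    "/dev/tty             /dev/tty        5       0 system:/dev/tty\n"
    "/dev/console         /dev/console    5       1 system:console\n"
    "/dev/ptmx            /dev/ptmx       5       2 system\n"
    "/dev/vc/0            /dev/vc/0       4       0 system:vtmaster\n"
    "serial               /dev/ttyS       4 64-95 serial\n"
    "pty_slave            /dev/pts      136 0-1048575 pty:slave\n"
    "pty_master           /dev/ptm      128 0-1048575 pty:master\n"
    "unknown              /dev/tty        4 1-63 console\n"
    "bogus                /dev/a-path-that-is-too-long 250 0 bogus\n";

int main(void)
{
    struct tty_map_node nodes[16];
    int rejected;
    int n = load_drivers_from_text(SAMPLE_DRIVERS, nodes, 16, &rejected);

    printf("accepted %d entries, rejected %d\n", n, rejected);
    for (int i = 0; i < n; i++)
        printf("%-15s major %3d minors %d-%d\n", nodes[i].name,
               nodes[i].major, nodes[i].minor_first, nodes[i].minor_last);
    return 0;
}
```

Run against the sample, the eight real lines are accepted (the longest path, /dev/console, is 12 bytes) and the constructed over-long line is rejected before any copy takes place; with _FORTIFY_SOURCE the original strncpy path would instead have reached __strncpy_chk and aborted, which is exactly the backtrace in the description.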
Comment 3 Ray Strode 2009-07-22 07:25:44 UTC
This was actually a transient gcc bug.  See:

http://gcc.gnu.org/ml/gcc-patches/2009-06/msg01130.html

and 

https://bugzilla.redhat.com/show_bug.cgi?id=506099
