Bug 45205 - intel_bios_reader Segmentation fault
Summary: intel_bios_reader Segmentation fault
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Driver/intel (show other bugs)
Version: unspecified
Hardware: All Linux (All)
Importance: medium minor
Assignee: Chris Wilson
QA Contact: Xorg Project Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-24 22:55 UTC by Bryce Harrington
Modified: 2012-01-25 02:17 UTC (History)
CC List: 0 users

See Also:
i915 platform:
i915 features:


Attachments

Description Bryce Harrington 2012-01-24 22:55:04 UTC
Forwarding this bug report from Launchpad reporter Emanuel Bronshtein:
https://bugs.launchpad.net/ubuntu/+source/intel-gpu-tools/+bug/783716

(This is kind of a corner case and perhaps not worth fixing, but someone apparently ran into it, so forwarding it here for consideration.)

[Problem]
/usr/bin/intel_bios_reader crashes when given the intel_bios_reader binary as its parameter.

[test case]
emanuel@emanuel-desktop:/tmp$ md5sum /usr/bin/intel_bios_reader
7277594a2b9588909844115afd36e5ee /usr/bin/intel_bios_reader
emanuel@emanuel-desktop:/tmp$ intel_bios_reader /usr/bin/intel_bios_reader
VBT vers: 295.45
Segmentation fault

Under GDB:
Program received signal SIGSEGV, Segmentation fault.
*__GI_strncpy (s1=0xbffff3ea "\377\277)\241\004\b$#*",
    s2=0xd8540589 <Address 0xd8540589 out of bounds>, n=16) at strncpy.c:42
42 strncpy.c: No such file or directory.
 in strncpy.c

The call to strncpy:
 strncpy(signature, (char *)bdb->signature, 16);

After compiling from source code and running under GDB:
(gdb) p bdb->signature
Cannot access memory at address 0xd8540589



Still affects current git head.
(gdb) run ./tools/intel_bios_reader
Starting program: /home/bryce/src/intel-gpu-tools-1.1/tools/intel_bios_reader ./tools/intel_bios_reader
VBT vers: 295.45

Program received signal SIGSEGV, Segmentation fault.
0x001ab21c in strncpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt full
#0 0x001ab21c in strncpy () from /lib/i386-linux-gnu/libc.so.6
No symbol table info available.
#1 0x0804ab16 in main (argc=2, argv=0xbffff274) at intel_bios_reader.c:903
        fd = 7
        vbt = 0xb7ff6f84
        vbt_off = 16260
        bdb_off = 1981846470
        i = 16260
        filename = 0xbffff40d "./tools/intel_bios_reader"
        finfo = {st_dev = 2049, __pad1 = 0, st_ino = 5382091, st_mode = 33277, st_nlink = 1,
          st_uid = 1000, st_gid = 1000, st_rdev = 0, __pad2 = 0, st_size = 41780, st_blksize = 4096,
          st_blocks = 88, st_atim = {tv_sec = 1327433593, tv_nsec = 136981917}, st_mtim = {
            tv_sec = 1327426685, tv_nsec = 802744723}, st_ctim = {tv_sec = 1327426685,
            tv_nsec = 802744723}, __unused4 = 0, __unused5 = 0}
        block = 0x0
        signature = "\000$\303*\000\364\277*\000U<\026\000i\254\004\b"
        devid_string = 0x0

The code has a check to look for a VBT signature; presumably the intel_bios_reader executable has this signature included in it?
Comment 1 Chris Wilson 2012-01-25 02:17:29 UTC
commit 1ffe6b0ee8decc02edb48ab197a869e1d7783a2b
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Wed Jan 25 10:11:49 2012 +0000

    intel_bios_reader: Sanitize input to ensure all data blocks are within bound
    
    Running intel_bios_reader upon itself causes the reader to crash and
    burn. It obviously finds a VBT signature inside the binary, but then
    does not rigorously check that all data blocks are valid before
    dereferencing them.
    
    Reported-by: Emanuel Bronshtein
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=45205
    Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

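As an added illustration, not part of this bug's attachments and not intel-gpu-tools code: a self-contained C model of the two parsing paths. The reader takes vbt->bdb_offset, a u32 that comes straight from the file, and adds it to vbt_off; run on its own binary that sum is the bdb_off of 1981846470 in the backtrace above, against a 41780-byte mapping, so the strncpy() of bdb->signature reads far outside the file. The checked functions below validate the VBT header, the BDB header and every data block against the file length before anything is dereferenced, which is the shape of check the commit message describes. Struct layouts follow i915's intel_bios.h; the 98-byte sample file, the VBT/BDB sizes in it and the helper names (find_vbt, locate_bdb, walk_bdb_blocks, build_sample, run_case) are assumptions made for this example.

```c
/* Added example, not intel-gpu-tools code: the unchecked vbt_off + bdb_offset arithmetic behind
 * this crash beside a bounds-checked BDB locator and data-block walker.  Struct layouts follow
 * i915's intel_bios.h; the sample buffers are constructed here, not real video BIOS images. */
#include <stdint.h>
#include <string.h>

#define VBT_SIGNATURE "$VBT"
#define BDB_SIGNATURE "BIOS_DATA_BLOCK"
#define FILE_LEN 98                              /* size of the constructed sample file */

struct vbt_header {
	char signature[20];                          /* starts with "$VBT" */
	uint16_t version, header_size, vbt_size;     /* version 29545 prints as "295.45" */
	uint8_t vbt_checksum, reserved0;
	uint32_t bdb_offset;                         /* from start of VBT, straight from the file */
	uint32_t aim_offset[4];
} __attribute__((packed));

struct bdb_header {
	char signature[16];                          /* "BIOS_DATA_BLOCK" */
	uint16_t version, header_size, bdb_size;     /* bdb_size: header plus all data blocks */
} __attribute__((packed));

/* Signature scan as the reader does it: any file containing "$VBT" (its own binary does) passes. */
static long find_vbt(const uint8_t *buf, size_t len)
{
	for (size_t i = 0; i + 4 <= len; i++)
		if (!memcmp(buf + i, VBT_SIGNATURE, 4))
			return (long)i;
	return -1;
}

/* Checked path: validate every offset and size against the file length before reading through
 * it; the original went from vbt->bdb_offset straight to strncpy().  Returns BDB offset or -1. */
static long locate_bdb(const uint8_t *buf, size_t len, size_t vbt_off)
{
	const struct bdb_header *bdb;
	uint64_t off;
	if (vbt_off > len || len - vbt_off < sizeof(struct vbt_header))
		return -1;                                   /* VBT header truncated */
	off = (uint64_t)vbt_off + ((const struct vbt_header *)(buf + vbt_off))->bdb_offset;
	if (off > len || len - off < sizeof(*bdb))           /* 64-bit sum: cannot wrap on i386 */
		return -1;                                   /* BDB header outside the file */
	bdb = (const void *)(buf + off);
	if (memcmp(bdb->signature, BDB_SIGNATURE, strlen(BDB_SIGNATURE)) ||
	    bdb->header_size < sizeof(*bdb) || bdb->bdb_size < bdb->header_size ||
	    off + bdb->bdb_size > len)
		return -1;                                   /* bad signature, or blocks past EOF */
	return (long)off;
}

/* Walk the data blocks (u8 id, u16 size, payload) of a BDB that locate_bdb() accepted, refusing
 * any block that would run past bdb_size.  Returns the block count or -1. */
static int walk_bdb_blocks(const uint8_t *buf, size_t bdb_off)
{
	const struct bdb_header *bdb = (const void *)(buf + bdb_off);
	size_t pos = bdb_off + bdb->header_size, end = bdb_off + bdb->bdb_size;
	int count = 0;
	while (pos < end) {
		uint16_t size;
		if (end - pos < 3)
			return -1;                           /* block header truncated */
		memcpy(&size, buf + pos + 1, sizeof(size));
		if (end - pos - 3 < size)
			return -1;                           /* payload overruns the BDB */
		pos += 3 + size;
		count++;
	}
	return count;
}

/* Constructed 98-byte "file": 16 junk bytes, VBT header at 16, BDB header at 64, then two data
 * blocks (id 1 with a 4-byte payload; id 2 with whatever size the caller asks for). */
static void build_sample(uint8_t *buf, uint32_t bdb_offset, uint16_t bdb_size, uint16_t blk2)
{
	struct vbt_header vbt = { .signature = VBT_SIGNATURE, .version = 29545,
				  .header_size = 48, .vbt_size = 82, .bdb_offset = bdb_offset };
	struct bdb_header bdb = { .signature = BDB_SIGNATURE, .version = 1,
				  .header_size = 22, .bdb_size = bdb_size };
	uint16_t blk1 = 4;
	memset(buf, 0xcc, FILE_LEN);
	memcpy(buf + 16, &vbt, sizeof(vbt));
	memcpy(buf + 64, &bdb, sizeof(bdb));
	buf[86] = 1; memcpy(buf + 87, &blk1, 2);             /* block 1, payload at 89..92 */
	buf[93] = 2; memcpy(buf + 94, &blk2, 2);             /* block 2, payload at 96..97 */
}

/* Both paths over one constructed file.  unchecked: the offset the original code dereferenced.
 * checked: -2 if the BDB header is rejected, -1 if a data block is out of bounds, else block count. */
struct verdict { uint64_t unchecked; int checked; };
static struct verdict run_case(uint32_t bdb_offset, uint16_t bdb_size, uint16_t blk2)
{
	uint8_t buf[FILE_LEN];
	build_sample(buf, bdb_offset, bdb_size, blk2);
	size_t vbt_off = (size_t)find_vbt(buf, FILE_LEN);     /* always 16 for this sample */
	long bdb_off = locate_bdb(buf, FILE_LEN, vbt_off);
	struct verdict v = { (uint64_t)vbt_off + ((const struct vbt_header *)(buf + vbt_off))->bdb_offset,
			     bdb_off < 0 ? -2 : walk_bdb_blocks(buf, (size_t)bdb_off) };
	return v;
}
```

Called from a main() of your own, run_case(48, 34, 2) accepts the sample and counts two data blocks, while the backtrace's bdb_offset of 1981830210 (bdb_off minus vbt_off) is rejected at the BDB-header check; the unchecked target for this 16-byte-prefixed sample is 1981830226. A bdb_offset of 0xfffffff0 shows why the sum is done in 64 bits: added to vbt_off in 32-bit arithmetic it wraps back to a small offset inside the mapping that a length check alone would accept. An oversized bdb_size and a data block whose size runs past bdb_size are caught by locate_bdb() and walk_bdb_blocks() respectively.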
