https://bugzilla.samba.org/show_bug.cgi?id=7869 Summary: rsync segfault Product: rsync Version: 3.0.7 Platform: x64 OS/Version: Linux Status: NEW Severity: minor Priority: P3 Component: core AssignedTo: wayned at samba.org ReportedBy: rafa.silva at gmail.com QAContact: rsync-qa at samba.org Hi, In my analysis (fuzzing) i find a fancy bug in rsync. Linux bengbeng 2.6.32-26-generic #48-Ubuntu SMP Wed Nov 24 10:14:11 UTC 2010 x86_64 GNU/Linux The Bug: $ rsync --backup-dir=`perl -e 'print "A"x22222;'` Segmentation fault $ rsync --backup-dir=`perl -e 'print "1"x22222;'` Segmentation fault Cheers. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #1 from paul at debian.org 2010-12-15 13:16 CST ------- Are you sure that the segmentation violation was in rsync, and not e.g. in the shell used to execute the backticks? Please provide a backtrace of the core dump. I can't reproduce it on my system, I just get the usage message due to incomplete arguments. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #2 from rafa.silva at gmail.com 2010-12-15 13:28 CST ------- Created an attachment (id=6132) --> (https://bugzilla.samba.org/attachment.cgi?id=6132&action=view) core dumped for rsync -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #3 from matt at mattmccutchen.net 2010-12-15 13:32 CST ------- I see what is happening. options.c:1496: backup_dir_remainder = sizeof backup_dir_buf - backup_dir_len; if (backup_dir_remainder < 32) { snprintf(err_buf, sizeof err_buf, "the --backup-dir path is WAY too long.\n"); return 0; } But backup_dir_remainder is unsigned, so the subtraction overflows and the error message does not trip. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #4 from jr-sambabugzilla at quo.to 2010-12-15 14:01 CST ------- There's also potential for a one-off overflow here: } else if (backup_dir_buf[backup_dir_len - 1] != '/') { backup_dir_buf[backup_dir_len++] = '/'; backup_dir_buf[backup_dir_len] = '\0'; } backup_dir_len is incremented, but there is no corresponding decrement of backup_dir_remainder. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #5 from paul at debian.org 2010-12-15 15:14 CST ------- (In reply to comment #3)> I see what is happening. options.c:1496: > > backup_dir_remainder = sizeof backup_dir_buf - backup_dir_len; > if (backup_dir_remainder < 32) { > snprintf(err_buf, sizeof err_buf, > "the --backup-dir path is WAY too long.\n"); > return 0; > } > > But backup_dir_remainder is unsigned, so the subtraction overflows and the > error message does not trip.I would have expected strlcpy() to limit the return value to the bufsize passed as last argument, but at least the lib/compat.c version doesn't, and contradicts the comments there in doing so ("@return index of the terminating byte"). If it had done that, it would have limited the result of the subtraction to >= 0. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 ------- Comment #6 from paul at debian.org 2010-12-15 15:17 CST ------- (In reply to comment #2)> Created an attachment (id=6132)--> (https://bugzilla.samba.org/attachment.cgi?id=6132&action=view) [details]> core dumped for rsyncA coredump from your system is pretty useless for anyone else. That's why I asked for the backtrace from that coredump. However Matt has spotted the problem already. Amusingly 'file core' says: core: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from '111111111111111' Note how apparently argv[0] got overwritten as well. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
https://bugzilla.samba.org/show_bug.cgi?id=7869 wayned at samba.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Comment #7 from wayned at samba.org 2010-12-17 00:34 CST ------- Fix committed to git for both the crashing overflow and the off-by-one issue. -- Configure bugmail: https://bugzilla.samba.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
Seemingly Similar Threads
- wrong transfer of app packages using --backup
- [patch] fix for "refuse options" ignored due to popt
- [PATCH 1/2] virtio_net: fix error handling for mergeable buffers
- [PATCH 1/2] virtio_net: fix error handling for mergeable buffers
- How about a --min-size option, next to --max-size