[Pkg-sysvinit-devel] Bug#368793: sysvinit: Overflow caused by strcpy()

Paul Seelig pseelig at debian.org
Thu May 25 15:26:11 UTC 2006


Hi Petter!

On Thu, May 25, 2006 at 04:39:55PM +0200, Petter Reinholdtsen wrote:
> Sure.  Use 'apt-get install valgrind' to install it, and then
> 'valgrind last' to run last within valgrind.
> 
See the accompanying valgrind_official_sysvinit_2.86.ds1-14.1_i386.log

> Even better would be to use a version of the last binary with debug
> information, but that require a rebuild of the package and I will not
> try to guide you through that. :)
> 
I did a quick 'apt-get source sysvinit', grepped and commented all strip
commands in debian/rules, and removed debian/patches/30_strip.dpatch
together with its entry in the accompanying debian/patches/00list. But the
result is still a stripped last binary and I didn't want to investigate any
further. The file valgrind_selfbuilt_sysvinit_2.86.ds1-14.1_i386.log
contains the results of running valgrind with the self-built package.

The compiler used for building the package was "gcc version 4.0.4 20060507
(prerelease) (Debian 4.0.3-3)", according to gcc -v.

                                    Thanks, P. *8^)
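As an added example (not part of this report, nor of the sysvinit package), the following POSIX shell script performs the steps described above in a repeatable way: commenting out strip invocations in debian/rules, dropping 30_strip.dpatch from the dpatch 00list, and rebuilding before running the binary under valgrind. The function names comment_out_strip, drop_dpatch and rebuild_unstripped_and_check, and the src/last path of the built binary, are assumptions for this example. DEB_BUILD_OPTIONS=nostrip is the Debian policy mechanism for keeping symbols; it is also honoured by dh_strip, which a plain grep for "strip" in debian/rules does not necessarily catch, and is one common reason a rebuilt binary still ends up stripped.

```shell
#!/bin/sh
# Added example, not code from the bug report or the sysvinit package.
# Prepares an unstripped rebuild of a dpatch-style Debian source package so
# that valgrind can attribute its findings to function names in 'last'.

# Comment out every non-comment line in a debian/rules file that invokes
# 'strip' or 'dh_strip' as a word. Lines already commented are left alone,
# so the edit is idempotent.
comment_out_strip() {
    rules="$1"
    sed -E '/^[[:space:]]*#/!{/(^|[^[:alnum:]_])(dh_strip|strip)([^[:alnum:]_]|$)/s/^/#/;}' \
        "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
}

# Remove one patch from a dpatch 00list and delete the patch file next to it.
# -F -x matches the whole line literally, so the '.' in the name is not a wildcard.
drop_dpatch() {
    list="$1"
    patch="$2"
    grep -v -F -x "$patch" "$list" > "$list.tmp" || :   # grep exits 1 when nothing is left
    mv "$list.tmp" "$list"
    rm -f "$(dirname "$list")/$patch"
}

# True when 'file' reports the binary as unstripped (symbol table present).
has_symbols() {
    file "$1" | grep -q ', not stripped'
}

# Full procedure on a Debian build host (network, build-deps and fakeroot
# required; not exercised offline). DEB_BUILD_OPTIONS=nostrip also covers
# dh_strip, which the rules-file edit alone may miss; noopt keeps the code
# close to the source for easier reading of valgrind stack traces.
# src/last as the location of the freshly built binary is an assumption.
rebuild_unstripped_and_check() {
    apt-get source sysvinit
    cd sysvinit-*/ || return 1
    comment_out_strip debian/rules
    drop_dpatch debian/patches/00list 30_strip.dpatch
    DEB_BUILD_OPTIONS="nostrip noopt" dpkg-buildpackage -rfakeroot -us -uc
    if has_symbols src/last; then
        valgrind -v ./src/last
    else
        echo "src/last is still stripped; check debian/rules for dh_strip or install -s" >&2
        return 1
    fi
}
```

The two file-editing functions operate on plain text and can be tried on a copy of any debian/ directory before touching the real tree; rebuild_unstripped_and_check ties them together for an actual rebuild.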
-------------- next part --------------
Script started on Thu May 25 17:05:35 2006
[pseelig]~ > valgrind last
==10238== Memcheck, a memory error detector.
==10238== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==10238== Using LibVEX rev 1575, a library for dynamic binary translation.
==10238== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==10238== Using valgrind-3.1.1-Debian, a dynamic binary instrumentation framework.
==10238== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==10238== For more details, rerun with: -v
==10238== 
--10238-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--10238-- DWARF2 CFI reader: unhandled CFI instruction 0:50
==10238== Conditional jump or move depends on uninitialised value(s)
==10238==    at 0x8049CFD: (within /usr/bin/last)
==10238==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
==10238== 
==10238== Conditional jump or move depends on uninitialised value(s)
==10238==    at 0x8049CFF: (within /usr/bin/last)
==10238==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
root     pts/5        localhost        Wed May 24 12:11   still logged in   

          [ login data edited ]

reboot   system boot  2.6.16           Mon May  1 21:58 - 17:40 (2+19:41)   

wtmp begins Mon May  1 21:48:10 2006
==10238== 
==10238== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 1)
==10238== malloc/free: in use at exit: 784 bytes in 2 blocks.
==10238== malloc/free: 161 allocs, 159 frees, 61,921 bytes allocated.
==10238== For counts of detected errors, rerun with: -v
==10238== searching for pointers to 2 not-freed blocks.
==10238== checked 74,528 bytes.
==10238== 
==10238== LEAK SUMMARY:
==10238==    definitely lost: 0 bytes in 0 blocks.
==10238==      possibly lost: 0 bytes in 0 blocks.
==10238==    still reachable: 784 bytes in 2 blocks.
==10238==         suppressed: 0 bytes in 0 blocks.
==10238== Reachable blocks (those to which a pointer was found) are not shown.
==10238== To see them, rerun with: --show-reachable=yes
[pseelig]~ > valgrind -v last
==10239== Memcheck, a memory error detector.
==10239== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==10239== Using LibVEX rev 1575, a library for dynamic binary translation.
==10239== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==10239== Using valgrind-3.1.1-Debian, a dynamic binary instrumentation framework.
==10239== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==10239== 
--10239-- Command line
--10239--    last
--10239-- Startup, with flags:
--10239--    --suppressions=/usr/lib/valgrind/debian-libc6-dbg.supp
--10239--    -v
--10239-- Contents of /proc/version:
--10239--   Linux version 2.6.16 (root at thinkpad) (gcc version 3.4.6 (Debian 3.4.6-1)) #1 PREEMPT Mon Apr 24 14:59:49 CEST 2006
--10239-- Arch and subarch: X86, x86-sse1
--10239-- Valgrind library directory: /usr/lib/valgrind
--10239-- Reading syms from /lib/ld-2.3.6.so (0x4000000)
--10239-- Reading debug info from /lib/ld-2.3.6.so...
--10239-- ... CRC mismatch (computed 25F76946 wanted 91CB981C)
--10239--    object doesn't have a symbol table
--10239-- Reading syms from /usr/bin/last (0x8048000)
--10239--    object doesn't have a symbol table
--10239-- Reading syms from /usr/lib/valgrind/x86-linux/memcheck (0xA000000)
--10239--    object doesn't have a dynamic symbol table
--10239-- Reading suppressions file: /usr/lib/valgrind/debian-libc6-dbg.supp
--10239-- Reading suppressions file: /usr/lib/valgrind/default.supp
--10239-- Reading syms from /usr/lib/valgrind/x86-linux/vgpreload_core.so (0x4018000)
--10239-- Reading syms from /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so (0x401A000)
--10239-- Reading syms from /lib/tls/libc-2.3.6.so (0x4033000)
--10239-- Reading debug info from /lib/tls/libc-2.3.6.so...
--10239-- ... CRC mismatch (computed 28A37A47 wanted A0EF6854)
--10239--    object doesn't have a symbol table
--10239-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--10239-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--10239-- REDIR: 0x40A1600 (rindex) redirected to 0x401CE90 (rindex)
--10239-- REDIR: 0x40A11D0 (strlen) redirected to 0x401D0B0 (strlen)
--10239-- REDIR: 0x40A2230 (memset) redirected to 0x401D440 (memset)
--10239-- REDIR: 0x40A2710 (memcpy) redirected to 0x401D540 (memcpy)
--10239-- REDIR: 0x409BD80 (malloc) redirected to 0x401B3A0 (malloc)
==10239== Conditional jump or move depends on uninitialised value(s)
==10239==    at 0x8049CFD: (within /usr/bin/last)
==10239==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
==10239== 
==10239== Conditional jump or move depends on uninitialised value(s)
==10239==    at 0x8049CFF: (within /usr/bin/last)
==10239==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
--10239-- REDIR: 0x40A1330 (strncat) redirected to 0x401DA00 (strncat)
--10239-- REDIR: 0x4099FB0 (free) redirected to 0x401BFC6 (free)
--10239-- REDIR: 0x40A0C90 (strcpy) redirected to 0x401D790 (strcpy)
--10239-- REDIR: 0x40A0C00 (strcmp) redirected to 0x401D1A0 (strcmp)
--10239-- REDIR: 0x40A1280 (strnlen) redirected to 0x401D070 (strnlen)
root     pts/5        localhost        Wed May 24 12:11   still logged in   
--10239-- REDIR: 0x40A1400 (strncmp) redirected to 0x401D110 (strncmp)
pseelig  :0                            Wed May 24 12:11    gone - no logout 

             [ login data edited ]

reboot   system boot  2.6.16           Mon May  1 21:58 - 17:40 (2+19:41)   

wtmp begins Mon May  1 21:48:10 2006
==10239== 
==10239== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 1)
==10239== 
==10239== 1 errors in context 1 of 2:
==10239== Conditional jump or move depends on uninitialised value(s)
==10239==    at 0x8049CFF: (within /usr/bin/last)
==10239==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
==10239== 
==10239== 1 errors in context 2 of 2:
==10239== Conditional jump or move depends on uninitialised value(s)
==10239==    at 0x8049CFD: (within /usr/bin/last)
==10239==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
--10239-- 
--10239-- supp:   12 Debian libc6 stripped dynamic linker
==10239== 
==10239== IN SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 1)
==10239== 
==10239== malloc/free: in use at exit: 784 bytes in 2 blocks.
==10239== malloc/free: 161 allocs, 159 frees, 61,921 bytes allocated.
==10239== 
==10239== searching for pointers to 2 not-freed blocks.
==10239== checked 74,528 bytes.
==10239== 
==10239== LEAK SUMMARY:
==10239==    definitely lost: 0 bytes in 0 blocks.
==10239==      possibly lost: 0 bytes in 0 blocks.
==10239==    still reachable: 784 bytes in 2 blocks.
==10239==         suppressed: 0 bytes in 0 blocks.
==10239== Reachable blocks (those to which a pointer was found) are not shown.
==10239== To see them, rerun with: --show-reachable=yes
--10239--  memcheck: sanity checks: 7 cheap, 1 expensive
--10239--  memcheck: auxmaps: 0 auxmap entries (0k, 0M) in use
--10239--  memcheck: auxmaps: 0 searches, 0 comparisons
--10239--  memcheck: secondaries: 9 issued (576k, 0M)
--10239--  memcheck: secondaries: 19 accessible and distinguished (1216k, 1M)
--10239--     tt/tc: 6,059 tt lookups requiring 6,170 probes
--10239--     tt/tc: 6,059 fast-cache updates, 2 flushes
--10239-- translate: new        2,757 (58,672 -> 924,106; ratio 157:10) [0 scs]
--10239-- translate: dumped     0 (0 -> ??)
--10239-- translate: discarded  0 (0 -> ??)
--10239-- scheduler: 371,118 jumps (bb entries).
--10239-- scheduler: 7/3,801 major/minor sched events.
--10239--    sanity: 8 cheap, 1 expensive checks.
--10239--    exectx: 30,011 lists, 22 contexts (avg 0 per list)
--10239--    exectx: 334 searches, 312 full compares (934 per 1000)
--10239--    exectx: 0 cmp2, 47 cmp4, 0 cmpAll
[pseelig]~ > Use "exit" to leave the shell.
[pseelig]~ > exit

Script done on Thu May 25 17:05:46 2006
-------------- next part --------------
Script started on Thu May 25 16:53:15 2006
[pseelig]~ > valgrind last
==7152== Memcheck, a memory error detector.
==7152== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==7152== Using LibVEX rev 1575, a library for dynamic binary translation.
==7152== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==7152== Using valgrind-3.1.1-Debian, a dynamic binary instrumentation framework.
==7152== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==7152== For more details, rerun with: -v
==7152== 
--7152-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--7152-- DWARF2 CFI reader: unhandled CFI instruction 0:50
==7152== Conditional jump or move depends on uninitialised value(s)
==7152==    at 0x8049CFD: (within /usr/bin/last)
==7152==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
==7152== 
==7152== Conditional jump or move depends on uninitialised value(s)
==7152==    at 0x8049CFF: (within /usr/bin/last)
==7152==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
root     pts/5        localhost        Wed May 24 12:11   still logged in   

             [ login data edited ]

reboot   system boot  2.6.16           Mon May  1 21:58 - 17:40 (2+19:41)   

wtmp begins Mon May  1 21:48:10 2006
==7152== 
==7152== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 1)
==7152== malloc/free: in use at exit: 784 bytes in 2 blocks.
==7152== malloc/free: 161 allocs, 159 frees, 61,921 bytes allocated.
==7152== For counts of detected errors, rerun with: -v
==7152== searching for pointers to 2 not-freed blocks.
==7152== checked 74,512 bytes.
==7152== 
==7152== LEAK SUMMARY:
==7152==    definitely lost: 0 bytes in 0 blocks.
==7152==      possibly lost: 0 bytes in 0 blocks.
==7152==    still reachable: 784 bytes in 2 blocks.
==7152==         suppressed: 0 bytes in 0 blocks.
==7152== Reachable blocks (those to which a pointer was found) are not shown.
==7152== To see them, rerun with: --show-reachable=yes
[pseelig]~ > valgrind -v last
==7153== Memcheck, a memory error detector.
==7153== Copyright (C) 2002-2005, and GNU GPL'd, by Julian Seward et al.
==7153== Using LibVEX rev 1575, a library for dynamic binary translation.
==7153== Copyright (C) 2004-2005, and GNU GPL'd, by OpenWorks LLP.
==7153== Using valgrind-3.1.1-Debian, a dynamic binary instrumentation framework.
==7153== Copyright (C) 2000-2005, and GNU GPL'd, by Julian Seward et al.
==7153== 
--7153-- Command line
--7153--    last
--7153-- Startup, with flags:
--7153--    --suppressions=/usr/lib/valgrind/debian-libc6-dbg.supp
--7153--    -v
--7153-- Contents of /proc/version:
--7153--   Linux version 2.6.16 (root at thinkpad) (gcc version 3.4.6 (Debian 3.4.6-1)) #1 PREEMPT Mon Apr 24 14:59:49 CEST 2006
--7153-- Arch and subarch: X86, x86-sse1
--7153-- Valgrind library directory: /usr/lib/valgrind
--7153-- Reading syms from /lib/ld-2.3.6.so (0x4000000)
--7153-- Reading debug info from /lib/ld-2.3.6.so...
--7153-- ... CRC mismatch (computed 25F76946 wanted 91CB981C)
--7153--    object doesn't have a symbol table
--7153-- Reading syms from /usr/bin/last (0x8048000)
--7153--    object doesn't have a symbol table
--7153-- Reading syms from /usr/lib/valgrind/x86-linux/memcheck (0xA000000)
--7153--    object doesn't have a dynamic symbol table
--7153-- Reading suppressions file: /usr/lib/valgrind/debian-libc6-dbg.supp
--7153-- Reading suppressions file: /usr/lib/valgrind/default.supp
--7153-- Reading syms from /usr/lib/valgrind/x86-linux/vgpreload_core.so (0x4018000)
--7153-- Reading syms from /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so (0x401A000)
--7153-- Reading syms from /lib/tls/libc-2.3.6.so (0x4033000)
--7153-- Reading debug info from /lib/tls/libc-2.3.6.so...
--7153-- ... CRC mismatch (computed 28A37A47 wanted A0EF6854)
--7153--    object doesn't have a symbol table
--7153-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--7153-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--7153-- REDIR: 0x40A1600 (rindex) redirected to 0x401CE90 (rindex)
--7153-- REDIR: 0x40A11D0 (strlen) redirected to 0x401D0B0 (strlen)
--7153-- REDIR: 0x40A2230 (memset) redirected to 0x401D440 (memset)
--7153-- REDIR: 0x40A2710 (memcpy) redirected to 0x401D540 (memcpy)
--7153-- REDIR: 0x409BD80 (malloc) redirected to 0x401B3A0 (malloc)
==7153== Conditional jump or move depends on uninitialised value(s)
==7153==    at 0x8049CFD: (within /usr/bin/last)
==7153==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
==7153== 
==7153== Conditional jump or move depends on uninitialised value(s)
==7153==    at 0x8049CFF: (within /usr/bin/last)
==7153==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
--7153-- REDIR: 0x40A1330 (strncat) redirected to 0x401DA00 (strncat)
--7153-- REDIR: 0x4099FB0 (free) redirected to 0x401BFC6 (free)
--7153-- REDIR: 0x40A0C90 (strcpy) redirected to 0x401D790 (strcpy)
--7153-- REDIR: 0x40A0C00 (strcmp) redirected to 0x401D1A0 (strcmp)
--7153-- REDIR: 0x40A1280 (strnlen) redirected to 0x401D070 (strnlen)
root     pts/5        localhost        Wed May 24 12:11   still logged in   
--7153-- REDIR: 0x40A1400 (strncmp) redirected to 0x401D110 (strncmp)
pseelig  :0                            Wed May 24 12:11    gone - no logout 

             [ login data edited ]

reboot   system boot  2.6.16           Mon May  1 21:58 - 17:40 (2+19:41)   

wtmp begins Mon May  1 21:48:10 2006
==7153== 
==7153== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 1)
==7153== 
==7153== 1 errors in context 1 of 2:
==7153== Conditional jump or move depends on uninitialised value(s)
==7153==    at 0x8049CFF: (within /usr/bin/last)
==7153==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
==7153== 
==7153== 1 errors in context 2 of 2:
==7153== Conditional jump or move depends on uninitialised value(s)
==7153==    at 0x8049CFD: (within /usr/bin/last)
==7153==    by 0x4047EAF: (below main) (in /lib/tls/libc-2.3.6.so)
--7153-- 
--7153-- supp:   12 Debian libc6 stripped dynamic linker
==7153== 
==7153== IN SUMMARY: 2 errors from 2 contexts (suppressed: 12 from 1)
==7153== 
==7153== malloc/free: in use at exit: 784 bytes in 2 blocks.
==7153== malloc/free: 161 allocs, 159 frees, 61,921 bytes allocated.
==7153== 
==7153== searching for pointers to 2 not-freed blocks.
==7153== checked 74,512 bytes.
==7153== 
==7153== LEAK SUMMARY:
==7153==    definitely lost: 0 bytes in 0 blocks.
==7153==      possibly lost: 0 bytes in 0 blocks.
==7153==    still reachable: 784 bytes in 2 blocks.
==7153==         suppressed: 0 bytes in 0 blocks.
==7153== Reachable blocks (those to which a pointer was found) are not shown.
==7153== To see them, rerun with: --show-reachable=yes
--7153--  memcheck: sanity checks: 7 cheap, 1 expensive
--7153--  memcheck: auxmaps: 0 auxmap entries (0k, 0M) in use
--7153--  memcheck: auxmaps: 0 searches, 0 comparisons
--7153--  memcheck: secondaries: 9 issued (576k, 0M)
--7153--  memcheck: secondaries: 19 accessible and distinguished (1216k, 1M)
--7153--     tt/tc: 6,059 tt lookups requiring 6,170 probes
--7153--     tt/tc: 6,059 fast-cache updates, 2 flushes
--7153-- translate: new        2,757 (58,672 -> 924,106; ratio 157:10) [0 scs]
--7153-- translate: dumped     0 (0 -> ??)
--7153-- translate: discarded  0 (0 -> ??)
--7153-- scheduler: 370,922 jumps (bb entries).
--7153-- scheduler: 7/3,801 major/minor sched events.
--7153--    sanity: 8 cheap, 1 expensive checks.
--7153--    exectx: 30,011 lists, 22 contexts (avg 0 per list)
--7153--    exectx: 334 searches, 312 full compares (934 per 1000)
--7153--    exectx: 0 cmp2, 47 cmp4, 0 cmpAll
[pseelig]~ > Use "exit" to leave the shell.
[pseelig]~ > exit

Script done on Thu May 25 16:53:51 2006