Debian Bug report logs - #423167
uml_switch: corrupted unix socket path-string

version graph

Package: uml-utilities; Maintainer for uml-utilities is User Mode Linux Maintainers <pkg-uml-pkgs@lists.alioth.debian.org>; Source for uml-utilities is src:uml-utilities.

Reported by: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>

Date: Thu, 10 May 2007 09:57:01 UTC

Severity: normal

Found in version uml-utilities/20060323-3

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, User Mode Linux Developers <pkg-uml-pkgs@lists.alioth.debian.org>:
Bug#423167; Package uml-utilities. Full text and rfc822 format available.

Acknowledgement sent to Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>:
New Bug report received and forwarded. Copy sent to User Mode Linux Developers <pkg-uml-pkgs@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at bugs@bugs.debian.org (full text, mbox):

From: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
To: bugs@bugs.debian.org
Subject: uml_switch: corrupted unix socket path-string
Date: Thu, 10 May 2007 11:54:00 +0200 (CEST)
Package: uml-utilities
Version: 20060323-3
Severity: normal

Found this in /proc/net/unix:

Num       RefCount Protocol Flags    Type St Inode Path
f47bfa80: 00000002 00000000 00000000 0002 01  9427 @<junk>

where <junk> is shown in the hex-dump below:

00000000: 6634 3762 6661 3830 3A20 3030 3030 3030  f47bfa80: 000000
00000010: 3032 2030 3030 3030 3030 3020 3030 3030  02 00000000 0000
00000020: 3030 3030 2030 3030 3220 3031 2020 3934  0000 0002 01  94
00000030: 3237 2040 0000 00F9 0E00 00C7 8F07 0000  27 @............
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 000A  ................

I see this as a sign of buffer corruption.

ls on /proc/3833/fd/ shows:
lrwx------ 1 uml-net uml-net 64 2007-05-10 09:39 0 -> /dev/null
lrwx------ 1 uml-net uml-net 64 2007-05-10 09:39 1 -> /dev/null
lrwx------ 1 uml-net uml-net 64 2007-05-10 09:39 2 -> /dev/null
lrwx------ 1 uml-net uml-net 64 2007-05-10 09:39 3 -> socket:[9426]
lrwx------ 1 uml-net uml-net 64 2007-05-10 09:39 4 -> socket:[9427]

lsof -U shows:
COMMAND     PID       USER   FD   TYPE     DEVICE SIZE      NODE NAME
uml_switc  3833    uml-net    4u  unix 0xf47bfa80           9427 socket

and netstat:
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    9427     @

I suppose they manage that because they read /proc/net/unix linewise.
Older busybox netstat versions (like debian distributed 1:1.1.3-4)
manage that too because they also read /proc/net/unix linewise.

# /bin/busybox netstat -x
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    9427   @

But newer busybox (v1.6.0.svn) netstat changed to read /proc/net/unix
one character at a time using fgets in xmalloc_fgets_str from
libbb/fgets_str.c. In this case, the path string corruption confuses
function unix_do_one in networking/netstat.c which outputs a whole
bunch of "warning, got bogus unix line" error messages.

'/etc/init.d/uml-utilities restart' doesn't change things to the better.

00000000: 6434 6335 3237 3830 3A20 3030 3030 3030  d4c52780: 000000
00000010: 3032 2030 3030 3030 3030 3020 3030 3030  02 00000000 0000
00000020: 3030 3030 2030 3030 3220 3031 2035 3731  0000 0002 01 571
00000030: 3935 3939 3634 2040 0000 0067 4F00 0090  959964 @...gO...
00000040: 9302 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000A0: 0000 000A                                ....

Path-string size varies, otherwise pretty consistent behaviour.


Cheers,
Cristian

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (99, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE= (charmap=ISO-8859-1)

Versions of packages uml-utilities depends on:
ii  adduser                     3.102        Add and remove users and groups
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libncurses5                 5.5-5        Shared libraries for terminal hand
ii  libreadline5                5.2-2        GNU readline and history libraries
ii  makedev                     2.3.1-83     creates device files in /dev

uml-utilities recommends no packages.

-- no debconf information



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:01:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.