Problem Report 2251 Details
Problem Report Number: 2251
Submitter's Classification: Test Suite problem
State: Resolved
Resolution: Rejected (REJ)
Problem Resolution ID: REJ.X.0629
Raised: 2003-05-03 00:42
Updated: 2003-05-07 19:37
Published: 2003-05-07 19:37
Product Standard: Internationalised System Calls and Libraries Extended V2 (UNIX 98)
Certification Program: The Open Brand certification program
Test Suite: VSX4 version 4.5.3
Test Identification: POSIX.os/dataform/cpio/T.cpio 2
Specification: System Interfaces and Headers Issue 5
Problem Summary: read() in cpio #2 overflows buffer
Problem Text:
A trace of the assertion shows:
1591 19569: waitid(P_PID, 19579, 0x08047778, WEXITED|WTRAPPED) = 0
1592 19569: alarm(0) = 25
1593 19569: sigaction(SIGALRM, 0x080477C0, 0x00000000) = 0
1594 19569: xstat(2, "cpio-file.a", 0x08047A00) = 0
1595 19569: open("cpio-file.a", O_RDONLY) = 5
1596 19569: fstat64(5, 0x080479D8) = 0
1597 19569: read(5, " 0 7 0 7 0 1 0 0 0 0 8 5".., 76) = 76
1598 19569: read(5, " 0 6 0 0 0 0 0 0 0 0 0 0".., 512) = 512
1599 19569: read(5, "\0\0\0\0\0\0\0\0\0\0\0\0".., 262148) = 7604
1600 19569: Incurred fault #6, FLTBOUNDS %pc = 0x08071CA1
1601 19569: siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
1602 19569: Received signal #11, SIGSEGV [caught]
1603 19569: siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
1604 19569: sigprocmask(SIG_SETMASK, 0x08047720, 0x00000000) = 0
1605 19569: sigprocmask(SIG_SETMASK, 0xDDBA1A00, 0x080474A8) = 0
In tset/POSIX.os/dataform/cpio/cpio1.c we can see the third read (data)
uses a length of 262148 (from the trace above) and even though the read
properly returns 7604 bytes, the buf is defined as 512 bytes and so
overruns the buffer.
From cpiotest.h:
#define CBLKSIZ 512
From cpio4.c:
private char buf[CBLKSIZ];
And the test code:
chk_t2(fd, name)
int fd;         /* File descriptor of cpio format file */
char *name;     /* Expected file name in the record */
{
    int err;
    int len;
    int ret;
    int pathok = 0;

    /*
     * Check that cpio format record contains header, "c_name" and
     * "c_filedata".
     * Note that none of these 3 parts are validated.
     */
    DBUG_ENTER("chk_t2");
    globok = 0;

    /* Read cpio format header */
    if(read_head(fd) == SYSERROR)
    {
        DBUG_RETURN(SYSERROR);
    }
    else
        PATH_TRACE;

    /* Read the name field */
    len = aoctol(hdr.c_namesize, CNAMSIZLEN);
    if(read_name(fd, blk, len) == SYSERROR)
    {
        DBUG_RETURN(SYSERROR);
    }
    else
        PATH_TRACE;

    /* Read the data */
    len = aoctol(hdr.c_filesize, CFILSIZLEN);
    if((ret = read(fd, blk, (unsigned)len)) == SYSERROR)
    {
        err = errno;
        if(!test_fail++)
            xx_rpt(DELETION);
        in_rpt("file %s: read() of cpio format file contents failed - errno %d", name, err);
        DBUG_RETURN(SYSERROR);
    }
    else
        PATH_TRACE;
    if(ret < len)
        ...
}

Test Output
************************************************************************
/tset/POSIX.os/dataform/cpio/T.cpio 2 Failed
Test Description:
Each entry in the cpio archive format contains data in the following order:
    c_magic       6 bytes
    c_dev         6 bytes
    c_ino         6 bytes
    c_mode        6 bytes
    c_uid         6 bytes
    c_gid         6 bytes
    c_nlink       6 bytes
    c_rdev        6 bytes
    c_mtime      11 bytes
    c_namesize    6 bytes
    c_filesize   11 bytes
    c_name        c_namesize
    c_filedata    c_filesize
Posix Ref: Component CPIO Assertion 10.1.2-01(A)
Test Strategy:
    CREATE regular file using crfile() - (genlib)
    WRITE data to regular file using write()
    CREATE link file using crfile() - (genlib)
    WRITE data to link file using write()
    CREATE a link to link file using link()
    FOR regular file, link file and link to link file:
        VERIFY that file exists using chk_file()
    CREATE cpio archive and open() with O_RDONLY using open_cpio() with
        regular file, link file and link to link file
    FOR regular file, link file and link to link file:
        READ cpio archive header using read() to obtain namesize and filesize
        READ cpio archive using read() to obtain name
        VERIFY that name has the expected size using aoctol()
        READ cpio archive using read() to obtain filedata
        VERIFY that filedata has the expected size using aoctol()
    CLOSE cpio archive with unlink() and close() using close_cpio()
Test Information:
file cpio-reg: unable to read file contents in cpio format archive
read() returned 7604; expected field length 262144
************************************************************************

Review Information
Review Type: TSMA Review
Start Date: 2003-05-03 00:42
Last Updated: 2003-05-03 02:09
Completed: 2003-05-03 02:09
Status: Complete
Review Recommendation: Rejected (REJ)
Review Response:
Although the direct cause of this failure is the buffer overflow, the
underlying cause is incorrect configuration of the test suite.
The cpio_cr.sh script has been configured to create a non-POSIX cpio
archive, as can be seen from this line in the trace output:
1597 19569: read(5, " 0 7 0 7 0 1 0 0 0 0 8 5".., 76) = 76
A POSIX cpio archive would have " 0 7 0 7 0 7" on this line.
Because the archive is in the wrong format, the length value obtained
from the file is incorrect, and this leads to too much data being read.
Review Type: SA Review
Start Date: 2003-05-03 01:09
Last Updated: 2003-05-03 02:29
Completed: 2003-05-03 02:29
Status: Complete
Review Resolution: Rejected (REJ)
Review Conclusion:
This appears to be a problem that can be overcome by reconfiguration of
the test suite. The TSMA therefore rejects the PR as a TSD.
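As an added illustration, not code from the VSX4 suite or from either review, the following shows the two checks that together cover the problem text and the TSMA response: the header magic is compared against the POSIX "070707" (so the "070701" seen in the trace is refused), and c_namesize and c_filesize are bounded by CBLKSIZ before any read is sized from them, so buf[CBLKSIZ] cannot be overrun. aoctol_safe and odc_data_len are assumed names, and all three sample headers are constructed, not taken from the archive in the report.

```c
#include <string.h>

#define CBLKSIZ   512       /* test suite buffer size, from cpiotest.h */
#define ODC_MAGIC "070707"  /* magic of the POSIX (odc) cpio format */

/* Hypothetical stand-in for the suite's aoctol(): parse n ASCII octal
 * digits (no terminator); -1 if any byte is not an octal digit. */
long aoctol_safe(const char *p, int n)
{
    long v = 0;
    for (int i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '7')
            return -1;
        v = v * 8 + (p[i] - '0');
    }
    return v;
}

/* Validate a 76-byte odc header and return the c_filesize that may safely
 * be read into a CBLKSIZ buffer, or -1 if the magic is not POSIX or a
 * length would overrun buf[CBLKSIZ].  Field offsets follow the layout in
 * the test description: eight six-byte fields, c_mtime (11 bytes),
 * c_namesize (6 bytes) at offset 59, c_filesize (11 bytes) at offset 65. */
long odc_data_len(const char *hdr)
{
    long namesize, filesize;

    if (memcmp(hdr, ODC_MAGIC, 6) != 0)   /* e.g. "070701" (SVR4 newc) */
        return -1;
    namesize = aoctol_safe(hdr + 59, 6);
    filesize = aoctol_safe(hdr + 65, 11);
    if (namesize < 0 || filesize < 0)
        return -1;
    if (namesize > CBLKSIZ || filesize > CBLKSIZ)
        return -1;
    return filesize;
}

/* Constructed sample headers (not taken from the page's archive). */
/* Valid odc header: namesize 9 ("cpio-reg" + NUL), filesize 100 (0144). */
const char GOOD_HDR[] = "070707" "000000" "000001" "100644" "000000" "000000"
    "000001" "000000" "00000000000" "000011" "00000000144";
/* Valid odc header whose filesize (262144 = 01000000) exceeds CBLKSIZ. */
const char BIG_HDR[] = "070707" "000000" "000001" "100644" "000000" "000000"
    "000001" "000000" "00000000000" "000011" "00001000000";
/* Leading bytes of a newc header (hex fields), the format cpio_cr.sh produced. */
const char NEWC_HDR[] = "070701" "00000000" "000081A4" "00000000" "00000000"
    "00000001" "00000000" "00000064" "00000000" "00000000";
```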