[Bug 2060538] [NEW] rpcdebug segfault in s390x
Andreas Hasenack
2060538 at bugs.launchpad.net
Mon Apr 8 13:39:28 UTC 2024
Public bug reported:
Just running rpcdebug in noble on s390x causes a segfault. In gdb we
see:
Breakpoint 1, main (argc=1, argv=0x3ffffffa498) at rpcdebug.c:57
57 cdename = malloc(strlen(basename(argv[0])));
(gdb) n
58 if (cdename == NULL) {
(gdb) n
62 strcpy(cdename, basename(argv[0]));
(gdb) n
*** buffer overflow detected ***: terminated
It's the _FORTIFY_SOURCE=3 that is catching it, but only on s390x. Looks like an off-by-one.
From the strcpy() manpage:
strcpy()
These functions copy the string pointed to by src, into a string at the buffer pointed to by dst. The programmer is responsible for allocating a destination buffer large enough, that is, strlen(src) + 1. For the difference between the two functions, see RETURN VALUE.
Patch:
--- a/tools/rpcdebug/rpcdebug.c
+++ b/tools/rpcdebug/rpcdebug.c
@@ -54,7 +54,7 @@ main(int argc, char **argv)
char * module = NULL;
int c;
- cdename = malloc(strlen(basename(argv[0])));
+ cdename = malloc(strlen(basename(argv[0])) + 1);
if (cdename == NULL) {
fprintf(stderr, "failed in malloc\n");
exit(1);
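Review bot: the `+ 1` on the malloc line is the correct fix, since strcpy(3) writes strlen(src) + 1 bytes including the terminating NUL, and the surrounding NULL check and `exit(1)` path stay valid. A smaller follow-up would be to replace the malloc/strcpy pair with `cdename = strdup(basename(argv[0]));`, which sizes the buffer itself and avoids calling basename() twice on argv[0]; the POSIX basename() in <libgen.h> may modify its argument, so computing it once into a variable is also the safer form if the two-call version is kept.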
** Affects: nfs-utils (Ubuntu)
Importance: Undecided
Status: New
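The sizing rule from the manpage quoted above, worked through as an added example (not code from nfs-utils or from the bug reporter): a bounded copy that refuses to write when the destination is one byte short, and a basename copy that allocates strlen + 1 as the patch does. The path "/usr/sbin/rpcdebug" is a constructed sample argv[0].

```c
#define _POSIX_C_SOURCE 200809L
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes strcpy() writes for src: strlen(src) plus one for the terminating NUL. */
size_t strcpy_bytes_needed(const char *src)
{
    return strlen(src) + 1;
}

/* Copy src into dst (dstsz bytes) only if it fits, NUL included.
 * Returns 0 on success, -1 if the copy would overflow; dst is untouched then. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t need = strcpy_bytes_needed(src);
    if (need > dstsz)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

/* Heap copy of basename(path) with the +1 the original rpcdebug.c lacked.
 * Works on a private copy because POSIX basename() may modify its argument.
 * Caller frees the result. */
char *copy_basename(const char *path)
{
    char *scratch = strdup(path);
    if (scratch == NULL)
        return NULL;
    const char *base = basename(scratch);
    size_t need = strcpy_bytes_needed(base);
    char *out = malloc(need);
    if (out != NULL)
        memcpy(out, base, need);
    free(scratch);
    return out;
}

/* Returns 1 if copy_basename(path) yields expected, 0 otherwise. */
int basename_copy_matches(const char *path, const char *expected)
{
    char *got = copy_basename(path);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    char buf[8];  /* strlen("rpcdebug") == 8: the off-by-one allocation size */
    printf("copy into 8 bytes: %d\n", bounded_copy(buf, sizeof buf, "rpcdebug"));
    printf("basename ok: %d\n", basename_copy_matches("/usr/sbin/rpcdebug", "rpcdebug"));
    return 0;
}
```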
https://bugs.launchpad.net/bugs/2060538