martinpitt / umockdev

Mock hardware devices for creating unit tests and bug reporting

Home Page:https://launchpad.net/umockdev

Property buffer overflow starting at 0.17.4

wmww opened this issue · comments

Commit b781cf6 broke Mir's umockdev tests (canonical/mir#2285). We get this error:

ERROR: uevent_sender_send: Property buffer overflow
Aborted (core dumped)

In GDB, I tracked down the problem to calling append_property() with a name that is too long for the size. On my machine, the name is (note that snaps I have installed seem to be included, no idea why):

(gdb) p name
$2 = 0x555557184f80 "DEVNAME=dri/card0DEVTYPE=drm_minor\nMAJOR=226\nMINOR=0\nSUBSYSTEM=drm\nID_PATH=pci-0000:00:02.0\nID_PATH_TAG=pci-0000_00_02_0\nID_FOR_SEAT=drm-pci-0000_00_02_0\nDEVLINKS=/dev/dri/by-path/pci-0000:00:02.0-card\nTAGS=:uaccess:snap_glimpse-editor_glimpse-editor:master-of-seat:snap_qemu-virgil_arm:snap_snap-store_ubuntu-software-local-file:snap_chromium_chromedriver:snap_super-cool-app_super-cool-app:snap_fluffychat_fluffychat:snap_flokk-contacts_flokk-contacts:snap_krita_krita:snap_qemu-virgil_qemu-virgil:snap_chromium_chromium:seat:snap_qemu-virgil_arm64:snap_firefox_firefox:snap_vlc_vlc:snap_snap-store_snap-store:snap_snap-store_ubuntu-software:snap_google-play-music-desktop-player_google-play-music-desktop-player:snap_discord_discord:\nCURRENT_TAGS=:snap_flokk-contacts_flokk-contacts:snap_chromium_chromium:snap_discord_discord:uaccess:snap_super-cool-app_super-cool-app:snap_fluffychat_fluffychat:snap_vlc_vlc:snap_snap-store_snap-store:snap_qemu-virgil_arm64:snap_qemu-virgil_arm:master-of-seat:snap_google-play-music-desktop-player_google-play-music-desktop-player:snap_glimpse-editor_glimpse-editor:snap_chromium_chromedriver:seat:snap_qemu-virgil_qemu-virgil:snap_firefox_firefox:snap_snap-store_ubuntu-software:snap_krita_krita:snap_snap-store_ubuntu-software-local-file:\n"

The length of that is 1281, just above the 1024 cap.
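The failure mode in this report is a fixed-capacity property buffer whose append routine must refuse, rather than silently overrun, when a property string does not fit. The following is an added illustration (not umockdev's own code): a hypothetical `append_property()` over a hypothetical `prop_buf` type with an assumed 1024-byte capacity, written so the length check accounts for the separator and terminating NUL and leaves the buffer untouched on rejection. The 1281-byte property used in the demo is constructed to match the length in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-capacity property buffer; the 1024-byte cap mirrors the
 * number mentioned in the report, the constant and type names are assumptions. */
#define PROP_BUF_SIZE 1024

typedef struct {
    char data[PROP_BUF_SIZE];
    size_t used;   /* bytes written so far, not counting the terminating NUL */
} prop_buf;

void prop_buf_init(prop_buf *b)
{
    b->used = 0;
    b->data[0] = '\0';
}

/* Append one "KEY=VALUE" property followed by '\n'.
 * Returns false and leaves the buffer untouched when the property plus its
 * newline and the terminating NUL would not fit; never writes past the end. */
bool append_property(prop_buf *b, const char *name)
{
    size_t len = strlen(name);
    /* need: used + len + '\n' + '\0' <= PROP_BUF_SIZE, written without
     * size_t underflow */
    if (len > PROP_BUF_SIZE - 2 || b->used > PROP_BUF_SIZE - 2 - len)
        return false;
    memcpy(b->data + b->used, name, len);
    b->used += len;
    b->data[b->used++] = '\n';
    b->data[b->used] = '\0';
    return true;
}

/* Constructed demo: a short property fits, a 1281-byte TAGS-style property
 * (the length from the report) is refused, and earlier content survives.
 * Returns 0 on success, a nonzero step number on the first failed check. */
int demo_overflow_check(void)
{
    prop_buf b;
    static char big[1282];
    prop_buf_init(&b);
    if (!append_property(&b, "DEVNAME=dri/card0")) return 1;
    memset(big, 'x', 1281);
    memcpy(big, "TAGS=", 5);          /* constructed oversized property */
    big[1281] = '\0';
    if (append_property(&b, big)) return 2;          /* must be refused */
    if (strcmp(b.data, "DEVNAME=dri/card0\n") != 0) return 3;
    return 0;
}

/* Boundary check: a property of exactly PROP_BUF_SIZE - 2 bytes fills the
 * buffer completely (property + '\n' + '\0'); one byte more is refused. */
int demo_boundary(void)
{
    prop_buf b;
    static char edge[PROP_BUF_SIZE];
    prop_buf_init(&b);
    memset(edge, 'y', PROP_BUF_SIZE - 2);
    edge[PROP_BUF_SIZE - 2] = '\0';
    if (!append_property(&b, edge)) return 1;
    if (b.used != PROP_BUF_SIZE - 1) return 2;
    prop_buf_init(&b);
    edge[PROP_BUF_SIZE - 2] = 'y';
    edge[PROP_BUF_SIZE - 1] = '\0';
    if (append_property(&b, edge)) return 3;
    return 0;
}
```

The point of the arithmetic in `append_property()` is that the check is done on `size_t` values without subtracting past zero, and that the newline and NUL are counted before any byte is copied, so an oversized input is rejected cleanly instead of aborting after a partial write.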

Ugh, thanks for the report! The /umockdev-testbed/uevent/action_overflow check is supposed to catch this, but doesn't. I'll investigate.

Ah wait, it does not actually segfault -- it's doing exactly as desired, aborting with that message before it segfaults, phew. So indeed I only need to bump the buffer size.

Released as 0.17.6. I uploaded it to Debian unstable, so it should reach Ubuntu jammy over the weekend.

Thanks for the fast response!