Skip Menu |

This queue is for tickets about the Socket CPAN distribution.

Report information
The Basics
Id: 76067
Status: resolved
Priority: 0/
Queue: Socket
People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: 2.000
Fixed in: 2.001

History Show all quoted text
  Tue Mar 27 03:21:19 2012 ppisar [...] redhat.com - Ticket created
Subject: Invalid write in XS_Socket_unpack_sockaddr_un()
Fix added in version 2.000: Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char); segfaults sometimes (depends on memory layout). We can reproduce it with .25 probability by running mysql test suite (mysql-test-run script). Simple test "unpack_sockaddr_un(pack_sockaddr_un(q{/tmp/foo})" does not exhibit this issue. The back-trace is: Program terminated with signal 11, Segmentation fault. #0 __memset_sse2 () at ../sysdeps/x86_64/memset.S:333 333 L(P0Q7): mov %rdx,-0x38(%rdi) (gdb) bt full #0 __memset_sse2 () at ../sysdeps/x86_64/memset.S:333 No locals. #1 0x00007ff47a847a10 in memset (__len=56, __ch=0, __dest=0x7fff42cbe264) at /usr/include/bits/string3.h:85 No locals. #2 XS_Socket_unpack_sockaddr_un (my_perl=0x20b2010, cv=<optimized out>) at Socket.xs:715 addr = {sun_family = 1, sun_path = "/tmp/5r1KpX7RwQ/", 'x' <repeats 35 times>, '\000' <repeats 19 times>"\200, \212\271\002\000\000\000\000\b\000\000\000\000\000\000\000\320B\216\002\000\000\000\000\b\030\271\002\000\000\000\000xſ\002\000"} sockaddrlen = 54 sun_ad = <optimized out> addr_len = <optimized out> sun_sv = <optimized out> sp = <optimized out> ax = <optimized out> mark = <optimized out> items = <optimized out> (gdb) fram 2 #2 XS_Socket_unpack_sockaddr_un (my_perl=0x20b2010, cv=<optimized out>) at Socket.xs:715 715 Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char); (gdb) info locals addr = {sun_family = 1, sun_path = "/tmp/5r1KpX7RwQ/", 'x' <repeats 35 times>, '\000' <repeats 19 times>"\200, \212\271\002\000\000\000\000\b\000\000\000\000\000\000\000\320B\216\002\000\000\000\000\b\030\271\002\000\000\000\000xſ\002\000"} sockaddrlen = 54 sun_ad = <optimized out> addr_len = <optimized out> sun_sv = <optimized out> sp = <optimized out> ax = <optimized out> mark = <optimized out> items = <optimized out> (gdb) print sizeof(addr) $1 = 110 (gdb) print sockaddrlen $2 = 54 The problem is in pointer arithmetics: (gdb) print &addr $3 = (struct sockaddr_un *) 0x7fff42cbcb30 (gdb) print &addr+1 $4 = (struct sockaddr_un *) 0x7fff42cbcb9e (gdb) print ((char*)&addr)+1 $5 = 0x7fff42cbcb31 "" You should call: Zero( ((char*)&addr) + sockaddrlen, sizeof(addr)-sockaddrlen, char); instead of: Zero( &addr + sockaddrlen, sizeof(addr)-sockaddrlen, char); otherwise you start zeroing far behind addr structure. See <https://bugzilla.redhat.com/show_bug.cgi?id=806543> for downstream report.
  Tue Mar 27 03:54:37 2012 ppisar [...] redhat.com - Correspondence added
Subject: Re: [rt.cpan.org #76067] AutoReply: Invalid write in XS_Socket_unpack_sockaddr_un()
Date: Tue, 27 Mar 2012 09:54:24 +0200
To: Bugs in Socket via RT <bug-Socket [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Tue, Mar 27, 2012 at 03:21:19AM -0400, Bugs in Socket via RT wrote: Show quoted text
> > You should call: > > Zero( ((char*)&addr) + sockaddrlen, sizeof(addr)-sockaddrlen, char); > > instead of: > > Zero( &addr + sockaddrlen, sizeof(addr)-sockaddrlen, char); >
This patch should fix it: From f76970735bf4f9b2587d109aff732cd5a28b01ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Tue, 27 Mar 2012 09:26:40 +0200 Subject: [PATCH] Fix AF_UNIX sockaddr padding initialization <http://rt.cpan.org/Public/Bug/Display.html?id=76067>. --- Socket.xs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Socket.xs b/Socket.xs index 3999c4b..fc0b39a 100644 --- a/Socket.xs +++ b/Socket.xs @@ -712,7 +712,7 @@ unpack_sockaddr_un(sun_sv) getpeername and getsockname is not equal to sizeof(addr). */ if (sockaddrlen < sizeof(addr)) { Copy(sun_ad, &addr, sockaddrlen, char); - Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char); + Zero(((char*)&addr)+sockaddrlen, sizeof(addr)-sockaddrlen, char); } else { Copy(sun_ad, &addr, sizeof(addr), char); } -- 1.7.9.3
Download (untitled)
application/pgp-signature 230b

Message body not shown because it is not plain text.

  Tue Mar 27 06:32:29 2012 ppisar [...] redhat.com - Correspondence added
From: ppisar [...] redhat.com
Dne Út 27.bře.2012 03:21:19, ppisar napsal(a): Show quoted text
> Fix added in version 2.000: > > Zero(&addr+sockaddrlen, sizeof(addr)-sockaddrlen, char); > > segfaults sometimes (depends on memory layout).
This the same problem as already reported in 75668.
  Tue Mar 27 09:40:04 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added
On Tue Mar 27 03:21:19 2012, ppisar wrote: Show quoted text
> You should call: > > Zero( ((char*)&addr) + sockaddrlen, sizeof(addr)-sockaddrlen, char); > > instead of: > > Zero( &addr + sockaddrlen, sizeof(addr)-sockaddrlen, char); > > otherwise you start zeroing far behind addr structure.
Ooops that looks a silly one. Yes I'll pop that in now. -- Paul Evans
  Tue Mar 27 09:40:06 2012 The RT System itself - Status changed from 'new' to 'open'
  Wed Mar 28 06:18:28 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'resolved'
  Wed Mar 28 06:18:29 2012 leonerd-cpan [...] leonerd.org.uk - Fixed in 2.001 added
  Wed Mar 28 06:18:39 2012 leonerd-cpan [...] leonerd.org.uk - Told changed from Tue Mar 27 09:40:06 2012 to Wed Mar 28 06:18:37 2012
  Wed Mar 28 06:24:14 2012 leonerd-cpan [...] leonerd.org.uk - Correspondence added
Released as 2.001 -- Paul Evans
  Wed Mar 28 06:24:15 2012 The RT System itself - Status changed from 'resolved' to 'open'
  Wed Mar 28 06:24:15 2012 leonerd-cpan [...] leonerd.org.uk - Status changed from 'open' to 'resolved'