Bug 123246 - kpilotDaemon crashes with buffer overflow
Summary: kpilotDaemon crashes with buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: kpilot
Classification: Applications
Component: kpilotDaemon
Version: unspecified
Platform: Fedora RPMs Linux
: NOR crash
Target Milestone: ---
Assignee: groot
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-03-07 21:40 UTC by David W. Legg
Modified: 2006-05-03 15:45 UTC (History)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Description David W. Legg 2006-03-07 21:40:19 UTC
Version:           4.6.0 (blivit) (using KDE KDE 3.5.1)
Installed from:    Fedora RPMs
Compiler:          gcc-4.1.0-2 
OS:                Linux

When kpilotDaemon is started by hand as a humble user it immediately crashes.
Fedora Core 5 Test 3 on AMD64 x86_64 arch

i.e.
[daddy@arcturus ~]$ kpilotDaemon -v
Qt: 3.3.5
KDE: 3.5.1-2.3 Red Hat
KPilot Daemon: 4.6.0 (blivit)

[daddy@arcturus ~]$ kpilotDaemon
[daddy@arcturus ~]$ *** buffer overflow detected ***: kpilotDaemon terminated
======= Backtrace: =========
/lib64/libc.so.6(__chk_fail+0x2f)[0x3736fded9f]
/lib64/libc.so.6[0x3736fdf3cb]
/usr/lib64/libpisock.so.9[0x373642436e]
/usr/lib64/libpisock.so.9(pi_bind+0x50)[0x3736426310]
/usr/lib64/libkpilot.so.0(_ZN16KPilotDeviceLink4openE7QString+0x36f)[0x3736a1e7ff]
/usr/lib64/libkpilot.so.0(_ZN16KPilotDeviceLink10openDeviceEv+0xb2)[0x3736a1fb32]
/usr/lib64/libkpilot.so.0(_ZN16KPilotDeviceLink9qt_invokeEiP8QUObject+0x9b)[0x3736a1fdeb]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN7QObject15activate_signalEP15QConnectionListP8QUObject+0x149)[0x373aa5d009]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN7QObject15activate_signalEi+0xb0)[0x373aa5d9b0]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN6QTimer5eventEP6QEvent+0x25)[0x373aa80545]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN12QApplication14internalNotifyEP7QObjectP6QEvent+0x85)[0x373a9fc935]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN12QApplication6notifyEP7QObjectP6QEvent+0xa4)[0x373a9fde14]
/usr/lib64/libkdecore.so.4(_ZN12KApplication6notifyEP7QObjectP6QEvent+0x168)[0x373b2e1e78]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN10QEventLoop14activateTimersEv+0x229)[0x373a9f1bb9]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN10QEventLoop13processEventsEj+0x4e1)[0x373a9abb31]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN10QEventLoop9enterLoopEv+0x41)[0x373aa141e1]
/usr/lib64/qt-3.3/lib/libqt-mt.so.3(_ZN10QEventLoop4execEv+0x2a)[0x373aa140ba]
kpilotDaemon[0x415476]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3736f1d084]
kpilotDaemon(_ZN6QFrame10paintEventEP11QPaintEvent+0x41)[0x40f079]
======= Memory map: ========
KCrash: Application 'kpilotDaemon' crashing...
Comment 1 Philip Rodrigues 2006-03-07 22:44:20 UTC
You seem to suggest that starting it as someone other than "a humble user" (ie, root) works. Is that the case? Also, you mention starting it "manually" - does that mean the starting it from the K menu works correctly? What about if you try with a newly-created user?
Comment 2 groot 2006-03-07 23:23:53 UTC
On Tuesday 07 March 2006 21:40, David W.Legg wrote:
> When kpilotDaemon is started by hand as a humble user it immediately
> crashes. Fedora Core 5 Test 3 on AMD64 x86_64 arch

I suspect this is more one for the Fedora bug database than for KDE.

> /usr/lib64/libpisock.so.9[0x373642436e]
> /usr/lib64/libpisock.so.9(pi_bind+0x50)[0x3736426310]
> /usr/lib64/libkpilot.so.0(_ZN16KPilotDeviceLink4openE7QString+0x36f)[0x3736a1e7ff]

Which pilot-link version? That's pretty critical here - FC has a history of Doing The Wrong Thing (tm) with p-l. In any case, I'm in no position to make changes to fix such a problem on an OS I don't have - you really will have to build from source (RPMs).
Comment 3 David W. Legg 2006-03-08 18:29:37 UTC
Reply to Philip:
Perhaps I misled you, Philip.
kpilotDaemon does *not* work as root either.

KpilotDaemon also falls over when it is started from kpilot, i.e. when kpilot was started from the K menu.

I know of no circumstances in which kpilotDaemon works. Hope that's clear now.
Comment 4 David W. Legg 2006-03-08 18:36:38 UTC
Reply to groot:
I have reported this bug in the Fedora bugzilla, but nobody has taken any interest as yet.  I suspect it is a problem provoked by gcc V4.1.  I have read that it has automatic buffer overflow protection, so that would fit with the crash reported above.

How do I find out which pilot-link version, please?
/usr/lib64/libkpilot.so.0 comes from the kdepim-3.5.1-1.2 RPM.
KpilotDaemon is 'KPilot Daemon: 4.6.0 (blivit)'.

I am very happy to build a source RPM if you tell me which one, and any patches, flags etc. needed to make the diagnosis or try out fixes.

Now is the time to nail this one, because FC5 goes live next week.
Cheers.
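To make concrete what the `*** buffer overflow detected ***` message and the `__chk_fail` frame in the backtrace mean, here is an added C example (not pilot-link's or KPilot's code): a hypothetical bind-like routine that copies a device path into a fixed-size field, once in an unchecked form that glibc's fortified `strcpy` aborts on an over-long path, and once in a checked form that rejects the path before any write. The struct, field size, function names and the `--unchecked` flag are all assumptions made for the illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not pilot-link's code: a fixed-size address
 * record of the kind a bind routine fills from a device path (hypothetical
 * field name and size). */
#define DEV_PATH_MAX 32
struct dev_addr { char path[DEV_PATH_MAX]; int family; };

/* Unchecked: strcpy() into a fixed field. Built with -O2 -D_FORTIFY_SOURCE=2,
 * gcc rewrites the strcpy as __strcpy_chk() bounded by the field size, so an
 * over-long path lands in __chk_fail(), which prints "*** buffer overflow
 * detected ***" and aborts (the frames in the backtrace above). Unfortified,
 * the copy silently overruns the struct. Reached only via --unchecked. */
static void fill_addr_unchecked(struct dev_addr *a, const char *path) {
    a->family = 1;
    strcpy(a->path, path);
}

/* Checked: reject an over-long path before touching the buffer, so neither
 * a fortified nor an unfortified build can overrun it. */
int fill_addr_checked(struct dev_addr *a, const char *path) {
    size_t n = strlen(path);
    if (n >= sizeof a->path) {          /* leave room for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    a->family = 1;
    memcpy(a->path, path, n + 1);
    return 0;
}

/* Verdict only: 0 if the path fits, -1 if it was rejected. */
int try_path(const char *path) {
    struct dev_addr a;
    return fill_addr_checked(&a, path);
}

int main(int argc, char **argv) {
    struct dev_addr a;
    const char *path = argc > 2 ? argv[2] : "/dev/pilot";
    if (argc > 1 && strcmp(argv[1], "--unchecked") == 0)
        fill_addr_unchecked(&a, path);  /* aborts under fortify if too long */
    else if (fill_addr_checked(&a, path) != 0)
        perror("device path rejected");
    return 0;
}
```

Build it twice, with and without `-O2 -D_FORTIFY_SOURCE=2`, and run `./a.out --unchecked <long path>`: only the fortified build reports the overflow, which is why the same code can crash on one distribution's toolchain and not another's.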
Comment 5 Rex Dieter 2006-03-08 18:44:30 UTC
FYI, Fedora Core 4/5 (currently) uses pilot-link-0.12.0-0.pre4, which is probably part of the problem (using an unsupported/unofficial prerelease).
Comment 6 David W. Legg 2006-03-08 18:49:32 UTC
Ah, found it. It's pilot-link-0.12.0-0.pre4.5.2.1.
Comment 7 Rex Dieter 2006-03-08 18:52:03 UTC
For completeness, David, can you provide a reference to Fedora's bugzilla entry?
Comment 8 David W. Legg 2006-03-08 19:22:32 UTC
xref to RedHat: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=183266
Comment 9 David W. Legg 2006-05-03 15:30:30 UTC
Now fixed in FC5 updates.
Comment 10 groot 2006-05-03 15:45:48 UTC
Fixed downstream in FC5.