Howto resolv addresses in *** buffer overflow detected *** Backtrace after the fact

[Daniel P. Berrange]

On Tue, Dec 11, 2007 at 09:57:57PM +0100, Hans de Goede wrote:
> Hi,
> 
> I just received a bug report with a backtrace generated by glibc attached:
> https://bugzilla.redhat.com/attachment.cgi?id=284591
> 
> Looks like a real bug however the reported desn't know exactly what he did 
> to trigger this, so now I want to convert the backtrace glibc generated 
> into one with filenames and line numbers for the addresses of the xfig 
> stack frames.
> 
> Can anyone tell me how to do this?

The following seems to work....

 # yum --enablerepo=development-debuginfo install xfig-debuginfo

 # gdb /usr/bin/xfig-plain

(gdb) list *0x4a3909
0x4a3909 is in reset_topruler (/usr/include/bits/stdio2.h:34).
29
30      #ifdef __va_arg_pack
31      __extern_always_inline int
32      __NTH (sprintf (char *__restrict __s, __const char *__restrict __fmt, ...))
33      {
34        return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
35                                        __bos (__s), __fmt, __va_arg_pack ());
36      }
37      #elif !defined __cplusplus
38      # define sprintf(str, ...) \


So the code is a sprintf call from the reset_topruler method.

Looking at that method, we can see an likely candidate:

(gdb) list reset_topruler 
1160    /* Note: For reset_top/sideruler to work properly, the value of skip should be
1161     * such that (skip/ruler_unit) is an integer or (ruler_unit/skip) is an integer.
1162     */
1163
1164    void reset_topruler(void)
1165    {
1166        register int    i,k;
1167        register tick_info* tk;
1168        register Pixmap p = topruler_pm;
1169        char            number[6];
(gdb) list +
1170        int             X0,len;
1171        int             tickmod, tickskip;
1172
1173        /* top ruler, adjustments for digits are kludges based on 6x13 char */
1174        XFillRectangle(tool_d, p, tr_erase_gc, 0, 0, TOPRULER_WD, TOPRULER_HT);
1175
1176        /* set the number of pixels to skip between labels and precision for float */
1177        get_skip_prec();
1178
1179        X0 = BACKX(0);
(gdb) list +
1180        X0 -= (X0 % skip);
1181        tickmod = (int) round(ruler_unit/appres.userscale);
1182        if (tickmod == 0)
1183            tickmod = 1;
1184
1185        /* see how big a label is to adjust spacing, if necessary */
1186        sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
1187        len = XTextWidth(roman_font, number, strlen(number));
1188        while (skipx < (len + 5)/zoomscale) {
1189            skip *= 2;


Line 1186 is printing a string into a fixed length buffer with no
checking. A clear buffer overflow candidate there if the combo of
the ruler size & the figure units are longer than 5 characters :-(

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|