intel_bios_reader Segmentation fault

Bug #783716 reported by Emanuel Bronshtein
Affects: xf86-video-intel (status Fix Released, importance Low); intel-gpu-tools (Ubuntu) (status Fix Released, importance Medium, assigned to Bryce Harrington)

Bug Description

Binary package hint: intel-gpu-tools

/usr/bin/intel_bios_reader crashes when given the intel_bios_reader binary itself as a parameter.

test case :
emanuel@emanuel-desktop:/tmp$ md5sum /usr/bin/intel_bios_reader
7277594a2b9588909844115afd36e5ee /usr/bin/intel_bios_reader
emanuel@emanuel-desktop:/tmp$ intel_bios_reader /usr/bin/intel_bios_reader
VBT vers: 295.45
Segmentation fault

under GDB :
Program received signal SIGSEGV, Segmentation fault.
*__GI_strncpy (s1=0xbffff3ea "\377\277)\241\004\b$#*",
    s2=0xd8540589 <Address 0xd8540589 out of bounds>, n=16) at strncpy.c:42
42 strncpy.c: No such file or directory.
 in strncpy.c

the call to strncpy :
 strncpy(signature, (char *)bdb->signature, 16);

after compiling from source code and running under GDB :
(gdb) p bdb->signature
Cannot access memory at address 0xd8540589

Tags: precise
Bryce Harrington (bryce)
Changed in intel-gpu-tools (Ubuntu):
status: New → Triaged
status: Triaged → Confirmed
importance: Undecided → Medium
assignee: nobody → Bryce Harrington (bryce)
tags: added: precise
Bryce Harrington (bryce) wrote :

(gdb) run ./tools/intel_bios_reader
Starting program: /home/bryce/src/intel-gpu-tools-1.1/tools/intel_bios_reader ./tools/intel_bios_reader
VBT vers: 295.45

Program received signal SIGSEGV, Segmentation fault.
0x001ab21c in strncpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt full
#0 0x001ab21c in strncpy () from /lib/i386-linux-gnu/libc.so.6
No symbol table info available.
#1 0x0804ab16 in main (argc=2, argv=0xbffff274) at intel_bios_reader.c:903
        fd = 7
        vbt = 0xb7ff6f84
        vbt_off = 16260
        bdb_off = 1981846470
        i = 16260
        filename = 0xbffff40d "./tools/intel_bios_reader"
        finfo = {st_dev = 2049, __pad1 = 0, st_ino = 5382091, st_mode = 33277, st_nlink = 1,
          st_uid = 1000, st_gid = 1000, st_rdev = 0, __pad2 = 0, st_size = 41780, st_blksize = 4096,
          st_blocks = 88, st_atim = {tv_sec = 1327433593, tv_nsec = 136981917}, st_mtim = {
            tv_sec = 1327426685, tv_nsec = 802744723}, st_ctim = {tv_sec = 1327426685,
            tv_nsec = 802744723}, __unused4 = 0, __unused5 = 0}
        block = 0x0
        signature = "\000$\303*\000\364\277*\000U<\026\000i\254\004\b"
        devid_string = 0x0

In , Bryce Harrington (bryce) wrote :

Forwarding this bug report from Launchpad reporter Emanuel Bronshtein:
https://bugs.launchpad.net/ubuntu/+source/intel-gpu-tools/+bug/783716

(This is kind of a corner case and perhaps not worth fixing, but someone apparently ran into it, so forwarding it here for consideration.)

[Problem]
/usr/bin/intel_bios_reader crashes when given the intel_bios_reader binary itself as a parameter.

[test case]
emanuel@emanuel-desktop:/tmp$ md5sum /usr/bin/intel_bios_reader
7277594a2b9588909844115afd36e5ee /usr/bin/intel_bios_reader
emanuel@emanuel-desktop:/tmp$ intel_bios_reader /usr/bin/intel_bios_reader
VBT vers: 295.45
Segmentation fault

under GDB :
Program received signal SIGSEGV, Segmentation fault.
*__GI_strncpy (s1=0xbffff3ea "\377\277)\241\004\b$#*",
    s2=0xd8540589 <Address 0xd8540589 out of bounds>, n=16) at strncpy.c:42
42 strncpy.c: No such file or directory.
 in strncpy.c

the call to strncpy :
 strncpy(signature, (char *)bdb->signature, 16);

after compiling from source code and running under GDB :
(gdb) p bdb->signature
Cannot access memory at address 0xd8540589

Still affects current git head.
(gdb) run ./tools/intel_bios_reader
Starting program: /home/bryce/src/intel-gpu-tools-1.1/tools/intel_bios_reader ./tools/intel_bios_reader
VBT vers: 295.45

Program received signal SIGSEGV, Segmentation fault.
0x001ab21c in strncpy () from /lib/i386-linux-gnu/libc.so.6
(gdb) bt full
#0 0x001ab21c in strncpy () from /lib/i386-linux-gnu/libc.so.6
No symbol table info available.
#1 0x0804ab16 in main (argc=2, argv=0xbffff274) at intel_bios_reader.c:903
        fd = 7
        vbt = 0xb7ff6f84
        vbt_off = 16260
        bdb_off = 1981846470
        i = 16260
        filename = 0xbffff40d "./tools/intel_bios_reader"
        finfo = {st_dev = 2049, __pad1 = 0, st_ino = 5382091, st_mode = 33277, st_nlink = 1,
          st_uid = 1000, st_gid = 1000, st_rdev = 0, __pad2 = 0, st_size = 41780, st_blksize = 4096,
          st_blocks = 88, st_atim = {tv_sec = 1327433593, tv_nsec = 136981917}, st_mtim = {
            tv_sec = 1327426685, tv_nsec = 802744723}, st_ctim = {tv_sec = 1327426685,
            tv_nsec = 802744723}, __unused4 = 0, __unused5 = 0}
        block = 0x0
        signature = "\000$\303*\000\364\277*\000U<\026\000i\254\004\b"
        devid_string = 0x0

The code has a check to look for a VBT signature; presumably the intel_bios_reader executable has this signature included in it?

Changed in xserver-xorg-video-intel:
importance: Unknown → Low
status: Unknown → Confirmed
In , Chris Wilson (ickle) wrote :

commit 1ffe6b0ee8decc02edb48ab197a869e1d7783a2b
Author: Chris Wilson <email address hidden>
Date: Wed Jan 25 10:11:49 2012 +0000

    intel_bios_reader: Sanitize input to ensure all data blocks are within bound

    Running intel_bios_reader upon itself causes the reader to crash and
    burn. It obviously finds a VBT signature inside the binary, but then
    does not rigorously check that all data blocks are valid before
    dereferencing them.

    Reported-by: Emanuel Bronshtein
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=45205
    Signed-off-by: Chris Wilson <email address hidden>

Changed in xserver-xorg-video-intel:
status: Confirmed → Fix Released
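The crash above is a classic untrusted-offset bug: the reader finds "$VBT" in an arbitrary file (here its own ELF binary), trusts the 32-bit bdb_offset that follows it (bdb_off = 1981846470 in the backtrace) and dereferences vbt + bdb_off, which is nowhere near the mmap'd file. The following is an added example, not intel-gpu-tools code and not Chris Wilson's fix, showing the kind of validation the commit message describes: every offset and size from the image is checked against the mapped length before it is used, including each data block inside the BDB. The vbt_header/bdb_header layouts follow intel_bios.h; the two test images are constructed here, and reading fields with memcpy assumes a little-endian host, as the reader itself does.

```c
/* Added example (not intel-gpu-tools code): bounds-checked VBT -> BDB -> block
 * walk over an arbitrary byte buffer. Struct layouts as in intel_bios.h. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct vbt_header {
    char     signature[20];   /* starts with "$VBT" */
    uint16_t version, header_size, vbt_size;
    uint8_t  vbt_checksum, reserved0;
    uint32_t bdb_offset;      /* from start of vbt_header: untrusted */
    uint32_t aim_offset[4];
} __attribute__((packed));

struct bdb_header {
    char     signature[16];   /* "BIOS_DATA_BLOCK " */
    uint16_t version, header_size, bdb_size;
} __attribute__((packed));

enum vbt_status { VBT_OK, VBT_NOT_FOUND, VBT_TRUNCATED,
                  VBT_BDB_OUT_OF_BOUNDS, VBT_BDB_BAD_SIGNATURE,
                  VBT_BLOCK_OUT_OF_BOUNDS };

/* The reader's own heuristic: first "$VBT" anywhere in the image. */
static long find_vbt(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "$VBT", 4) == 0)
            return (long)i;
    return -1;
}

/* Validate the VBT/BDB chain; on VBT_OK *bdb_out is the BDB header offset. */
enum vbt_status locate_bdb(const uint8_t *buf, size_t len, size_t *bdb_out)
{
    long v = find_vbt(buf, len);
    if (v < 0)
        return VBT_NOT_FOUND;
    size_t vbt_off = (size_t)v;
    if (len - vbt_off < sizeof(struct vbt_header))
        return VBT_TRUNCATED;
    struct vbt_header vbt;
    memcpy(&vbt, buf + vbt_off, sizeof vbt);   /* no unaligned deref */

    /* bdb_offset is garbage-controlled; test with subtraction so nothing wraps. */
    if (vbt.bdb_offset > len - vbt_off ||
        len - vbt_off - vbt.bdb_offset < sizeof(struct bdb_header))
        return VBT_BDB_OUT_OF_BOUNDS;
    size_t bdb_off = vbt_off + vbt.bdb_offset;
    struct bdb_header bdb;
    memcpy(&bdb, buf + bdb_off, sizeof bdb);
    if (memcmp(bdb.signature, "BIOS_DATA_BLOCK", 15) != 0)
        return VBT_BDB_BAD_SIGNATURE;
    if (bdb.bdb_size < sizeof bdb || bdb.bdb_size > len - bdb_off ||
        bdb.header_size < sizeof bdb || bdb.header_size > bdb.bdb_size)
        return VBT_BDB_OUT_OF_BOUNDS;

    /* Data blocks: 1-byte id, 2-byte size, payload; each must fit in bdb_size. */
    size_t idx = bdb.header_size, end = bdb.bdb_size;
    while (idx < end) {
        uint16_t bsize;
        if (end - idx < 3)
            return VBT_BLOCK_OUT_OF_BOUNDS;
        memcpy(&bsize, buf + bdb_off + idx + 1, 2);
        idx += 3;
        if (bsize > end - idx)
            return VBT_BLOCK_OUT_OF_BOUNDS;
        idx += bsize;
    }
    *bdb_out = bdb_off;
    return VBT_OK;
}

/* Constructed, well-formed image: junk, VBT header, BDB header, one block. */
size_t build_valid_image(uint8_t *buf, size_t cap)
{
    struct vbt_header vbt = {0};
    struct bdb_header bdb = {0};
    uint8_t block[7] = { 1 };                  /* id 1, size 4, payload */
    uint16_t bsz = 4;
    size_t p = 64;
    memset(buf, 0, cap);
    memcpy(block + 1, &bsz, 2);
    memcpy(block + 3, "\xde\xad\xbe\xef", 4);
    memcpy(vbt.signature, "$VBT TEST", 9);
    vbt.header_size = sizeof vbt;
    vbt.bdb_offset = sizeof vbt;              /* BDB directly after the header */
    memcpy(bdb.signature, "BIOS_DATA_BLOCK ", 16);
    bdb.header_size = sizeof bdb;
    bdb.bdb_size = sizeof bdb + sizeof block;
    vbt.vbt_size = sizeof vbt + bdb.bdb_size;
    memcpy(buf + p, &vbt, sizeof vbt);   p += sizeof vbt;
    memcpy(buf + p, &bdb, sizeof bdb);   p += sizeof bdb;
    memcpy(buf + p, block, sizeof block); p += sizeof block;
    return p;
}

/* Constructed image mimicking the bug: "$VBT" inside a file that is not a
 * BIOS image, so bdb_offset is arbitrary (0xffffffff here). */
size_t build_bogus_image(uint8_t *buf, size_t cap)
{
    memset(buf, 0xff, cap);
    memcpy(buf + 100, "$VBT", 4);
    return cap;
}

enum vbt_status status_of_valid_image(size_t *bdb_off)
{
    uint8_t img[512];
    return locate_bdb(img, build_valid_image(img, sizeof img), bdb_off);
}

enum vbt_status status_of_bogus_image(void)
{
    uint8_t img[512];
    size_t off;
    return locate_bdb(img, build_bogus_image(img, sizeof img), &off);
}

int main(void)
{
    size_t off;
    printf("valid image: status %d, bdb at %zu\n", status_of_valid_image(&off), off);
    printf("bogus image: status %d (expected %d)\n", status_of_bogus_image(),
           VBT_BDB_OUT_OF_BOUNDS);
    return 0;
}
```

The point of the subtraction form (`bdb_offset > len - vbt_off`) is that an addition such as `vbt_off + bdb_offset <= len` can wrap on a 32-bit build and pass, which is exactly the configuration in the backtrace above.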
Bryce Harrington (bryce) wrote :

The upstream fix for this bug is included in intel-gpu-tools 1.2, which is being packaged in Debian and will be sync'd or merged into Ubuntu when it's ready to go. We can close out this bug report at that time.

Changed in intel-gpu-tools (Ubuntu):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package intel-gpu-tools - 1.2-1~pre0ubuntu1

---------------
intel-gpu-tools (1.2-1~pre0ubuntu1) precise; urgency=low

  * Merge proposed package from Tormod Volden for upstream release 1.2.
    + intel_bios_reader: Sanitize input to ensure all data blocks
      are within bound.
      (LP: #783716)
  * Drop ubuntu changes (taken upstream)
 -- Bryce Harrington <email address hidden> Tue, 06 Mar 2012 15:18:21 -0800

Changed in intel-gpu-tools (Ubuntu):
status: In Progress → Fix Released