aumix crash on setting volume on Ubuntu 8.10

Bug #251062 reported by Alex Ott
Affects: aumix (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Kees Cook

Bug Description

Binary package hint: aumix

If I run aumix with the command line 'aumix -w +5', it crashes with the following message from libc:
*** buffer overflow detected ***: aumix terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7e7d388]
/lib/tls/i686/cmov/libc.so.6[0xb7e7b4b0]
/lib/tls/i686/cmov/libc.so.6[0xb7e7aa95]
aumix[0x8049cbc]
aumix[0x804a4b0]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7d99685]
aumix(Gpm_Wgetch+0x191)[0x8049451]
[1] 8338 abort (core dumped) aumix -w +5

Distribution: Ubuntu 8.10
Result of uname -a: Linux alexott 2.6.24-7-generic #1 SMP Thu Feb 7 01:29:58 UTC 2008 i686 GNU/Linux

Core is attached.

Alex Ott (alexott) wrote :
  • core (316.0 KiB, application/octet-stream)

BotLobsta (kjenks-deactivatedaccount) wrote :

I have the same problem when I try to step the value of a volume by a specified amount on the command line, such as 'aumix -v+10'. However, it does not crash when I just set the value to a certain level, such as 'aumix -v10'. I am running the latest intrepid with the 2.6.27-1-generic amd64 kernel. I won't post my backtrace and memory map because they are pretty much the same (mostly just different addresses) as what has already been reported. However, if they would be useful I can post them.

BotLobsta (kjenks-deactivatedaccount) wrote :

After testing all the other versions of aumix located in the repository, I found this to be a regression that was introduced in 2.8-21, the latest version. All of the other versions (2.8-17 through 2.8-20) can step the volume without crashing.

Kees Cook (kees) wrote :

This is being seen due to the new compiler flags.

Changed in aumix:
assignee: nobody → kees
importance: Undecided → High
milestone: none → ubuntu-8.10-beta
status: New → Confirmed

Kees Cook (kees) wrote :

I have found and fixed this problem.

Changed in aumix:
milestone: ubuntu-8.10-beta → intrepid-alpha-6
status: Confirmed → Fix Committed

Kees Cook (kees) wrote :

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aumix - 2.8-21ubuntu1

---------------
aumix (2.8-21ubuntu1) intrepid; urgency=low

  * patches/30_noninter_strncpy.patch: fix crash seen with FORTIFY
    enabled (debian bug 497865, LP: #251062).

 -- Kees Cook <email address hidden> Thu, 04 Sep 2008 16:45:34 -0700

Changed in aumix:
status: Fix Committed → Fix Released
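
Added example, not part of the bug report and not aumix's code: a portable model of the length check a fortified strncpy applies, showing why a call that "worked" in earlier builds aborts once FORTIFY is enabled. The buffer sizes and the function names copy_flawed and copy_fixed are hypothetical; the contents of 30_noninter_strncpy.patch are not shown on this page.

```c
#include <stdio.h>
#include <string.h>

enum { DST_SIZE = 8, SRC_SIZE = 32 };   /* hypothetical sizes */

/* Model of the fortified check: the copy is refused when the requested
 * length n exceeds the known size of dst, whatever strlen(src) is.
 * Returns 0 on success, -1 where a fortified libc would abort with
 * "*** buffer overflow detected ***". */
static int checked_strncpy(char *dst, size_t dst_size,
                           const char *src, size_t n)
{
    if (n > dst_size)
        return -1;
    strncpy(dst, src, n);
    return 0;
}

/* Flawed pattern: the bound is the size of the source buffer. strncpy
 * always writes exactly n bytes (zero padding included), so even a
 * two-character argument would write 32 bytes into an 8-byte buffer. */
int copy_flawed(const char *arg, char out[DST_SIZE])
{
    return checked_strncpy(out, DST_SIZE, arg, SRC_SIZE);
}

/* Corrected pattern: bound by the destination, then terminate, since
 * strncpy leaves no NUL when src has n or more characters. */
int copy_fixed(const char *arg, char out[DST_SIZE])
{
    if (checked_strncpy(out, DST_SIZE, arg, DST_SIZE - 1) != 0)
        return -1;
    out[DST_SIZE - 1] = '\0';
    return 0;
}

int main(void)
{
    char buf[DST_SIZE] = "";
    printf("flawed: %d\n", copy_flawed("+5", buf));
    printf("fixed:  %d (%s)\n", copy_fixed("+5", buf), buf);
    return 0;
}
```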