lspci crashed with SIGSEGV in pci_load_name_list() (with invalid parameter to -i)

Bug #690431 reported by Alejandro R. Mosteo
This bug affects 4 people
Affects            Status        Importance  Assigned to  Milestone
pciutils (Ubuntu)  Fix Released  Medium      Unassigned
Trusty             Fix Released  Medium      Unassigned

Bug Description

lspci crashes when receiving improper arguments.

Steps to reproduce:

$ sudo -s
# uname -a
Linux tacitus 2.6.35-23-generic #41-Ubuntu SMP Wed Nov 24 10:18:49 UTC 2010 i686 GNU/Linux
# lspci -vvii
Segmentation fault
# gdb --args lspci -vvii
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/lspci...(no debugging symbols found)...done.
(gdb) run
Starting program: /usr/bin/lspci -vvii

Program received signal SIGSEGV, Segmentation fault.
0x00252f34 in ?? () from /lib/libc.so.6
(gdb) bt
#0 0x00252f34 in ?? () from /lib/libc.so.6
#1 0x00133de4 in pci_load_name_list () from /usr/lib/libpci.so.3
#2 0x00132d4a in pci_lookup_name () from /usr/lib/libpci.so.3
#3 0x08049fca in ?? ()
#4 0x0804a4ae in ?? ()
#5 0x0804bca0 in ?? ()
#6 0x00151ce7 in __libc_start_main () from /lib/libc.so.6
#7 0x08048f51 in ?? ()
(gdb) quit

Tags: maverick
Alejandro R. Mosteo (mosteo) wrote :

I installed package libc6-dbg and the backtrace gives this additional information:

Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1279
1279 ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S: No such file or directory.
 in ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S
(gdb) bt
#0 __memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1279
#1 0x00133de4 in pci_load_name_list () from /usr/lib/libpci.so.3
#2 0x00132d4a in pci_lookup_name () from /usr/lib/libpci.so.3
#3 0x08049fca in ?? ()
#4 0x0804a4ae in ?? ()
#5 0x0804bca0 in ?? ()
#6 0x00151ce7 in __libc_start_main (main=0x804b960, argc=2, ubp_av=0xbffff664, init=0x80530d0, fini=0x80530c0, rtld_fini=0x11eac0 <_dl_fini>,
    stack_end=0xbffff65c) at libc-start.c:226
#7 0x08048f51 in ?? ()

affects: ubuntu → gdb (Ubuntu)
tags: added: maverick
Rajeev (rajeeja) wrote :

The same error from a different program. It comes from /user/include/c++/4.4/bits/vector.tcc:330

Basically, the libstdc++.so.6 object has issues.

"
Program received signal SIGSEGV, Segmentation fault.
__memcpy_ssse3_rep () at ../sysdeps/i386/i686/multiarch/memcpy-ssse3-rep.S:1279
"

Colin Watson (cjwatson)
affects: gdb (Ubuntu) → pciutils (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pciutils (Ubuntu):
status: New → Confirmed
Dave Gilbert (ubuntu-treblig) wrote :

Still happens on Raring in pciutils 1:3.1.9-6ubuntu1

The problem here is that the argument 'i' is supposed to take a filename; and in this case it's the second i that's being taken as the filename.

names-parse.c has a broken check for the filename; it's expecting it to end in .gz which it strips off; however since this string is less than 3 chars it gets rather confused.

Changed in pciutils (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
summary: - Segmentation fault in lspci
+ Segmentation fault in lspci with invalid parameter to -i
gad man (gadman)
summary: - Segmentation fault in lspci with invalid parameter to -i
+ Ispci crashed with SIGSEGV in pci_load_name_list()
summary: - Ispci crashed with SIGSEGV in pci_load_name_list()
+ Ispci crashed with SIGSEGV in pci_load_name_list() (with invalid
+ parameter to -i)
Dave Gilbert (ubuntu-treblig) wrote :

Confirmed this still happens on debian and upstream's pciutils-3.1.10; I can see a trivial fix to lib/names-parse.c:

  if (len >= 3 && memcmp(a->id_file_name + len - 3, ".gz", 3) != 0)
    return result;

to become
  if (len <3 || memcmp(a->id_file_name + len - 3, ".gz", 3) != 0)
    return result;

but I've mailed the upstream author to clarify why that function is as complex as it is.

Dave
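The two conditions quoted in the comment above, run side by side on short and long file names; this is an added example, not part of the original report and not the pciutils source. The function names, the sample file names, and the shape of the copy step that follows the check (stripping the last three bytes) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-fix test from the report. For len < 3 the left operand is false, so the
 * caller does NOT give up and carries on to strip a suffix that is not there. */
static int gives_up_before_fix(const char *name)
{
  size_t len = strlen(name);
  return len >= 3 && memcmp(name + len - 3, ".gz", 3) != 0;
}

/* Post-fix test. Short names are rejected first; the short-circuit also keeps
 * memcmp from reading before the start of the buffer. */
static int gives_up_after_fix(const char *name)
{
  size_t len = strlen(name);
  return len < 3 || memcmp(name + len - 3, ".gz", 3) != 0;
}

/* Byte count a "copy everything but the suffix" step would use (assumed shape
 * of the follow-on code). size_t is unsigned, so len < 3 wraps near SIZE_MAX. */
static size_t stripped_copy_len(size_t len) { return len - 3; }

/* Hypothetical helper: malloc'd copy of name without ".gz", or NULL. */
static char *strip_gz(const char *name)
{
  size_t len = strlen(name);
  char *out;
  if (gives_up_after_fix(name) || !(out = malloc(len - 2)))
    return NULL;
  memcpy(out, name, len - 3);   /* len >= 3 is guaranteed here */
  out[len - 3] = '\0';
  return out;
}

int main(void)
{
  const char *samples[] = { "i", "gz", ".gz", "pci.ids", "pci.ids.gz" }; /* constructed */
  for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
    char *s = strip_gz(samples[i]);
    printf("%-10s before=%d after=%d copy_len=%zu stripped=%s\n", samples[i],
           gives_up_before_fix(samples[i]), gives_up_after_fix(samples[i]),
           stripped_copy_len(strlen(samples[i])), s ? s : "(none)");
    free(s);
  }
  return 0;
}
```

For the one-character name from `lspci -vvii`, the pre-fix test returns 0 and the wrapped length is what a subsequent copy would be asked to move, which is consistent with the fault inside memcpy in the backtrace.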

summary: - Ispci crashed with SIGSEGV in pci_load_name_list() (with invalid
+ lspci crashed with SIGSEGV in pci_load_name_list() (with invalid
parameter to -i)
Dave Gilbert (ubuntu-treblig) wrote :

It looks like upstream has taken my patch (as their bbd5d5633abfb070ed40b8452808029cc775f02a) and it should be in 3.2.0 whenever that happens.

Dave Gilbert (ubuntu-treblig) wrote :

3.2.1-1 is in Jessie, so if we synced that we should fix this bug.

Tim Gardner (timg-tpi) wrote :

Uploaded pciutils (1:3.2.1-1ubuntu1)

Changed in pciutils (Ubuntu Trusty):
status: Triaged → Fix Released
Dave Gilbert (ubuntu-treblig) wrote :

Thanks Tim; seems to work.
