Format string overflow in Monitor.c:check_array

StacktraceTop:
 __libc_message (do_abort=2, fmt=0xb76aedde "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
 __GI___fortify_fail (msg=0xb76aed5f "buffer overflow detected") at fortify_fail.c:32
 __GI___chk_fail () at chk_fail.c:29
 _IO_str_chk_overflow (fp=0xbfa3b200, c=49) at vsprintf_chk.c:35
 _IO_default_xsputn (f=0xbfa3b200, data=0xbfa3b143, n=1) at genops.c:485

Status changed to 'Confirmed' because the bug affects multiple users.

From the stack trace the culprit is:

                        char cnt[40];
                        sprintf(cnt, " mismatches found: %d (on raid level %d)",
                                sra->mismatch_cnt, array.level);
                        alert("RebuildFinished", dev, cnt, ainfo);

If mismatch_cnt > 99, then the buffer will overflow. In the crash report, it looks like the submitter had 1536 in mismatch_cnt.

It looks like this has already been fixed in Quantal, which now has:

                       char cnt[80];
                        snprintf(cnt, sizeof(cnt),
                                 " mismatches found: %d (on raid level %d)",
                                sra->mismatch_cnt, array.level);
                        alert("RebuildFinished", dev, cnt, ainfo);

Lucid, Natty and Oneiric use a shorter format string, so I don't think this bug exists there. So Precise is the only version affected.

Marking this as Fix Released as it is fixed in Quantal, and nominating Precise.

Marking as Importance: High. The chances of this happening is fairly low, but if it does then mdadm will crash and administrators will lose RAID monitoring, quite possibly without noticing.

Debdiff attached, which backports the upstream fix. Note that the return value of snprintf isn't being checked, which ideally it should be to code this defensively. But that's what upstream have done, and with 32-bit integers an 80-byte buffer will always be big enough in this case, so I think it is acceptable for Precise.

I have test built this, but have not done any further testing as I don't have suitable hardware available. This is one of those cases where the fix is trivial yet testing is very awkward.

80 bytes may not be enough on a server running in 64-bit mode with a large disk/array, given that the format string is 41 bytes lonmg - including 2 '%d' variables . How many digits could there be in the longest possible number of mis-matches on a system that has a raid partition of maximum supported size?

I understand that it's not perfect, but this is the fix that is upstream and in Quantal. If we wanted to fix the problem differently from upstream, we'd need to also do it in Quantal and carry a delta as a minimum, and ideally forward the patch to upstream as well.

The format string is 39 bytes long, less two '%d's so 35 (excluding the null terminator). It does not appear to be i8n-ised. How did you get 41?

"%d" expects a plain int, which is still 32 bits on amd64 on Precise. And mismatch_cnt is a plain int, so 32 bits too. Or is there an option somewhere that is making ints bigger? And the second %d is just the raid level, which I don't expect to be bigger than two decimal digits anyway.

Even if the %d did expand a 64-bit number, then it'd expand to at most 20 bytes (including the sign). Assuming that the raid level is at most two bytes, the string would be a maximum of 58 bytes including the null terminator, which is less than the 80 now allocated.

Even if both %ds expanded full 64-bit integers (just in case the user happens to be using a RAID level of -9223372036854775808), that'd be 35+40+1=76 which is still under 80.

I'm just following the path of least resistance by doing what upstream has done. We can go beyond that if necessary, by patching Quantal and ideally upstream as well. I don't it is necessary here, but I'd appreciate input from a sponsor on this. If you care, then a new upstream bug and patch would be appropriate.

Dmitrij plans to do a mdadm SRU soon and says that this fix will be included in the upload, unsubscribing sponsors and assigning to him

Hello Steve, or anyone else affected,

Accepted mdadm into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/mdadm/3.2.5-1ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.