Discussion:
Bug#933067: atop terminates with buffer overflow
Marcus W
2019-07-26 10:50:01 UTC
Package: atop
Version: 2.4.0-3
Severity: important
Tags: upstream

Dear Maintainer,

atop terminates with
"*** buffer overflow detected ***: atop terminated"
on startup.

Let me know what further information you need.

Regards,
Marcus

strace output (system calls leading up to the abort):

read(71, "rchar: 0\nwchar: 0\nsyscr: 0\nsyscw"..., 1024) = 90
read(71, "", 1024) = 0
close(71) = 0
getuid() = 0
setresuid(-1, 0, -1) = 0
chdir("..") = 0
chdir("29742") = 0
openat(AT_FDCWD, "stat", O_RDONLY) = 71
fstat(71, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(71, "29742 (CompositorTileW) S 4758 4"..., 3072) = 292
read(71, "", 3072) = 0
close(71) = 0
openat(AT_FDCWD, "status", O_RDONLY) = 71
fstat(71, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(71, "Name:\tCompositorTileW\nUmask:\t002"..., 1024) = 1024
close(71) = 0
setresuid(-1, 0, -1) = 0
openat(AT_FDCWD, "io", O_RDONLY) = 71
fstat(71, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0
read(71, "rchar: 0\nwchar: 0\nsyscr: 0\nsyscw"..., 1024) = 90
read(71, "", 1024) = 0
close(71) = 0
getuid() = 0
setresuid(-1, 0, -1) = 0
chdir("..") = 0
getdents64(70, /* 0 entries */, 32768) = 0
close(70) = 0
chdir("..") = 0
chdir("..") = 0
getdents64(69, /* 0 entries */, 32768) = 0
brk(0x556c33cc4000) = 0x556c33cc4000
close(69) = 0
chdir("/root") = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=339200, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=339200, ...}) = 0
read(3, "\21\3\1\210\t\0\0\0\0\0\0\0\0\0\0\0\234[\0\0\233[\0\0\224\324:]\0\0\0\0"..., 64) = 64
read(3, "\21\3\1\210\t\0\0\0\0\0\0\0\0\0\0\0\235[\0\0\233[\0\0\224\324:]\0\0\0\0"..., 64) = 64
read(3, "\21\3\1\210\t\0\0\0\0\0\0\0\0\0\0\0\237[\0\0\236[\0\0\224\324:]\0\0\0\0"..., 64) = 64
read(3, "\1\3\0\0\0\0\0\0\0\0\0\0\0\0\0\0\365U\0\0\2\0\0\0X\323:]\0\374\366F"..., 64) = 64
mmap(NULL, 1007616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb9f698d000
brk(0x556c33ce5000) = 0x556c33ce5000
brk(0x556c33d06000) = 0x556c33d06000
brk(0x556c33d27000) = 0x556c33d27000
brk(0x556c33d48000) = 0x556c33d48000
brk(0x556c33d69000) = 0x556c33d69000
brk(0x556c33d8a000) = 0x556c33d8a000
brk(0x556c33dab000) = 0x556c33dab000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
stat("/root/.terminfo", 0x556c33da6fb0) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
stat("/etc/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/lib/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/share/terminfo", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
access("/etc/terminfo/x/xterm-256color", R_OK) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
access("/lib/terminfo/x/xterm-256color", R_OK) = 0
openat(AT_FDCWD, "/lib/terminfo/x/xterm-256color", O_RDONLY) = 69
fstat(69, {st_mode=S_IFREG|0644, st_size=3555, ...}) = 0
read(69, "\36\2%\0&\0\17\0\235\1\2\6xterm-256color|xterm"..., 32768) = 3555
read(69, "", 28672) = 0
close(69) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=115, ws_col=211, ws_xpixel=0, ws_ypixel=0}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=115, ws_col=211, ws_xpixel=0, ws_ypixel=0}) = 0
brk(0x556c33dd1000) = 0x556c33dd1000
brk(0x556c33df2000) = 0x556c33df2000
brk(0x556c33e13000) = 0x556c33e13000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig -icanon echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig -icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
rt_sigaction(SIGTSTP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=0x7fb9f73b66e0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, NULL, 8) = 0
rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x7fb9f73b65f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {sa_handler=0x556c32dfe730, sa_mask=[TERM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, 8) = 0
rt_sigaction(SIGWINCH, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGWINCH, {sa_handler=0x7fb9f73b65e0, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fb9f6e3b840}, NULL, 8) = 0
ioctl(1, TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(1, SNDCTL_TMR_STOP or TCSETSW, {B38400 opost isig -icanon -echo ...}) = 0
ioctl(1, TCGETS, {B38400 opost isig -icanon -echo ...}) = 0
write(1, "\33[?1049h\33[22;0;0t\33[1;115r\33(B\33[m\33"..., 47) = 47
rt_sigaction(SIGINT, {sa_handler=0x556c32dfe730, sa_mask=[INT], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, {sa_handler=0x7fb9f73b65f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x556c32dfe730, sa_mask=[TERM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, {sa_handler=0x556c32dfe730, sa_mask=[TERM], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fb9f6e3b840}, 8) = 0
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 69
fstat(69, {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
fstat(69, {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
read(69, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 2335
lseek(69, -1476, SEEK_CUR) = 859
read(69, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\t\0\0\0\t\0\0\0\0"..., 4096) = 1476
close(69) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
openat(AT_FDCWD, "/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = 69
writev(69, [{iov_base="*** ", iov_len=4}, {iov_base="buffer overflow detected", iov_len=24}, {iov_base=" ***: ", iov_len=6}, {iov_base="atop", iov_len=4}, {iov_base=" terminated\n", iov_len=12}], 5) = 50
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb9f73f9000
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid() = 23454
gettid() = 23454
tgkill(23454, 23454, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=23454, si_uid=0} ---
+++ killed by SIGABRT +++


-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.1.0-18.1-liquorix-amd64 (SMP w/32 CPU cores; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages atop depends on:
ii libc6 2.28-10
ii libncurses6 6.1+20181013-2
ii libtinfo6 6.1+20181013-2
ii lsb-base 10.2019051400
ii zlib1g 1:1.2.11.dfsg-1

Versions of packages atop recommends:
ii cron [cron-daemon] 3.0pl1-134

atop suggests no packages.

-- no debconf information
Marc Haber
2019-07-26 13:30:01 UTC
tags #933067 upstream
forwarded #933067 https://github.com/Atoptool/atop/issues/74
thanks
Post by Marcus W
atop terminates with
"*** buffer overflow detected ***: atop terminated"
on startup.
I have forwarded this upstream.
Post by Marcus W
access("/etc/terminfo/x/xterm-256color", R_OK) = -1 ENOENT (Datei oder Verzeichnis nicht gefunden)
access("/lib/terminfo/x/xterm-256color", R_OK) = 0
This is what I find funny. That file is part of the ncurses-base
package, which is essential. Can you please check whether this package
is present on your system?

Greetings
Marc
Marc Haber
2019-08-03 09:30:02 UTC
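Looking at the strace output, the buffer overflow might be caused by calling the localtime() function from the C library: /etc/localtime is the last file read before the abort message is written. In that case the /etc/localtime file might be corrupted. Note that the "*** buffer overflow detected ***" message is printed by glibc's fortified (_FORTIFY_SOURCE) function checks, which abort the process when a checked call would write past the end of its destination buffer, so the overflow was caught before the write took place.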
See also a similar issue: https://access.redhat.com/solutions/3630021
Can you run 'atop 1 1 | cat' and see if that terminates with the buffer overflow as well?
If it does, the overflow is anyhow not caused by libncurses (not used in this case).
Can you also run ltrace on atop and supply the last 100 lines of the ltrace output?
Mark Welcher
2019-08-12 11:00:02 UTC
Hello Marc,

I can't reproduce this error anymore. The system was left running untouched after this bug appeared: no software was installed, there was no reboot, and not even the local terminal was closed. Now it works just fine under the same conditions as before. As for your suggestion that /etc/localtime might be corrupt: from a filesystem point of view, no fs error was recorded, and I did not make a copy of the file when the error appeared. The system is also running on ECC memory. The integrated management console did not show anything that would point to a RAM issue, and no MCE error was recorded either...

I'm not sure how I can reproduce this error again, or how to proceed further.