Bug 42725 - Integer overflow when checking free space
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Listener (univention-directory-listener)
Version: UCS 4.1
Hardware: i386 Linux
Importance: P3 normal
Target Milestone: UCS 4.1-3-errata
Assigned To: Philipp Hahn
QA Contact: Felix Botner
Depends on: 41842 42573
Blocks:
Reported: 2016-10-21 10:59 CEST by Philipp Hahn
Modified: 2016-10-21 14:28 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.400
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+


Description Philipp Hahn univentionstaff 2016-10-21 10:59:05 CEST
We calculate the free space in bytes, which overflows sizeof(int)=32 on i386
+++ This bug was initially created as a clone of Bug #42573 +++
Comment 1 Philipp Hahn univentionstaff 2016-10-21 12:41:15 CEST
The bug happens when the free space is in a certain range:
 printf "%'08x\n" $(($(stat -f -c %a*%S /var/lib/univention-directory-listener)))
 # 180.000.000
   ^^
   |+- if bit31 is set, the right-shift creates a negative value
   +-- bits32+ are stripped because of the cast to (long)

/etc/init.d/univention-directory-listener stop
cd /var/lib/univention-directory-listener
mount -t tmpfs -o size=7G xxx /var/lib/univention-directory-listener
printf '%x\n' $(stat -f -c %a /var/lib/univention-directory-listener)
cp -pr * /var/lib/univention-directory-listener/
/etc/runit/univention-directory-listener/run
umount $PWD
/etc/init.d/univention-directory-listener start

r73434 | Bug #42725 listener: Fix integer overflow
r73435 | Bug #42725 listener: Fix integer overflow

Package: univention-directory-listener
Version: 10.0.0-20.338.201610211230
Branch: ucs_4.1-0
Scope: errata4.1-3

r73436 | Bug #42725 listener: Fix integer overflow YAML
 univention-directory-listener.yaml
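
Added example (not part of the original report and not the listener's own code): the arithmetic described in Comment 1, with the i386 32-bit long emulated by int32_t so the effect is visible on any host. The function names, the 4 KiB block size, the sample block counts and the MIN_FREE_MIB threshold are assumptions made for illustration; the wide variant is one possible way to avoid the truncation, not necessarily the change made in r73434.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_FREE_MIB 10 /* hypothetical threshold, not taken from the listener */

/* Emulates the i386 behaviour: the byte count is squeezed into a 32-bit long. */
static int32_t free_mib_truncated(uint64_t bavail, uint64_t frsize)
{
	uint32_t low = (uint32_t)(bavail * frsize); /* bits 32+ are stripped */
	int32_t bytes = (int32_t)low;               /* bit 31 becomes the sign bit */
	return bytes >> 20;                         /* arithmetic shift keeps the sign (gcc/clang) */
}

/* Keeps the product in 64 bits before scaling it to MiB. */
static uint64_t free_mib_wide(uint64_t bavail, uint64_t frsize)
{
	return (bavail * frsize) >> 20;
}

static int enough_truncated(uint64_t bavail, uint64_t frsize)
{
	return free_mib_truncated(bavail, frsize) >= MIN_FREE_MIB;
}

static int enough_wide(uint64_t bavail, uint64_t frsize)
{
	return free_mib_wide(bavail, frsize) >= MIN_FREE_MIB;
}

int main(void)
{
	/* Constructed free-block counts at 4 KiB per block:
	 * 1 GiB, 4 GiB + 5 MiB, and 6 GiB (0x180000000 bytes, as in Comment 1). */
	static const uint64_t blocks[] = { 0x40000, 0x100500, 0x180000 };
	const uint64_t frsize = 4096;

	for (size_t i = 0; i < sizeof(blocks) / sizeof(blocks[0]); i++)
		printf("bytes=0x%09" PRIx64 " truncated=%" PRId32 " MiB (ok=%d)"
		       " wide=%" PRIu64 " MiB (ok=%d)\n",
		       blocks[i] * frsize,
		       free_mib_truncated(blocks[i], frsize),
		       enough_truncated(blocks[i], frsize),
		       free_mib_wide(blocks[i], frsize),
		       enough_wide(blocks[i], frsize));
	return 0;
}
```

With 6 GiB free the truncated calculation reports a negative amount, and with 4 GiB + 5 MiB free it reports only 5 MiB, so a free-space check fails in both cases although the disk is nearly empty.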
Comment 2 Felix Botner univentionstaff 2016-10-21 14:03:01 CEST
OK - reproduced on 32bit, fixed with 10.0.0-20.338.201610211230
OK - yaml
OK - merged to 4.2
Comment 3 Janek Walkenhorst univentionstaff 2016-10-21 14:28:43 CEST
<http://errata.software-univention.de/ucs/4.1/313.html>