FS#34788 - alsactl terminates with buffer overflow >= 1.0.27

Attached to Project: Arch Linux
Opened by Peter Weber (hoschi) - Monday, 15 April 2013, 08:10 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 15 April 2013, 13:25 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 14
Private No

Details

Description:
alsactl terminates during bootup with a buffer overflow, since I have installed the current version (1.0.27)


It is possible to set alsa active again and sound works after this, but during next reboot alsactl terminates again.
I've set this bug to "high", because a major feature is broken. I hope this severity level is okay.

Hardware:

00:00.0 Host bridge: Intel Corporation Core Processor DRAM Controller (rev 02)
00:02.0 VGA compatible controller: Intel Corporation Core Processor Integrated Graphics Controller (rev 02)
00:16.0 Communication controller: Intel Corporation 5 Series/3400 Series Chipset HECI Controller (rev 06)
00:19.0 Ethernet controller: Intel Corporation 82578DM Gigabit Network Connection (rev 06)
00:1a.0 USB controller: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller (rev 06)
00:1b.0 Audio device: Intel Corporation 5 Series/3400 Series Chipset High Definition Audio (rev 06)
00:1d.0 USB controller: Intel Corporation 5 Series/3400 Series Chipset USB2 Enhanced Host Controller (rev 06)
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a6)
00:1f.0 ISA bridge: Intel Corporation 5 Series Chipset LPC Interface Controller (rev 06)
00:1f.2 SATA controller: Intel Corporation 5 Series/3400 Series Chipset 6 port SATA AHCI Controller (rev 06)
00:1f.3 SMBus: Intel Corporation 5 Series/3400 Series Chipset SMBus Controller (rev 06)
ff:00.0 Host bridge: Intel Corporation Core Processor QuickPath Architecture Generic Non-core Registers (rev 02)
ff:00.1 Host bridge: Intel Corporation Core Processor QuickPath Architecture System Address Decoder (rev 02)
ff:02.0 Host bridge: Intel Corporation Core Processor QPI Link 0 (rev 02)
ff:02.1 Host bridge: Intel Corporation Core Processor QPI Physical 0 (rev 02)
ff:02.2 Host bridge: Intel Corporation Core Processor Reserved (rev 02)
ff:02.3 Host bridge: Intel Corporation Core Processor Reserved (rev 02)
I'm not using any special config files or parameters.


Additional info:
* package version(s): 1.0.27-1
* log output of journalctl attached:

Important lines:
Apr 15 09:50:51 ws-lnx-pew systemd[1]: [/usr/lib/systemd/system/alsa-restore.service:15] Failed to parse service type, ignoring: oneshop
...
Apr 15 09:50:55 ws-lnx-pew systemd-udevd[164]: '/usr/sbin/alsactl restore ' [182] terminated by signal 6 (Aborted)
Apr 15 09:50:55 ws-lnx-pew systemd-coredump[205]: Process 182 (alsactl) dumped core.
...
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: *** buffer overflow detected ***: /usr/sbin/alsactl terminated
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: ======= Backtrace: =========
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__fortify_fail+0x37)[0x7f7c955f6e77]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(+0xf9080)[0x7f7c955f5080]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(+0xf85a9)[0x7f7c955f45a9]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(_IO_default_xsputn+0x89)[0x7f7c95572189]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(_IO_vfprintf+0x516)[0x7f7c955427c6]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__vsprintf_chk+0x88)[0x7f7c955f4638]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__sprintf_chk+0x7d)[0x7f7c955f458d]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/sbin/alsactl[0x40aa64]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/sbin/alsactl[0x40a4ea]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/sbin/alsactl[0x405c06]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__libc_start_main+0xf5)[0x7f7c9551da15]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/sbin/alsactl[0x405ded]


Steps to reproduce:
1. upgrade to current versions
2. reboot system

Closed by  Tobias Powalowski (tpowa)
Monday, 15 April 2013, 13:25 GMT
Reason for closing:  Fixed
Additional comments about closing:  1.0.27-3
Comment by Nick Revin (koshak) - Monday, 15 April 2013, 08:25 GMT
confirm.
First thing to fix is /usr/lib/systemd/system/alsa-restore.service:15
Must be:
[Service]
Type=oneshot
Comment by Peter Weber (hoschi) - Monday, 15 April 2013, 09:07 GMT
You're right! This fixed the first message:
[/usr/lib/systemd/system/alsa-restore.service:15] Failed to parse service type, ignoring: oneshop
The general problem remains.

Question:
Did this package ever hit [testing]? Looks, for me, like a direct push to [stable].
I think major upgrades (especially of major packages) should go through [testing].
Comment by Peter Weber (hoschi) - Monday, 15 April 2013, 09:22 GMT
https://bugzilla.redhat.com/show_bug.cgi?id=951750 // upcoming fedora 19, upstream issue?
Comment by Nick Revin (koshak) - Monday, 15 April 2013, 09:37 GMT
yeah, seems the same problem hit fedora...
Comment by Peter Weber (hoschi) - Monday, 15 April 2013, 09:45 GMT
I want to report that issue upstream, but I can't reach: https://bugtrack.alsa-project.org/alsa-bug/

You?
Comment by Nick Revin (koshak) - Monday, 15 April 2013, 09:46 GMT
Neither do I :(
Comment by Antonio (kokoko3k) - Monday, 15 April 2013, 10:02 GMT
I've been trying to reach that address for months...
Comment by Peter Weber (hoschi) - Monday, 15 April 2013, 11:14 GMT
Okay. Now we know why the bug exists:
no bug tracker => no bug reports => no bugs are fixed
:-)

Seriously: What are our options? Downgrade? Patch?
Comment by Oleg Nagornij (corner) - Monday, 15 April 2013, 12:08 GMT
arch|~# /usr/sbin/alsactl restore
*** buffer overflow detected ***: /usr/sbin/alsactl terminated
======= Backtrace: =========
/usr/lib/libc.so.6(__fortify_fail+0x45)[0xb74d1405]
/usr/lib/libc.so.6(+0xff3fa)[0xb74cf3fa]
/usr/lib/libc.so.6(+0xfeb68)[0xb74ceb68]
/usr/lib/libc.so.6(_IO_default_xsputn+0x8e)[0xb74410fe]
/usr/lib/libc.so.6(_IO_vfprintf+0x5ba)[0xb741387a]
/usr/lib/libc.so.6(__vsprintf_chk+0xb4)[0xb74cec24]
/usr/lib/libc.so.6(__sprintf_chk+0x2f)[0xb74ceb4f]
/usr/sbin/alsactl[0x8051941]
/usr/sbin/alsactl[0x805134e]
/usr/sbin/alsactl[0x804c522]
/usr/lib/libc.so.6(__libc_start_main+0xf3)[0xb73e97c3]
/usr/sbin/alsactl[0x804c765]
Aborted (core dumped)
Comment by AndrzejL (AndrzejL) - Monday, 15 April 2013, 12:40 GMT
Confirming on 3 i686 machines here.. Unfortunately I have started another task https://bugs.archlinux.org/task/34792 (I did search - search phrases must have missed this thread).

Regards.

Andrzej
Comment by Tobias Powalowski (tpowa) - Monday, 15 April 2013, 13:03 GMT
Please confirm working in 1.0.27-3.
Comment by Mariusz Libera (mar04) - Monday, 15 April 2013, 13:24 GMT
1.0.27-3 works for me, no buffer overflow, sound level correctly restored after reboot.
Comment by arch user (archuser474747) - Monday, 15 April 2013, 13:24 GMT
fixed for me in 1.0.27-3

thanks mate!
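
A triage sketch for the journal output quoted in this report, added here as an example and not part of the original thread or of alsa-utils: it groups each glibc `*** ... detected ***` abort by process, names the fortified call nearest the application (`__sprintf_chk` in this report) and collects the return addresses inside the crashing binary. The function name `triage` and the record fields are assumptions of the example; the sample lines are abridged from the report.

```python
import re

# Journal lines abridged from the report above (constructed sample input).
SAMPLE = """\
Apr 15 09:50:55 ws-lnx-pew systemd-coredump[205]: Process 182 (alsactl) dumped core.
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: *** buffer overflow detected ***: /usr/sbin/alsactl terminated
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: ======= Backtrace: =========
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__fortify_fail+0x37)[0x7f7c955f6e77]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(+0xf9080)[0x7f7c955f5080]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__vsprintf_chk+0x88)[0x7f7c955f4638]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/lib/libc.so.6(__sprintf_chk+0x7d)[0x7f7c955f458d]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/sbin/alsactl[0x40aa64]
Apr 15 09:51:01 ws-lnx-pew alsactl[231]: /usr/sbin/alsactl[0x40a4ea]
"""

# syslog-style prefix: "Mon DD HH:MM:SS host proc[pid]: message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# glibc abort banner, e.g. "*** buffer overflow detected ***: /path terminated"
ABORT = re.compile(r"^\*\*\* (?P<kind>.+?) detected \*\*\*: (?P<exe>\S+) terminated")
# backtrace frame: "object(symbol+0xoff)[0xaddr]" or "object[0xaddr]"
FRAME = re.compile(r"^(?P<obj>/\S+?)(?:\((?P<sym>[^+)]*)(?:\+0x[0-9a-f]+)?\))?"
                   r"\[(?P<addr>0x[0-9a-f]+)\]$")

def triage(text):
    """Return one record per glibc '*** ... detected ***' abort in journal text."""
    reports, current = [], {}          # current: (proc, pid) -> open record
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        key, msg = (line["proc"], line["pid"]), line["msg"]
        abort = ABORT.match(msg)
        if abort:
            rec = {"pid": int(line["pid"]), "exe": abort["exe"], "kind": abort["kind"],
                   "checked_call": None, "caller_addrs": []}
            reports.append(rec)
            current[key] = rec
            continue
        frame, rec = FRAME.match(msg), current.get(key)
        if rec is None or frame is None:
            continue
        if frame["obj"] == rec["exe"]:
            # Frames inside the crashing binary: resolve against a debug build.
            rec["caller_addrs"].append(frame["addr"])
        elif not rec["caller_addrs"] and (frame["sym"] or "").endswith("_chk"):
            # Frames run innermost first, so the last *_chk before the binary's
            # own frames is the fortified call the program made.
            rec["checked_call"] = frame["sym"]
    return reports
```

A `checked_call` ending in `_chk` means the abort came from glibc's `_FORTIFY_SOURCE` size check rather than from a crash after memory was already corrupted.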
