[Bug 310711] New: akonadiserver crashes on malformed input to UNIX socket
Tim Brown
kde at machine.org.uk
Mon Nov 26 14:11:45 GMT 2012
https://bugs.kde.org/show_bug.cgi?id=310711
Bug ID: 310711
Severity: normal
Version: 1.7.2
Priority: NOR
Assignee: kdepim-bugs at kde.org
Summary: akonadiserver crashes on malformed input to UNIX socket
Classification: Unclassified
OS: Linux
Reporter: kde at machine.org.uk
Hardware: Other
Status: UNCONFIRMED
Component: server
Product: Akonadi
Hi,
I don't believe this is a security flaw as it affects the UNIX socket which is
only accessible to the root and owner user. However, I found that
akonadiserver crashes on malformed input. Reproducer as follows:
$ perl -e 'print "\n"' | socat UNIX:/tmp/akonadi-tmb.HoHuFd/akonadiserver.socket STDIO
This results in:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f6013fe7700 (LWP 15368)]
0x00000000004db260 in ?? ()
(gdb) bt
#0 0x00000000004db260 in ?? ()
#1 0x00000000004233bf in ?? ()
#2 0x00007f6021a5f54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#3 0x00007f6021a5f54f in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#4 0x00007f602165036c in ?? () from /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
#5 0x00007f6021654952 in QAbstractSocket::waitForBytesWritten(int) () from /usr/lib/x86_64-linux-gnu/libQtNetwork.so.4
#6 0x00000000004228c3 in ?? ()
#7 0x0000000000422cce in ?? ()
#8 0x00007f602194ed0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#9 0x00007f601fc5fb50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#10 0x00007f601ff4fa7d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#11 0x0000000000000000 in ?? ()
(gdb) x/1i $pc
=> 0x4db260: mov 0x8(%rsi),%rax
(gdb) i r rsi rax
rsi 0x0 0
rax 0x1 1
$rax is the number of bytes that the user has supplied.