View Issue Details

ID: 0000641
Project: file
Category: General
View Status: public
Last Update: 2025-05-09 11:23
Reporter: Bun
Assigned To:
Priority: high
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: Nixos
OS Version: Unstable
Product Version: 5.46
Summary: 0000641: Buffer overflow with executables built with Yocto
Description: I ran into this when building an SDK, which is a Yocto operation where a bunch of native applications are being built. File is being called as part of that process, which crashes with a buffer overflow.

$ file pcprofiledump
*** buffer overflow detected ***: terminated
Aborted (core dumped)

Steps To Reproduce: file pcprofiledump
Tags: No tags attached.

Activities

Bun

2025-04-09 07:22

reporter  

pcprofiledump (21,465 bytes)

Bun

2025-04-09 08:06

reporter   ~0004210

My friend just tried on his Ubuntu machine with version 5.45, that doesn't show this behavior. Might be an issue with my local machine.

dawid-sabat

2025-05-09 08:05

reporter   ~0004220

I see similar behavior when installing Yocto generated SDK on Fedora 42 which has file in version 5.46:

0000017 0.780 You are about to install the SDK to "/opt/sdk". Proceed [Y/n]? Y
0000017 0.782 Extracting SDK......................................................done
0000017 3.830 Setting it up...*** buffer overflow detected ***: terminated
0000017 4.016 xargs: file: terminated by signal 6

maggu2810

2025-05-09 11:14

reporter   ~0004221

I run into the same problem with Fedora 42.
I tried to identify what is executed on Yocto SDK installation.
It seems the whole file list is piped to "xargs -n100 file".

I stored the stream that is piped to xargs ... file.
After that I called file for each line until it failed.

while IFS= read -r LINE; do echo "$LINE"; file "$LINE" || break; done < /tmp/xargs_1746787303_253017901.stdin

/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/ld-linux-x86-64.so.2
/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/ld-linux-x86-64.so.2: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, BuildID[sha1]=14b0e63f5235cec223b71a9b8712efdaaaf47bfd, stripped
/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libBrokenLocale.so.1
/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libBrokenLocale.so.1: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7e6ada133d08d31d21f1c395d8062acd7826dca4, for GNU/Linux 3.2.0, stripped
/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libanl.so.1
/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libanl.so.1: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3d41ade90b40cd3a5e7953597adf09c9fa95a2c6, for GNU/Linux 3.2.0, stripped
/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libc.so.6
*** buffer overflow detected ***: terminated


Here is the output of strace:

strace -f -- file /opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libc.so.6
execve("/usr/bin/file", ["file", "/opt/fooOS/tmp/sysroots/x86_64-p"...], 0x7ffff9095648 /* 84 vars */) = 0
brk(NULL) = 0x55ccd2b4b000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f231d1ea000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=154827, ...}) = 0
mmap(NULL, 154827, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f231d1c4000
close(3) = 0
openat(AT_FDCWD, "/lib64/libmagic.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=177248, ...}) = 0
mmap(NULL, 173160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f231d199000
mmap(0x7f231d1b8000, 36864, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1f000) = 0x7f231d1b8000
mmap(0x7f231d1c1000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7f231d1c1000
close(3) = 0
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2607\0\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
fstat(3, {st_mode=S_IFREG|0755, st_size=2448320, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 2038872, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f231cfa7000
mmap(0x7f231d116000, 479232, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16f000) = 0x7f231d116000
mmap(0x7f231d18b000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e3000) = 0x7f231d18b000
mmap(0x7f231d191000, 31832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f231d191000
close(3) = 0
openat(AT_FDCWD, "/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=984352, ...}) = 0
mmap(NULL, 970768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f231ceb9000
mmap(0x7f231cf35000, 458752, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7c000) = 0x7f231cf35000
mmap(0x7f231cfa5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xeb000) = 0x7f231cfa5000
close(3) = 0
openat(AT_FDCWD, "/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=140848, ...}) = 0
mmap(NULL, 139392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f231ce96000
mmap(0x7f231cead000, 40960, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7f231cead000
mmap(0x7f231ceb7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x20000) = 0x7f231ceb7000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f231ce94000
arch_prctl(ARCH_SET_FS, 0x7f231ce950c0) = 0
set_tid_address(0x7f231ce95390) = 88518
set_robust_list(0x7f231ce953a0, 24) = 0
rseq(0x7f231ce95000, 0x20, 0, 0x53053053) = 0
mprotect(0x7f231d18b000, 16384, PROT_READ) = 0
mprotect(0x7f231ceb7000, 4096, PROT_READ) = 0
mprotect(0x7f231cfa5000, 4096, PROT_READ) = 0
mprotect(0x7f231d1c1000, 8192, PROT_READ) = 0
mprotect(0x55cc94f58000, 4096, PROT_READ) = 0
mprotect(0x7f231d226000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f231d1c4000, 154827) = 0
getrandom("\xa0\x4d\x4d\xa0\x0a\xcb\x2d\x78", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55ccd2b4b000
brk(0x55ccd2b6c000) = 0x55ccd2b6c000
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=233242544, ...}) = 0
mmap(NULL, 233242544, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f230f000000
close(3) = 0
newfstatat(AT_FDCWD, "/home/de23a4/.magic.mgc", 0x7ffd82e901c0, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/home/de23a4/.magic", 0x7ffd82e901c0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/magic.mgc", O_RDONLY) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/magic", {st_mode=S_IFREG|0644, st_size=110, ...}, 0) = 0
openat(AT_FDCWD, "/etc/magic", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=110, ...}) = 0
read(3, "# Magic local data for file(1) c"..., 4096) = 110
read(3, "", 4096) = 0
close(3) = 0
openat(AT_FDCWD, "/usr/share/misc/magic.mgc", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=10356336, ...}) = 0
mmap(NULL, 10356336, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x7f230e600000
close(3) = 0
mprotect(0x7f230e600000, 10356336, PROT_READ) = 0
mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f231d1c9000
openat(AT_FDCWD, "/usr/lib64/gconv/gconv-modules.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=27012, ...}) = 0
mmap(NULL, 27012, PROT_READ, MAP_SHARED, 3, 0) = 0x7f231ce8d000
close(3) = 0
futex(0x7f231d19072c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x6), ...}) = 0
mmap(NULL, 7344128, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f230deff000
newfstatat(AT_FDCWD, "/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libc.so.6", {st_mode=S_IFREG|0755, st_size=1925632, ...}, AT_SYMLINK_NOFOLLOW) = 0
openat(AT_FDCWD, "/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/libc.so.6", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=1925632, ...}) = 0
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0Q\2\0\0\0\0\0"..., 7340032) = 1925632
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f230de7e000
munmap(0x7f230de7e000, 528384) = 0
lseek(3, 0, SEEK_SET) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 56, 64) = 56
pread64(3, "\3\0\0\0\4\0\0\0@\265\31\0\0\0\0\0@\265\31\0\0\0\0\0@\265\31\0\0\0\0\0"..., 56, 120) = 56
pread64(3, "/opt/fooOS/tmp/sysroots/x86_64-p"..., 2024, 1684800) = 2024
writev(2, [{iov_base="*** ", iov_len=4}, {iov_base="buffer overflow detected", iov_len=24}, {iov_base=" ***: terminated\n", iov_len=17}], 3*** buffer overflow detected ***: terminated
) = 45
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f231d1c8000
gettid() = 88518
getpid() = 88518
tgkill(88518, 88518, SIGABRT) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=88518, si_uid=1000} ---
+++ killed by SIGABRT (core dumped) +++
Aborted (core dumped)
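
A triage sketch for the trace above, added here and not part of the original note or of file's own source: it reads the ELF64 program headers the same way the strace shows (PT_INTERP as a header of type 3, then a 2024-byte read at its offset, the last read before the abort) and lists files whose interpreter segment is larger than the path stored in it, without running file on them. The function names and both sample images are constructed for this example.

```python
import struct
import sys

PT_INTERP = 3  # p_type of the second header in the strace ("\3\0\0\0")

def interp_segment(data: bytes):
    """Return (p_offset, p_filesz, path) for PT_INTERP in an ELF64 LE image, else None."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        return None  # only ELF64 little-endian is handled here
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if e_phentsize < 56 or off + 56 > len(data):
            return None  # malformed or truncated program header table
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            seg = data[p_offset:p_offset + p_filesz]  # slice clamps at end of file
            # latin-1 keeps one character per byte, so len(path) is a byte count
            return p_offset, p_filesz, seg.split(b"\0", 1)[0].decode("latin-1")
    return None

def is_padded(data: bytes) -> bool:
    """True when p_filesz exceeds the interpreter path plus its NUL terminator."""
    seg = interp_segment(data)
    return seg is not None and seg[1] > len(seg[2]) + 1

def build_sample(path: bytes, filesz: int) -> bytes:
    """Constructed test image: ELF64 header, one PT_INTERP phdr, NUL-padded segment."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 120, 120, filesz, filesz, 1)
    return ehdr + phdr + path.ljust(filesz, b"\0")

# Constructed samples: a conventional interpreter, and one padded to the 2024 bytes read above.
NORMAL = build_sample(b"/lib64/ld-linux-x86-64.so.2", 28)
PADDED = build_sample(
    b"/opt/fooOS/tmp/sysroots/x86_64-pokysdk-linux/lib/ld-linux-x86-64.so.2", 2024)

if __name__ == "__main__":
    # Reads one path per line on stdin, like the list piped to "xargs -n100 file".
    for name in (line.rstrip("\n") for line in sys.stdin):
        try:
            with open(name, "rb") as fh:
                data = fh.read()
        except OSError:
            continue
        if is_padded(data):
            off, size, path = interp_segment(data)
            print(f"{name}: PT_INTERP offset={off} filesz={size} path={path}")
```

Feeding it the saved xargs input on stdin prints only the ELF files with a padded interpreter segment, which narrows the list before trying a patched file build on them.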

maggu2810

2025-05-09 11:23

reporter   ~0004222

Seems to be a duplicate of 579 (https://bugs.astron.com/view.php?id=579).
I the commit containing the fix for 579 and file does not abort anymore.

Issue History

Date Modified Username Field Change
2025-04-09 07:22 Bun New Issue
2025-04-09 07:22 Bun File Added: pcprofiledump
2025-04-09 08:06 Bun Note Added: 0004210
2025-05-09 08:05 dawid-sabat Note Added: 0004220
2025-05-09 11:14 maggu2810 Note Added: 0004221
2025-05-09 11:23 maggu2810 Note Added: 0004222