[Debian-med-packaging] Bug#1075990: bamtools corrupts output data on bigendian architectures

Vladimir Petko vpa1977 at gmail.com
Tue Jul 9 04:38:08 BST 2024


Source: bamtools
Version: 2.5.2+dfsg-4
Severity: normal

Dear Maintainer,

In Ubuntu, the autopkgtest fails due to a detected buffer overflow [1], with the following stack trace:
(gdb) where
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x000003fff789fd56 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x000003fff784ba90 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x000003fff782b4cc in __GI_abort () at abort.c:79
#4 0x000003fff78921f8 in __libc_message_impl (fmt=fmt@entry=0x3fff79a428e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:132
#5 0x000003fff792a50c in __GI___fortify_fail (msg=msg@entry=0x3fff79a424a "buffer overflow detected") at fortify_fail.c:24
#6 0x000003fff7929d38 in __GI___chk_fail () at chk_fail.c:28
#7 0x000003fff792adae in __GI___memcpy_chk (dstpp=dstpp@entry=0x2aa000ab261, srcpp=srcpp@entry=0x3ffffff99b4, len=len@entry=4, dstlen=dstlen@entry=3) at memcpy_chk.c:27
#8 0x000003fff7e2b6ba in memcpy (__len=4, __src=0x3ffffff99b4, __dest=0x2aa000ab261) at /usr/include/s390x-linux-gnu/bits/string_fortified.h:29
#9 BamTools::SwapEndian_32p (data=0x2aa000ab261 "") at /usr/src/bamtools-2.5.2+dfsg-5/src/api/BamAux.h:229
#10 BamTools::Internal::BamWriterPrivate::WriteAlignment (this=0x2aa000890d0, al=...) at /usr/src/bamtools-2.5.2+dfsg-5/src/api/internal/bam/BamWriter_p.cpp:353
#11 0x000003fff7e1445c in BamTools::Internal::BamWriterPrivate::SaveAlignment (al=..., this=0x2aa000890d0) at /usr/src/bamtools-2.5.2+dfsg-5/src/api/internal/bam/BamWriter_p.cpp:263
#12 BamTools::BamWriter::SaveAlignment (this=<optimized out>, alignment=...) at /usr/src/bamtools-2.5.2+dfsg-5/src/api/BamWriter.cpp:131
#13 0x000002aa00035f08 in BamTools::RevertTool::RevertToolPrivate::Run() ()
#14 0x000002aa0003e3fe in BamTools::RevertTool::Run(int, char**) ()
#15 0x000002aa0001017a in main ()
(gdb) print i
$1 = 17

This is due to the write loop in src/api/internal/bam/BamWriter_p.cpp using a
single-byte increment instead of a sizeof(uint32_t) increment to swap bytes in
the integer data.

The output file on s390x is corrupted.

[1] https://objectstorage.prodstack5.canonical.com/swift/v1/AUTH_0f9aae918d5b4744bf7b827671c86842/autopkgtest-oracular/oracular/s390x/b/bamtools/20240701_175546_4de2a@/log.gz


-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), (100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-36-generic (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
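
Added example, not part of the original report and not bamtools code: a bounds-checked sketch of the stride mistake described above, showing why a byte-wise loop index both corrupts the swapped words and eventually asks for a 4-byte write with 3 bytes left. The helper names and the 20-byte sample buffer are hypothetical; the buffer size is chosen so the first rejected offset is 17, matching the values in the trace (i = 17, len=4, dstlen=3).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical helper (not bamtools' SwapEndian_32p): reverse the 4 bytes at
// buf[off..off+3], refusing the write when fewer than 4 bytes remain.
static bool swap32_at(std::vector<uint8_t>& buf, size_t off) {
    if (off > buf.size() || buf.size() - off < sizeof(uint32_t)) return false;
    uint8_t tmp[sizeof(uint32_t)];
    std::memcpy(tmp, buf.data() + off, sizeof tmp);
    for (size_t k = 0; k < sizeof tmp; ++k) buf[off + k] = tmp[sizeof tmp - 1 - k];
    return true;
}

struct SwapResult {
    std::vector<uint8_t> bytes;  // buffer contents after the loop
    long first_rejected;         // first offset that would overrun, -1 if none
};

// Walk the buffer with the given stride, swapping a 32-bit word at each step.
static SwapResult swap_array(std::vector<uint8_t> buf, size_t stride) {
    SwapResult r{ {}, -1 };
    for (size_t i = 0; i < buf.size(); i += stride)
        if (!swap32_at(buf, i) && r.first_rejected < 0) r.first_rejected = (long)i;
    r.bytes = buf;
    return r;
}

// Constructed sample: five 32-bit values 1..5 stored little-endian (20 bytes).
static std::vector<uint8_t> sample() {
    std::vector<uint8_t> b;
    for (uint8_t v = 1; v <= 5; ++v) { b.push_back(v); b.insert(b.end(), 3, 0); }
    return b;
}

// What a correct swap must produce: the same values stored big-endian.
static std::vector<uint8_t> expected_big_endian() {
    std::vector<uint8_t> b;
    for (uint8_t v = 1; v <= 5; ++v) { b.insert(b.end(), 3, 0); b.push_back(v); }
    return b;
}

int main() {
    SwapResult good = swap_array(sample(), sizeof(uint32_t));  // element stride
    SwapResult bad  = swap_array(sample(), 1);                 // byte stride
    return (good.bytes == expected_big_endian() && bad.first_rejected == 17) ? 0 : 1;
}
```

With the byte stride, every offset before 17 still performs an overlapping swap, so the output is already wrong before the fortified memcpy aborts.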


