Bug#: 162169
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Description:   Opened: 2007-01-15 08:20 0000
Liu Qishuai reported a stack overflow in libgtop2 in Launchpad:

https://launchpad.net/bugs/79206

I could reproduce it on Ubuntu feisty on AMD64.
libgtop2 is 2.14.5-0ubuntu1.

Steps to reproduce:
 export dir=$(perl -e " print 's/'x1000;")
 mkdir -p $dir
 cp /bin/sleep $dir
 $dir/sleep 100 &
 gnome-system-monitor

gnome-system-monitor aborts with
*** stack smashing detected ***: gnome-system-monitor terminated
Aborted

A backtrace leads to
(gdb) frame 4
#4 0x00002b24888ee7e6 in glibtop_get_proc_map_s (server=0x2b2488af38a0,
buf=0x7fff23c825e0, pid=9755472)
    at procmap.c:229

I've started to look for the problem:

The problematic code is in sysdeps/linux/procmap.c: glibtop_get_proc_map_s()

    char line[1024];
    [...]
    char filename [GLIBTOP_MAP_FILENAME_LEN+1];

    glibtop_map_entry *entry;

    if (!fgets(line, sizeof line, maps))
        break;

    /* 8 arguments */
    rv = sscanf(line, PROC_MAPS_FORMAT,
                &start, &end, flags, &offset,
                &dev_major, &dev_minor, &inode, filename);

GLIBTOP_MAP_FILENAME_LEN is 215 (include/glibtop/procmap.h)
PROC_MAPS_FORMAT is defined as "%16llx-%16llx %4c %16llx %02hx:%02hx %llu%*[ ]%[^\n]\n"

maps is /proc/<pid>/smaps and the first line looks in this case like
    00400000-00404000 r-xp 00000000 08:07 1849138 /home/michael/tmp/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/[...]

After the sscanf 'filename' contains the filename which is much longer than the
char array and overflows into the stack.

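As an added example (not libgtop's code or its 2.14.6 fix), the same sscanf parse with the one change that closes this hole, a field width on the trailing %[^\n] conversion, plus a helper that replays the deep-path case in memory. The struct and function names are assumptions, and the device fields use %hx without the original's two-digit limit.

```c
#include <stdio.h>
#include <string.h>

#define MAP_FILENAME_LEN 215            /* libgtop's GLIBTOP_MAP_FILENAME_LEN */
#define STR_(x) #x
#define STR(x) STR_(x)                  /* turns 215 into the "215" field width */

/* Hypothetical entry type; mirrors the variables the report's sscanf fills. */
struct map_entry {
    unsigned long long start, end, offset, inode;
    unsigned short dev_major, dev_minor;
    char flags[5];                      /* "r-xp" plus terminator */
    char filename[MAP_FILENAME_LEN + 1];
};

/* Parses one /proc/<pid>/maps line. Returns 8 when a filename was present,
 * 7 for an anonymous mapping, -1 on a malformed line. The only change from
 * the reported code is the explicit width on the last conversion: sscanf
 * stops after MAP_FILENAME_LEN bytes instead of writing the whole path. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    memset(e, 0, sizeof *e);            /* also terminates the 4-char flags */
    int rv = sscanf(line,
                    "%16llx-%16llx %4c %16llx %hx:%hx %llu%*[ ]%"
                    STR(MAP_FILENAME_LEN) "[^\n]",
                    &e->start, &e->end, e->flags, &e->offset,
                    &e->dev_major, &e->dev_minor, &e->inode, e->filename);
    return rv < 7 ? -1 : rv;
}

/* Constructed sample: the first maps line quoted in the report, shortened. */
static const char SAMPLE_LINE[] =
    "00400000-00404000 r-xp 00000000 08:07 1849138 /home/michael/tmp/s/s/s\n";

/* Rebuilds the reproduction case in memory: a path of several hundred "/s"
 * components inside a 1024-byte line (libgtop's own fgets buffer size).
 * Returns the parsed filename length, which the width caps at 215. */
int long_path_filename_len(void)
{
    char line[1024];
    struct map_entry e;
    int n = snprintf(line, sizeof line,
                     "00400000-00404000 r-xp 00000000 08:07 1849138 /tmp");
    while (n < 900) { line[n++] = '/'; line[n++] = 's'; }
    line[n++] = '\n'; line[n] = '\0';
    return parse_maps_line(line, &e) == 8 ? (int)strlen(e.filename) : -1;
}
```
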
------- Comment #1 From Raphael Marichez 2007-01-15 23:45:59 0000 -------
Same as bug 162092, you can fill the Whiteboard and maintainer fields please :)
It will help me/us a lot.

Sune, is this local only? not suid?

------- Comment #2 From Mart Raudsepp 2007-01-16 08:09:06 0000 -------
libgtop-2.14.6 is in the tree now, which includes the fix.
Please proceed as you see fit.

------- Comment #3 From Stefan Cornelius (RETIRED) 2007-01-16 14:33:00 0000 -------
thanks leio.

Arches, please test and stable libgtop-2.14.6, thanks

------- Comment #4 From Tobias Scherbaum 2007-01-16 17:16:01 0000 -------
ppc stable

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-01-16 18:27:55 0000 -------
sparc stable.

------- Comment #6 From Bryan Østergaard (RETIRED) 2007-01-16 18:49:11 0000 -------
Alpha done.

------- Comment #7 From Olivier Crete 2007-01-16 21:51:43 0000 -------
amd64 done

------- Comment #8 From Bo Ørsted Andresen (RETIRED) 2007-01-17 03:29:01 0000 -------
1) emerges ok
2) passes collision test
3) works with gnome-system-monitor

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.19-suspend2-r1 i686)
=================================================================
System uname: 2.6.19-suspend2-r1 i686 Intel(R) Pentium(R) M processor 1600MHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 17 Jan 2007 00:30:01 +0000

------- Comment #9 From Christian Faulhammer 2007-01-17 07:40:12 0000 -------
x86 stable

------- Comment #10 From Markus Rothe 2007-01-17 07:51:12 0000 -------
ppc64 stable

------- Comment #11 From Jeroen Roovers 2007-01-18 07:27:59 0000 -------
Stable for HPPA.

------- Comment #12 From Matthias Geerdsen 2007-01-23 09:33:10 0000 -------
GLSA 200701-17

thanks everyone

arm/ia64, don't forget to mark stable to benefit from the GLSA
