Bug 379369 - net-analyzer/wireshark-1.4.8: crash in dumpcap
Summary: net-analyzer/wireshark-1.4.8: crash in dumpcap
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
Importance: Highest normal
Assignee: Peter Volkov (RETIRED)
Reported: 2011-08-16 11:01 UTC by Alex Efros
Modified: 2012-08-02 15:21 UTC
Runtime testing required: ---


Attachments
wireshark-cap_dac_read_search.patch (410 bytes, patch), 2012-08-02 12:01 UTC, Mira Ressel

Description Alex Efros 2011-08-16 11:01:03 UTC
On my system wireshark crashes on start every time (probably the latest working version was 1.4.6 or 1.4.7, not sure) with:

2011-08-16_10:38:11.39824 kern.info: dumpcap[13901]: segfault at 4 ip 9f947db6 sp b2ba1868 error 6 in libc-2.12.2.so[9f8b7000+14c000]
2011-08-16_10:38:11.39828 kern.alert: grsec: Segmentation fault occurred at 00000004 in /usr/bin/dumpcap[dumpcap:13901] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/wireshark[wireshark:13898] uid/euid:1000/1000 gid/egid:100/100
2011-08-16_10:38:11.39829 kern.alert: grsec: bruteforce prevention initiated against uid 1000, banning for 15 minutes

It may be important to note that I didn't enable "SECURITY_FILE_CAPABILITIES and <FS>_FS_SECURITY" in the kernel, so dumpcap is SUID on my system (and my account is in the wireshark group).



Portage 2.1.10.3 (hardened/linux/x86, gcc-4.4.5, glibc-2.12.2-r0, 2.6.39-hardened-r8 i686)
=================================================================
System uname: Linux-2.6.39-hardened-r8-i686-Intel-R-_Core-TM-2_CPU_6600_@_2.40GHz-with-gentoo-2.0.3
Timestamp of tree: Mon, 15 Aug 2011 08:30:01 +0000
app-shells/bash:          4.1_p9
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.1-r1, 3.1.3-r1
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:       2.20.1-r1
sys-devel/gcc:            4.4.5
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82
sys-kernel/linux-headers: 2.6.36.1 (virtual/os-headers)
sys-libs/glibc:           2.12.2
Repositories: gentoo kde-sunset vmware powerman local
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=prescott -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/icedtea6-bin-1.10.3/jre/lib/i386/jvm.cfg /service /usr/inferno/keydb /usr/inferno/lib /usr/inferno/services /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/log /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=prescott -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="ftp://ftp.df.lth.se/pub/gentoo/ http://ftp.df.lth.se/pub/gentoo/ http://gentoo.telcom.net.ua/"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en ru"
MAKEOPTS="-j1"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude ChangeLog --delete-excluded"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/kde-sunset /var/lib/layman/vmware /var/lib/layman/powerman /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac acl acpi aim alsa apache2 asf avi bash-completion berkdb bitmap-fonts bzip2 cddb cdr chm cli consolekit cracklib crypt cscope cue curl cxx dbus device-mapper dga divx4linux djvu dlloader dri dts dvd dvdr dvdread encode fastcgi ffmpeg flac flash gd gdbm gif gnutls gpg gtk gtk2 hardened hddtemp iconv icq idn imagemagick imap imlib irc jabber javascript jpeg jpeg2k kde lm_sensors lzo mad mailbox mbox mmx mng modules motif mp3 mpeg msn mudflap musepack mysql ncurses network-cron nls nptl nptlonly nsplugin ogg opengl openmp oss pam pcre perl pic png policykit pppd pwdb python qt qt3support qt4 quicktime readline rss rtc samba sdl session spell sse sse2 sse3 ssl ssse3 svg sysfs tcltk tcpd theora tiff truetype truetype-fonts type1-fonts udev unicode urandom vdpau vim-pager vim-syntax vim-with-x vorbis wavpack win32codecs x264 x86 xinetd xorg xv xvid xvmc yahoo zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en ru" 
PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia nv fbdev vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Comment 1 Alex Efros 2011-08-16 11:49:03 UTC
I've tried 1.4.7 and 1.4.6, and they all crash with a similar error.

I've enabled CONFIG_EXT3_FS_SECURITY, reinstalled 1.4.8 and got the same error:

2011-08-16_11:44:44.18715 kern.info: dumpcap[22030]: segfault at 4 ip af27cdb6 sp bc555878 error 6 in libc-2.12.2.so[af1ec000+14c000]
2011-08-16_11:44:44.18720 kern.alert: grsec: Segmentation fault occurred at 00000004 in /usr/bin/dumpcap[dumpcap:22030] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/wireshark[wireshark:22027] uid/euid:1000/1000 gid/egid:100/100

Also, it looks like everything works when wireshark is run as root (tried 1.4.6 SUID and 1.4.8 non-SUID with EXT3_FS_SECURITY).
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-10-02 19:14:23 UTC
Thank you for the report. Please try upgrading to 1.6.2 and reproducing this problem.
Comment 3 Alex Efros 2011-10-03 00:57:41 UTC
(In reply to comment #2)
> Thank you for report. Please, try upgrade to 1.6.2 and reproduce this problem.

1.6.2 has the same issue:

kern.info: dumpcap[19199]: segfault at 4 ip a79338d2 sp bd8d9dc8 error 6 in libc-2.12.2.so[a78a0000+14f000]
kern.alert: grsec: Segmentation fault occurred at 00000004 in /usr/bin/dumpcap[dumpcap:19199] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/wireshark[wireshark:19196] uid/euid:1000/1000 gid/egid:100/100

Installed as SUID. Works OK when running as root, i.e. everything is the same as for previous versions.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2011-12-12 06:34:02 UTC
"bruteforce prevention initiated against uid 1000, banning for 15 minutes"

I guess this means some hardened feature kills wireshark, and thus a kernel upgrade could expose this feature, not wireshark. Could you try reinstalling 1.4.7 or 1.4.6 to see if it works (just cp the 1.4.x ebuild and run repoman manifest)?
Comment 5 Alex Efros 2011-12-16 06:23:57 UTC
(In reply to comment #4)
> "bruteforce prevention initiated against uid 1000, banning for 15 minutes"
> 
> I guess this means some hardened feature kill wireshark and thus kernel upgrade
> could expose this feature, not wireshark. Could you try reinstall 1.4.7 or
> 1.4.6 to see if it works (just cp 1.4.x ebuild and run repoman manifest)?

This behavior was triggered by CONFIG_GRKERNSEC_KERN_LOCKOUT. I've disabled it, so now I only get a segfault in dumpcap, without all my user's processes being killed.
When dumpcap runs as root, it works fine; it segfaults only for non-root users.

I've already tried 1.4.6 and 1.4.7 without success, see comment #1 above.
Comment 6 Alex Efros 2012-01-28 02:13:47 UTC
Okay, thanks to pageexec's help on the hardened mailing list I was able to identify this issue:

> #0  0xb749f152 in __readdir64 (dirp=0x0) at ../sysdeps/unix/readdir.c:45
>         dp = <optimized out>
>         saved_errno = <optimized out>
> #1  0xb759d7ea in scan_sys_class_net (devlistp=0xbfffe488, 
>     errbuf=0xbfffe4dc "tun0: You don't have permission to capture on that device (socket: Operation not permitted)") at ./pcap-linux.c:1832
>         sys_class_net_d = 0x0

Looks like a bug in libpcap-1.1.1-r1:
    pcap-linux.c:1816:

        sys_class_net_d = opendir("/sys/class/net");
        if (sys_class_net_d == NULL && errno == ENOENT)
                return (0);
        ...
        for (;;) {
                errno = 0;
                ent = readdir(sys_class_net_d);

The second line, with the if, looks just plain wrong. Moreover, as far as I can see,
in libpcap-1.2.1 they've already fixed this:
    pcap-linux.c:1949:

        sys_class_net_d = opendir("/sys/class/net");
        if (sys_class_net_d == NULL) {
                if (errno == ENOENT)
                        return (0);
                (void)snprintf(errbuf, PCAP_ERRBUF_SIZE,
                    "Can't open /sys/class/net: %s", pcap_strerror(errno));
                return (-1);
        }

So, I'm going to upgrade libpcap to the latest ~x86 version and see if this
really fixes this bug… Okay, here it is:

$ dumpcap
dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission denied

So, wireshark still doesn't work on hardened under non-root, but it doesn't
crash anymore; that's big progress.
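The two opendir() checks quoted above, side by side, as an added example that is not libpcap's code and not the patch attached to this bug. Both checks are written to return a result code instead of continuing into readdir(), so the EACCES case that CONFIG_GRKERNSEC_SYSFS_RESTRICT produces for a non-root user can be exercised without a NULL dereference. The scan_result names, the scan_dir() wrapper and the error-buffer size are assumptions made for this example, not libpcap's.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 256  /* assumed size; libpcap uses PCAP_ERRBUF_SIZE */

/* Outcome of the opendir() check, returned as a value so the failure
 * mode can be observed without actually calling readdir(NULL). */
enum scan_result {
    SCAN_OK = 0,          /* directory opened, scanning may proceed */
    SCAN_NO_SYSFS = 1,    /* ENOENT: no /sys/class/net, treated as "no interfaces" */
    SCAN_ERROR = -1,      /* any other open error, reported in errbuf */
    SCAN_NULL_DEREF = -2  /* buggy path: the real loop would call readdir(NULL) */
};

/* Mirrors the libpcap-1.1.1 check: only ENOENT is handled, so any other
 * opendir() failure (EACCES on a restricted sysfs) falls through with a
 * NULL DIR pointer. The real code then segfaults inside readdir(). */
static enum scan_result check_buggy(DIR *d, int err)
{
    if (d == NULL && err == ENOENT)
        return SCAN_NO_SYSFS;
    if (d == NULL)
        return SCAN_NULL_DEREF;   /* where the crash at address 4 comes from */
    return SCAN_OK;
}

/* Mirrors the libpcap-1.2.1 fix: every NULL return is handled, and
 * non-ENOENT errors are turned into a readable message instead. */
static enum scan_result check_fixed(DIR *d, int err, char *errbuf, size_t len)
{
    if (d == NULL) {
        if (err == ENOENT)
            return SCAN_NO_SYSFS;
        snprintf(errbuf, len, "Can't open /sys/class/net: %s", strerror(err));
        return SCAN_ERROR;
    }
    return SCAN_OK;
}

/* Applies the fixed check to a real path and counts the entries the way the
 * original loop walks them (errno reset before each readdir() call). */
static enum scan_result scan_dir(const char *path, char *errbuf, size_t len, int *count)
{
    errno = 0;
    DIR *d = opendir(path);
    enum scan_result r = check_fixed(d, errno, errbuf, len);
    if (r != SCAN_OK)
        return r;

    *count = 0;
    struct dirent *ent;
    for (;;) {
        errno = 0;
        ent = readdir(d);
        if (ent == NULL)
            break;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        (*count)++;
    }
    closedir(d);
    return SCAN_OK;
}

int main(void)
{
    char errbuf[ERRBUF_SIZE];
    int n = 0;
    enum scan_result r = scan_dir("/sys/class/net", errbuf, sizeof errbuf, &n);
    if (r == SCAN_OK)
        printf("%d interface(s) found\n", n);
    else if (r == SCAN_NO_SYSFS)
        printf("no /sys/class/net, assuming no interfaces\n");
    else
        printf("dumpcap-style failure: %s\n", errbuf);
    return 0;
}
```

With the fixed check, the EACCES case produces the "Can't open /sys/class/net: Permission denied" message seen after the libpcap upgrade instead of the segfault; the check itself is the whole difference between the two libpcap versions.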
Comment 7 Alex Efros 2012-02-10 07:15:49 UTC
(In reply to comment #6)
> $ dumpcap
> dumpcap: Can't get list of interfaces: Can't open /sys/class/net: Permission
> denied
> 
> So, wireshark still doesn't work on hardened under non-root, but doesn't
> crash anymore, that's a big progress.

This one can be worked around by disabling CONFIG_GRKERNSEC_SYSFS_RESTRICT. Also, when this option is disabled, dumpcap won't crash with libpcap-1.1.1-r1.

The next issue was:
$ dumpcap
dumpcap: Can't get list of interfaces: Can't open netlink socket 93:Protocol not supported

This one is solved by enabling CONFIG_NF_CT_NETLINK in the kernel.

Actually I think it needs CONFIG_NETFILTER_NETLINK, but to enable that one we have to enable one of three other options, and at a glance none of them have anything to do with dumping packets.

NOW wireshark is able to run as non-root!

I'm not sure whether it is better to fix the code to not require these kernel options (I'm pretty sure it's possible to list available network interfaces without using /sys/class/net and NETLINK), or to add a warning to the ebuild about requiring these kernel options.
Comment 8 Mira Ressel 2012-08-02 12:01:36 UTC
I encounter the same problem with wireshark-1.8.1 (USE flag +caps): dumpcap fails
because it can't read /sys/class/net on my hardened system. As Alex Efros
already mentioned, one workaround would be to disable
CONFIG_GRKERNSEC_SYSFS_RESTRICT in the kernel. But I found another, more secure
workaround: If dumpcap had the capability dac_read_search, it could read the
directory. Could you apply the attached ebuild patch to achieve that?
Comment 9 Mira Ressel 2012-08-02 12:01:48 UTC
Created attachment 320044
wireshark-cap_dac_read_search.patch
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-02 15:21:28 UTC
Fixed in 1.6.9-r1 and 1.8.1-r1. Thanks for reporting and for the patch.