gcc -D_GNU_SOURCE -march=pentium3 -O2 -pipe -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -o paretonormal paretonormal.c -lm ./paretonormal >paretonormal.dist paretonormal: stack smashing attack in function main() /bin/sh: line 1: 3238 Aborted ./paretonormal >paretonormal.dist make[1]: *** [paretonormal.dist] Error 134 make[1]: Leaving directory `/gentoo/build/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem' make: *** [all] Error 2 !!! ERROR: sys-apps/iproute2-2.6.11.20050330 failed. Reproducible: Always Steps to Reproduce: emerge iproute2 Actual Results: Portage 2.0.51.22-r1 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r0, 2.6.11.12 i686) ================================================================= System uname: 2.6.11.12 i686 Pentium III (Katmai) Gentoo Base System version 1.6.13 dev-lang/python: 2.3.5, 2.4.1-r1 sys-apps/sandbox: 1.2.11 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d" CXXFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer" DISTDIR="/gentoo/distfiles" FEATURES="autoconfig distlocks sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.osuosl.org" LINGUAS="de" MAKEOPTS="" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/gentoo/build" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X Xaw3d acl alsa arts athena autofs avi bash-completion berkdb bitmap-fonts bzlib caps cdr crypt cups dga dlloader dnd emacs emboss encode exif fam fbcon font-server foomaticdb gif gpm gtk gtk2 hardened imagemagick imap imlib jpeg kde kdexdeltas largeterminal lcms ldap libg++ libwww logitech-mouse maildir mbox mcal motif mozcalendar moznocompose moznoirc mozsvg mp3 mpeg mule ncurses nls nntp nodroproot nptl nptlonly ogg oggvorbis ooo-kde opengl pam parse-clocks pcre pdflib perl perlsuid pic pie png posix ppds pwdb python qt quicktime readline samba sasl savedconfig serial slang smime socks5 spell sse ssl swig symlink tcltk tcpd tetex threads tiff truetype truetype-fonts type1-fonts usb vim-with-x vorbis wmf wxwindows xml2 xprint xv zlib linguas_de userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS
Same error here but with a grsec/hardened system : ./paretonormal >paretonormal.dist paretonormal: stack smashing attack in function main() Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to /var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0 Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to /var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0 =========================== Portage 2.0.51.22-r1 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r0, 2.6.11-xwing-r3 i686) ================================================================= System uname: 2.6.11-xwing-r3 i686 Intel(R) Celeron(R) CPU 2.53GHz Gentoo Base System version 1.6.13 dev-lang/python: 2.4.1-r1 sys-apps/sandbox: 1.2.11 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildsyspkg candy ccache distlocks sandbox sfperms strict userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/ http://ftp.gentoo.skynet.be/pub/gentoo/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/" LANG="fr_FR.UTF-8" LC_ALL="fr_FR.UTF-8" LINGUAS="fr" PKGDIR="/usr/portage//packages/x86/" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage/" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 4kstacks X509 acl acpi acpi4linux apache2 bash-completion berkdb clamav crypt dba dbx dga dlloader enscript extensions fbcon freetype fs gd gdbm gif hardened idled imagemagick imap imlib2 ipv6 ithreads jpeg maildir md5sum mmx mysql ncurses nls nptl nptlonly pam perl pic png prelude print python readline rrdtool samba sasl slang smartcard sqlite sse sse2 ssl tcpd threads tiff truetype truetype-fonts type1 type1-fonts unicode usb userlocales xml2 zlib linguas_fr userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS
paretonormal.c:58:Bounds error: array reference (16384) outside bounds of the array. paretonormal.c:58: Pointer value: 0x5897e5d0 paretonormal.c:58: Object `table': paretonormal.c:58: Address in memory: 0x5895e5d0 .. 0x5897e5cf paretonormal.c:58: Size: 131072 bytes paretonormal.c:58: Element size: 8 bytes paretonormal.c:58: Number of elements: 16384 paretonormal.c:58: Created at: paretonormal.c, line 54 paretonormal.c:58: Storage class: stack -----------------------------------
Created attachment 63771 [details, diff] iproute2-paretonormal-overflow.patch patch to keep paretonormal from overflowing on itself.
Taviso here is a local stack overflow.
Here is another one. maketable.c:152:Bounds error: attempt to reference memory overrunning the end of an object. maketable.c:152: Pointer value: 0x14049000, Size: 2 maketable.c:152: Object `malloc': maketable.c:152: Address in memory: 0x14047000 .. 0x14048fff maketable.c:152: Size: 8192 bytes maketable.c:152: Element size: 1 bytes maketable.c:152: Number of elements: 8192 maketable.c:152: Created at: maketable.c, line 141 maketable.c:152: Storage class: heap
latest snapshot (dated Jun 06) seems to have this issue too e-mailed iproute2 dev about the issue
just to note, this isnt a security issue because none of the netem utilites are actually installed ... they are used to generate some data tables and the tables are installed
Solar, your patch works fine here. Thanks. :)
Any date when this will be implemented into the portage tree?
i expected to hear back from the iproute2 maintainer but that hasnt happened ... ive added the patch here to the build but that still doesnt address maketable.c
Created attachment 66325 [details] an ebuild for the latest iproute2 release The latest release from http://developer.osdl.org/dev/iproute2/download/ with the same Gentoo patches as iproute2-2.6.11.20050330.ebuild.
I've posted an ebuild for the latest (050816) release of iproute2. It compiles clean for me. Maybe this is what the iproute2 maintainer has been waiting for, an upstream fix.
Stale bug, reopen if you have the same problem w/ uptodate versions. Thanks.
