Attachment 36377 Details for Bug 58633 – gdb results on modified ifconfig with local declaration outside while loop - ultimately "fixes" the smash

gdb results on modified ifconfig with local declaration outside while loop - ultimately "fixes" the smash

gdb2.log (text/plain), 4.48 KB, created by Kevin F. Quinn (RETIRED) on 2004-07-28 23:03:09 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kevin F. Quinn (RETIRED)

Created: 2004-07-28 23:03:09 UTC

Size: 4.48 KB

patch

obsolete

>GNU gdb 6.0
>Copyright 2003 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, and you are
>welcome to change it and/or distribute copies of it under certain conditions.
>Type "show copying" to see the conditions.
>There is absolutely no warranty for GDB.  Type "show warranty" for details.
>This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
>
>(gdb) run
>Starting program: /var/tmp/portage/net-tools-1.60-r8/work/net-tools-1.60/ifconfig 
>ifconfig: stack smashing attack in function if_readlist_rep()
>
>Program received signal SIGABRT, Aborted.
>0x0805c8b1 in kill ()
>(gdb) bt full
>#0  0x0805c8b1 in kill ()
>No symbol table info available.
>#1  0x08055453 in __stack_smash_handler ()
>No symbol table info available.
>#2  0x0804fc34 in if_readlist_rep (target=0x80d17c0 "eth_dockh", ife=0x80d17b8)
>    at interface.c:415
>	fh = (FILE *) 0x80d1318
>	buf = "eth_dockh:39435796   27654    0    0    0     0          0         0  1507948   13569    0    0    0     0       0          0\n\000\000H\031\r\bH\000\000\000Í\003\000\000 ÿ\f\b`í\f\b ÿ\f\b ÿ\f\b|ïÿ¿)q\006\b ÿ\f\bÀ\003\000\000\230ïÿ¿`í\f\bÀ\003\000\000\000\000\000\000°ïÿ¿`s\006\bÀ\003\000\000"...
>	err = 0
>#3  0x0804f156 in for_all_interfaces (doit=0x80505a3 <do_if_print>, 
>    cookie=0x80cf0c0) at interface.c:137
>	ife = (struct interface *) 0x80d17b8
>	err = 0
>#4  0x0804829b in if_print (ifname=0x0) at ifconfig.c:111
>	res = 135054224
>#5  0x08048b0b in main (argc=0, argv=0xbffff578) at ifconfig.c:296
>	err = 134639813
>	sa = {sa_family = 5, 
>  sa_data = "\000\000 ü\f\b\004\000\000\000PP\005\b"}
>	sin = {sin_family = 60768, sin_port = 2060, sin_addr = {s_addr = 0}, 
>  sin_zero = "Uâ\006\b\201Q\005\b"}
>	host = "\000\000\000\000`í\f\bû@\f\bP\020\r\bÄòÿ¿UÏ\t\b\200\002", '\0' <repeats 22 times>, "Un\f\b\200\f\r\b(\000\000\000\n\000\000\000ÿÏ\005\bN{\v\b\000\000\000\000\000\000\000\000LD\000\000\016\000\000\000`í\f\b\034\f\r\b\000\000\000\000øòÿ¿nc\a\bî\201\004\b\000\000\000\000\000\000\000\000²öÿ¿º\036\v\b"
>	ap = (struct aftype *) 0x11
>	hw = (struct hwtype *) 0x10
>	ifr = {ifr_ifrn = {ifrn_name = " ÿ\f\b`í\f\b ÿ\f\b ÿ\f\b"}, 
>  ifr_ifru = {ifru_addr = {sa_family = 62064, 
>      sa_data = "ÿ¿)q\006\b ÿ\f\b\200\002\000"}, ifru_dstaddr = {
>      sa_family = 62064, sa_data = "ÿ¿)q\006\b ÿ\f\b\200\002\000"}, 
>    ifru_broadaddr = {sa_family = 62064, 
>      sa_data = "ÿ¿)q\006\b ÿ\f\b\200\002\000"}, ifru_netmask = {
>      sa_family = 62064, sa_data = "ÿ¿)q\006\b ÿ\f\b\200\002\000"}, 
>    ifru_hwaddr = {sa_family = 62064, 
>      sa_data = "ÿ¿)q\006\b ÿ\f\b\200\002\000"}, ifru_flags = -3472, 
>    ifru_ivalue = -1073745296, ifru_mtu = -1073745296, ifru_map = {
>      mem_start = 3221222000, mem_end = 134639913, base_addr = 65440, 
>      irq = 12 '\f', dma = 8 '\b', port = 128 '\200'}, 
>    ifru_slave = "pòÿ¿)q\006\b ÿ\f\b\200\002\000", 
>    ifru_newname = "pòÿ¿)q\006\b ÿ\f\b\200\002\000", 
>    ifru_data = 0xbffff270 "Äòÿ¿UÏ\t\b\200\002"}}
>	goterr = 0
>	didnetmask = 0
>	spp = (char **) 0x80ced60
>	fd = 0
>	sa6 = {sin6_family = 65532, sin6_port = 2060, 
>  sin6_flowinfo = 135069600, sin6_addr = {in6_u = {
>      u6_addr8 = " ÿ\f\b\211\002\000\000!\r\002\000X\020\r\b", u6_addr16 = {
>        65440, 2060, 649, 0, 3361, 2, 4184, 2061}, u6_addr32 = {135069600, 
>        649, 134433, 135073880}}}, sin6_scope_id = 67}
>	ifr6 = {ifr6_addr = {in6_u = {
>      u6_addr8 = "©\017\002\000H\020\r\b\003\000\000\000a~\006\b", 
>      u6_addr16 = {4009, 2, 4168, 2061, 3, 0, 32353, 2054}, u6_addr32 = {
>        135081, 135073864, 3, 134643297}}}, ifr6_prefixlen = 135069600, 
>  ifr6_ifindex = 135064928}
>	prefix_len = 134643297
>	cp = 0x10 <Address 0x10 out of bounds>
>(gdb) info registers
>eax            0x0	0
>ecx            0x6	6
>edx            0x80ced60	135064928
>ebx            0x6e63	28259
>esp            0xbfffea5c	0xbfffea5c
>ebp            0xbfffee78	0xbfffee78
>esi            0xbfffeb20	-1073747168
>edi            0x0	0
>eip            0x805c8b1	0x805c8b1
>eflags         0x200296	2097814
>cs             0x73	115
>ss             0x7b	123
>ds             0x7b	123
>es             0x7b	123
>fs             0x0	0
>gs             0x0	0
>(gdb) x/8i $pc
>0x805c8b1 <kill+17>:	mov    %edx,%ebx
>0x805c8b3 <kill+19>:	cmp    $0xfffff001,%eax
>0x805c8b8 <kill+24>:	jae    0x805c8bb <kill+27>
>0x805c8ba <kill+26>:	ret    
>0x805c8bb <kill+27>:	push   %ebx
>0x805c8bc <kill+28>:	call   0x804824b <__i686.get_pc_thunk.bx>
>0x805c8c1 <kill+33>:	add    $0x7249f,%ebx
>0x805c8c7 <kill+39>:	xor    %edx,%edx
>(gdb) e quit
>The program is running.  Exit anyway? (y or n)

Actions: View

Attachments on bug 58633: 36375 | 36376 | 36377 | 36378 | 36388 | 36449 | 36457 | 37588