99487 2005-07-18 23:16 0000 iproute2 2.6.11.20050330 stack overflow in netem/paretonormal.c 2007-04-12 12:02:46 0000 1 1 1 Unclassified Gentoo Linux Core system unspecified All Linux RESOLVED TEST-REQUEST P2 normal --- 1 dirk.heinrichs.ext@nsn.com base-system@gentoo.org casta@xwing.info castan.o@free.fr creideiki+gentoo-bugzilla@lysator.liu.se david+gentoo.org@blue-labs.org howard_b_golden@yahoo.com ikelos@gentoo.org scottfk@yahoo.com taviso@gentoo.org dirk.heinrichs.ext@nsn.com 2005-07-18 23:16:30 0000 gcc -D_GNU_SOURCE -march=pentium3 -O2 -pipe -fomit-frame-pointer -Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -o paretonormal paretonormal.c -lm ./paretonormal >paretonormal.dist paretonormal: stack smashing attack in function main() /bin/sh: line 1: 3238 Aborted ./paretonormal >paretonormal.dist make[1]: *** [paretonormal.dist] Error 134 make[1]: Leaving directory `/gentoo/build/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem' make: *** [all] Error 2 !!! ERROR: sys-apps/iproute2-2.6.11.20050330 failed. Reproducible: Always Steps to Reproduce: emerge iproute2 Actual Results: Portage 2.0.51.22-r1 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r0, 2.6.11.12 i686) ================================================================= System uname: 2.6.11.12 i686 Pentium III (Katmai) Gentoo Base System version 1.6.13 dev-lang/python: 2.3.5, 2.4.1-r1 sys-apps/sandbox: 1.2.11 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d" CXXFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer" DISTDIR="/gentoo/distfiles" FEATURES="autoconfig distlocks sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.osuosl.org" LINGUAS="de" MAKEOPTS="" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/gentoo/build" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 X Xaw3d acl alsa arts athena autofs avi bash-completion berkdb bitmap-fonts bzlib caps cdr crypt cups dga dlloader dnd emacs emboss encode exif fam fbcon font-server foomaticdb gif gpm gtk gtk2 hardened imagemagick imap imlib jpeg kde kdexdeltas largeterminal lcms ldap libg++ libwww logitech-mouse maildir mbox mcal motif mozcalendar moznocompose moznoirc mozsvg mp3 mpeg mule ncurses nls nntp nodroproot nptl nptlonly ogg oggvorbis ooo-kde opengl pam parse-clocks pcre pdflib perl perlsuid pic pie png posix ppds pwdb python qt quicktime readline samba sasl savedconfig serial slang smime socks5 spell sse ssl swig symlink tcltk tcpd tetex threads tiff truetype truetype-fonts type1-fonts usb vim-with-x vorbis wmf wxwindows xml2 xprint xv zlib linguas_de userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS casta@xwing.info 2005-07-19 02:08:12 0000 Same error here but with a grsec/hardened system : ./paretonormal >paretonormal.dist paretonormal: stack smashing attack in function main() Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to /var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0 Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to /var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0 =========================== Portage 2.0.51.22-r1 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r0, 2.6.11-xwing-r3 i686) ================================================================= System uname: 2.6.11-xwing-r3 i686 Intel(R) Celeron(R) CPU 2.53GHz Gentoo Base System version 1.6.13 dev-lang/python: 2.4.1-r1 sys-apps/sandbox: 1.2.11 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 sys-devel/binutils: 2.16.1 sys-devel/libtool: 1.5.18-r1 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86 ~x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildsyspkg candy ccache distlocks sandbox sfperms strict userpriv usersandbox" GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/ http://ftp.gentoo.skynet.be/pub/gentoo/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/" LANG="fr_FR.UTF-8" LC_ALL="fr_FR.UTF-8" LINGUAS="fr" PKGDIR="/usr/portage//packages/x86/" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage/" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 4kstacks X509 acl acpi acpi4linux apache2 bash-completion berkdb clamav crypt dba dbx dga dlloader enscript extensions fbcon freetype fs gd gdbm gif hardened idled imagemagick imap imlib2 ipv6 ithreads jpeg maildir md5sum mmx mysql ncurses nls nptl nptlonly pam perl pic png prelude print python readline rrdtool samba sasl slang smartcard sqlite sse sse2 ssl tcpd threads tiff truetype truetype-fonts type1 type1-fonts unicode usb userlocales xml2 zlib linguas_fr userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS solar@gentoo.org 2005-07-19 05:01:26 0000 paretonormal.c:58:Bounds error: array reference (16384) outside bounds of the array. paretonormal.c:58: Pointer value: 0x5897e5d0 paretonormal.c:58: Object `table': paretonormal.c:58: Address in memory: 0x5895e5d0 .. 0x5897e5cf paretonormal.c:58: Size: 131072 bytes paretonormal.c:58: Element size: 8 bytes paretonormal.c:58: Number of elements: 16384 paretonormal.c:58: Created at: paretonormal.c, line 54 paretonormal.c:58: Storage class: stack ----------------------------------- solar@gentoo.org 2005-07-19 05:04:26 0000 Created an attachment (id=63771) iproute2-paretonormal-overflow.patch patch to keep paretonormal from overflowing on itself. solar@gentoo.org 2005-07-19 05:08:53 0000 Taviso here is a local stack overflow. solar@gentoo.org 2005-07-19 05:25:36 0000 Here is another one. maketable.c:152:Bounds error: attempt to reference memory overrunning the end of an object. maketable.c:152: Pointer value: 0x14049000, Size: 2 maketable.c:152: Object `malloc': maketable.c:152: Address in memory: 0x14047000 .. 0x14048fff maketable.c:152: Size: 8192 bytes maketable.c:152: Element size: 1 bytes maketable.c:152: Number of elements: 8192 maketable.c:152: Created at: maketable.c, line 141 maketable.c:152: Storage class: heap vapier@gentoo.org 2005-07-19 19:04:04 0000 latest snapshot (dated Jun 06) seems to have this issue too e-mailed iproute2 dev about the issue vapier@gentoo.org 2005-07-19 19:05:14 0000 just to note, this isnt a security issue because none of the netem utilites are actually installed ... they are used to generate some data tables and the tables are installed gentoo-bugs@seyffer.de 2005-08-08 08:25:54 0000 Solar, your patch works fine here. Thanks. :) jontodaro@gmail.com 2005-08-09 13:35:04 0000 Any date when this will be implemented into the portage tree? vapier@gentoo.org 2005-08-09 15:33:52 0000 i expected to hear back from the iproute2 maintainer but that hasnt happened ... ive added the patch here to the build but that still doesnt address maketable.c scottfk@yahoo.com 2005-08-19 09:15:57 0000 Created an attachment (id=66325) an ebuild for the latest iproute2 release The latest release from http://developer.osdl.org/dev/iproute2/download/ with the same Gentoo patches as iproute2-2.6.11.20050330.ebuild. scottfk@yahoo.com 2005-08-19 09:17:29 0000 I've posted an ebuild for the latest (050816) release of iproute2. It compiles clean for me. Maybe this is what the iproute2 maintainer has been waiting for, an upstream fix. jakub@gentoo.org 2007-04-01 20:47:04 0000 Stale bug, reopen if you have the same problem w/ uptodate versions. Thanks. 63771 2005-07-19 05:04 0000 iproute2-paretonormal-overflow.patch iproute2-paretonormal-overflow.patch text/plain LS0tIG5ldGVtL3BhcmV0b25vcm1hbC5jCTIwMDUtMDctMTkgMDc6NTg6MjYuMDAwMDAwMDAwIC0w NDAwCisrKyBuZXRlbS9wYXJldG9ub3JtYWwuYwkyMDA1LTA3LTE5IDA3OjU5OjAxLjAwMDAwMDAw MCAtMDQwMApAQCAtNTUsNiArNTUsNyBAQAogCiAJZm9yICh4ID0gLTEwLjA7IHggPCAxMC4wNTsg eCArPSAuMDAwMDUpIHsKIAkJaSA9IHJpbnQoVEFCTEVTSVpFKm5vcm1hbCh4LCAwLjAsIDEuMCkp OworCQlpZiAoaSA+PSBUQUJMRVNJWkUpIGJyZWFrOwogCQl0YWJsZVtpXSA9IHg7CiAJfQogCXBy aW50ZigK 66325 2005-08-19 09:15 0000 an ebuild for the latest iproute2 release iproute2-050816.ebuild text/plain aW5oZXJpdCBldXRpbHMgdG9vbGNoYWluLWZ1bmNzCgpERVNDUklQVElPTj0ia2VybmVsIHJvdXRp bmcgYW5kIHRyYWZmaWMgY29udHJvbCB1dGlsaXRpZXMiCkhPTUVQQUdFPSJodHRwOi8vZGV2ZWxv cGVyLm9zZGwub3JnL2Rldi9pcHJvdXRlMi8iClNSQ19VUkk9Imh0dHA6Ly9kZXZlbG9wZXIub3Nk bC5vcmcvZGV2L2lwcm91dGUyL2Rvd25sb2FkLyR7UE59LSR7UFZ9LnRhci5neiIKCkxJQ0VOU0U9 IkdQTC0yIgpTTE9UPSIwIgpLRVlXT1JEUz0ifmFscGhhIH5hbWQ2NCB+YXJtIH5ocHBhIH5pYTY0 IH5taXBzIH5wcGMgfnBwYzY0IH5zMzkwIH5zcGFyYyB+eDg2IgpJVVNFPSJhdG0gYmVya2RiIG1p bmltYWwiCgpSREVQRU5EPSIhbWluaW1hbD8gKCBiZXJrZGI/ICggc3lzLWxpYnMvZGIgKSApCglh dG0/ICggbmV0LWRpYWx1cC9saW51eC1hdG0gKSIKREVQRU5EPSIke1JERVBFTkR9Cgk+PXZpcnR1 YWwvb3MtaGVhZGVycy0yLjQuMjEiCgpTPSR7V09SS0RJUn0vJHtQTn0tJHtQVn0KCnNyY191bnBh Y2soKSB7Cgl1bnBhY2sgJHtBfQoJY2QgIiR7U30iCglzZWQgLWkgLWUgInM6LU8yOiR7Q0ZMQUdT fToiIE1ha2VmaWxlIHx8IGRpZSAic2VkIE1ha2VmaWxlIGZhaWxlZCIKCWVwYXRjaCAiJHtGSUxF U0RJUn0iL2lwcm91dGUyLTIuNi4xMS4yMDA1MDMzMC1zdGFjay5wYXRjaAoJIzY4OTQ4IC0gZXNm cS93cnIgcGF0Y2hlcwoJZXBhdGNoIFwKCQkiJHtGSUxFU0RJUn0iLzIuNi4xMi1yYzEtZXNmcS5w YXRjaCBcCgkJIiR7RklMRVNESVJ9Ii9pcHJvdXRlMi0yLjYuMTEuMjAwNTAzMzAtd3JyLnBhdGNo CgkjIGRvbid0IGJ1aWxkIGFycGQgaWYgVVNFPS1iZXJrZGIgIzgxNjYwCgl1c2UgYmVya2RiIHx8 IHNlZCAtaSAnL15UQVJHRVRTPS9zOiBhcnBkIDogOicgbWlzYy9NYWtlZmlsZQoJIyBNdWx0aWxp YiBmaXhlcwoJc2VkIC1pICdzOi91c3IvbG9jYWw6L3VzcjonIHRjL21faXB0LmMKCXNlZCAtaSAi czovdXNyL2xpYi90YzovdXNyLyQoZ2V0X2xpYmRpcikvdGM6ZyIgXAoJCXRjL01ha2VmaWxlIHRj L3RjLmMgdGMvcV9uZXRlbS5jIHx8IGRpZQp9CgpzcmNfY29tcGlsZSgpIHsKCWVjaG8gLW4gJ1RD X0NPTkZJR19BVE06PScgPiBDb25maWcKCXVzZSBhdG0gXAoJCSYmIGVjaG8gJ3knID4+IENvbmZp ZyBcCgkJfHwgZWNobyAnbicgPj4gQ29uZmlnCgoJbG9jYWwgU1VCRElSUz0ibGliIGlwIHRjIG1p c2MgbmV0ZW0iCgl1c2UgbWluaW1hbCAmJiBTVUJESVJTPSJsaWIgdGMiCgllbWFrZSBcCgkJQ0M9 IiQodGMtZ2V0Q0MpIiBcCgkJQVI9IiQodGMtZ2V0QVIpIiBcCgkJU1VCRElSUz0iJHtTVUJESVJT fSIgXAoJCXx8IGRpZSAibWFrZSIKfQoKc3JjX2luc3RhbGwoKSB7CglpZiB1c2UgbWluaW1hbDsg dGhlbgoJCWludG8gLwoJCWRvc2JpbiB0Yy90YyB8fCBkaWUgIm1pbmltYWwiCgkJcmV0dXJuIDAK CWZpCgoJbWFrZSBcCgkJREVTVERJUj0iJHtEfSIgXAoJCVNCSU5ESVI9L3NiaW4gXAoJCURPQ0RJ Uj0vdXNyL3NoYXJlL2RvYy8ke1BGfSBcCgkJaW5zdGFsbCBcCgkJfHwgZGllICJtYWtlIGluc3Rh bGwgZmFpbGVkIgoJaWYgdXNlIGJlcmtkYiA7IHRoZW4KCQkjIGJ1ZyA0NzQ4MiwgYXJwZCBkb2Vz bid0IG5lZWQgdG8gYmUgaW4gL3NiaW4KCQlkb2RpciAvdXNyL3NiaW4KCQltdiAiJHtEfSIvc2Jp bi9hcnBkICIke0R9Ii91c3Ivc2Jpbi8KCWZpCn0K