| Summary: | iproute2 2.6.11.20050330 stack overflow in netem/paretonormal.c | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Dirk Heinrichs <dirk.heinrichs.ext> |
| Component: | [OLD] Core system | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED TEST-REQUEST | | |
| Severity: | normal | CC: | casta, castan.o, creideiki+gentoo-bugzilla, david+gentoo.org, howard_b_golden, ikelos, scottfk, taviso |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Attachments:
- iproute2-paretonormal-overflow.patch
- an ebuild for the latest iproute2 release
Description
Dirk Heinrichs
2005-07-18 23:16:30 UTC
Same error here but with a grsec/hardened system:

```
./paretonormal >paretonormal.dist
paretonormal: stack smashing attack in function main()
Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to /var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0
Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to /var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0
```

```
===========================
Portage 2.0.51.22-r1 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r0, 2.6.11-xwing-r3 i686)
=================================================================
System uname: 2.6.11-xwing-r3 i686 Intel(R) Celeron(R) CPU 2.53GHz
Gentoo Base System version 1.6.13
dev-lang/python: 2.4.1-r1
sys-apps/sandbox: 1.2.11
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.18-r1
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg candy ccache distlocks sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/ http://ftp.gentoo.skynet.be/pub/gentoo/ http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LINGUAS="fr"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 4kstacks X509 acl acpi acpi4linux apache2 bash-completion berkdb clamav crypt dba dbx dga dlloader enscript extensions fbcon freetype fs gd gdbm gif hardened idled imagemagick imap imlib2 ipv6 ithreads jpeg maildir md5sum mmx mysql ncurses nls nptl nptlonly pam perl pic png prelude print python readline rrdtool samba sasl slang smartcard sqlite sse sse2 ssl tcpd threads tiff truetype truetype-fonts type1 type1-fonts unicode usb userlocales xml2 zlib linguas_fr userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS
```

```
paretonormal.c:58:Bounds error: array reference (16384) outside bounds of the array.
paretonormal.c:58: Pointer value: 0x5897e5d0
paretonormal.c:58: Object `table':
paretonormal.c:58: Address in memory: 0x5895e5d0 .. 0x5897e5cf
paretonormal.c:58: Size: 131072 bytes
paretonormal.c:58: Element size: 8 bytes
paretonormal.c:58: Number of elements: 16384
paretonormal.c:58: Created at: paretonormal.c, line 54
paretonormal.c:58: Storage class: stack
```

Created attachment 63771
iproute2-paretonormal-overflow.patch
Patch to keep paretonormal from overflowing on itself.
Taviso
Here is a local stack overflow. Here is another one.

```
maketable.c:152:Bounds error: attempt to reference memory overrunning the end of an object.
maketable.c:152: Pointer value: 0x14049000, Size: 2
maketable.c:152: Object `malloc':
maketable.c:152: Address in memory: 0x14047000 .. 0x14048fff
maketable.c:152: Size: 8192 bytes
maketable.c:152: Element size: 1 bytes
maketable.c:152: Number of elements: 8192
maketable.c:152: Created at: maketable.c, line 141
maketable.c:152: Storage class: heap
```

Latest snapshot (dated Jun 06) seems to have this issue too.

E-mailed iproute2 dev about the issue.

Just to note, this isn't a security issue because none of the netem utilities are actually installed ... they are used to generate some data tables and the tables are installed.

Solar, your patch works fine here. Thanks. :)

Any date when this will be implemented into the portage tree?

I expected to hear back from the iproute2 maintainer but that hasn't happened ... I've added the patch here to the build but that still doesn't address maketable.c.

Created attachment 66325
an ebuild for the latest iproute2 release
The latest release from http://developer.osdl.org/dev/iproute2/download/ with the same Gentoo patches as iproute2-2.6.11.20050330.ebuild.

I've posted an ebuild for the latest (050816) release of iproute2. It compiles clean for me. Maybe this is what the iproute2 maintainer has been waiting for, an upstream fix.

Stale bug, reopen if you have the same problem w/ up-to-date versions. Thanks.
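To make the two bounds-checker reports in this thread concrete, here is an added C example; it is not code from iproute2 or from anyone in the thread. It recovers the faulting element index from a report's base address, pointer value and element size (the thread's figures give index 16384 of 16384 and byte 8192 of 8192), and shows the inclusive table-fill loop that such an off-by-one typically comes from, with a checked writer that refuses the write at index TABLESIZE instead of smashing the stack; the generator loop and its x*x curve are a hypothetical stand-in, not paretonormal.c's maths.

```c
/* Added example, not iproute2 code: inclusive table-fill off-by-one (16384-entry
 * table, index 16384) with a checked writer, plus index recovery from a report. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define TABLESIZE 16384   /* element count from the paretonormal.c report */

/* Write tbl[i] only if i < n; otherwise refuse (return -1) and touch nothing. */
static int write_entry(double *tbl, size_t n, size_t i, double v)
{
    if (i >= n)
        return -1;
    tbl[i] = v;
    return 0;
}

/* Hypothetical generator (stand-in, not paretonormal.c's maths): fills
 * i = 0..steps INCLUSIVE, i.e. steps+1 entries, with the curve x*x.
 * Returns how many writes were refused: 1 when n == steps (the slot one past
 * the end, which the stack protector caught), 0 when n == steps + 1. */
static size_t build_table(double *tbl, size_t n, size_t steps)
{
    size_t refused = 0;
    for (size_t i = 0; i <= steps; i++) {
        double x = (double)i / (double)steps;
        if (write_entry(tbl, n, i, x * x) != 0)
            refused++;
    }
    return refused;
}

/* Fill a TABLESIZE-step table into a heap buffer of `slots` entries; returns refused writes. */
static size_t refused_with(size_t slots)
{
    double *tbl = calloc(slots, sizeof *tbl);
    if (tbl == NULL)
        return (size_t)-1;
    size_t refused = build_table(tbl, slots, TABLESIZE);
    free(tbl);
    return refused;
}

/* Element index implied by a report: (pointer - base) / element size.
 * The access is in bounds only if this is below the reported element count;
 * the thread's figures give 16384 of 16384 and byte 8192 of 8192. */
static int64_t report_index(uint64_t base, uint64_t ptr, uint64_t elem_size)
{
    return (int64_t)((ptr - base) / elem_size);
}
```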