Bug 99487 - iproute2 2.6.11.20050330 stack overflow in netem/paretonormal.c
Bug#: 99487 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: TEST-REQUEST Assigned To: base-system@gentoo.org Reported By: dirk.heinrichs.ext@nsn.com
Component: Core system
URL: 
Summary: iproute2 2.6.11.20050330 stack overflow in netem/paretonormal.c
Keywords:  
Status Whiteboard: 
Opened: 2005-07-18 23:16 0000
Description:   Opened: 2005-07-18 23:16 0000 
gcc -D_GNU_SOURCE -march=pentium3 -O2 -pipe -fomit-frame-pointer 
-Wstrict-prototypes -Wall -I../include -DRESOLVE_HOSTNAMES -o paretonormal 
paretonormal.c -lm 
./paretonormal >paretonormal.dist 
paretonormal: stack smashing attack in function main() 
/bin/sh: line 1:  3238 Aborted                 ./paretonormal 
>paretonormal.dist 
make[1]: *** [paretonormal.dist] Error 134 
make[1]: Leaving directory 
`/gentoo/build/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem' 
make: *** [all] Error 2 
 
!!! ERROR: sys-apps/iproute2-2.6.11.20050330 failed. 
 

Reproducible: Always
Steps to Reproduce:
emerge iproute2 
Actual Results:  
 


Portage 2.0.51.22-r1 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r0, 
2.6.11.12 i686) 
================================================================= 
System uname: 2.6.11.12 i686 Pentium III (Katmai) 
Gentoo Base System version 1.6.13 
dev-lang/python:     2.3.5, 2.4.1-r1 
sys-apps/sandbox:    1.2.11 
sys-devel/autoconf:  2.13, 2.59-r7 
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6 
sys-devel/binutils:  2.16.1 
sys-devel/libtool:   1.5.18-r1 
virtual/os-headers:  2.6.11-r2 
ACCEPT_KEYWORDS="x86 ~x86" 
AUTOCLEAN="yes" 
CBUILD="i686-pc-linux-gnu" 
CFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/texmf/web2c /etc/env.d" 
CXXFLAGS="-march=pentium3 -O2 -pipe -fomit-frame-pointer" 
DISTDIR="/gentoo/distfiles" 
FEATURES="autoconfig distlocks sandbox sfperms strict" 
GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ 
ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ 
http://ftp.easynet.nl/mirror/gentoo/ 
http://ftp.snt.utwente.nl/pub/os/linux/gentoo 
http://ftp.uni-erlangen.de/pub/mirrors/gentoo http://gentoo.osuosl.org" 
LINGUAS="de" 
MAKEOPTS="" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/gentoo/build" 
PORTDIR="/usr/portage" 
PORTDIR_OVERLAY="/usr/local/portage" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
USE="x86 X Xaw3d acl alsa arts athena autofs avi bash-completion berkdb 
bitmap-fonts bzlib caps cdr crypt cups dga dlloader dnd emacs emboss encode 
exif fam fbcon font-server foomaticdb gif gpm gtk gtk2 hardened imagemagick 
imap imlib jpeg kde kdexdeltas largeterminal lcms ldap libg++ libwww 
logitech-mouse maildir mbox mcal motif mozcalendar moznocompose moznoirc 
mozsvg mp3 mpeg mule ncurses nls nntp nodroproot nptl nptlonly ogg oggvorbis 
ooo-kde opengl pam parse-clocks pcre pdflib perl perlsuid pic pie png posix 
ppds pwdb python qt quicktime readline samba sasl savedconfig serial slang 
smime socks5 spell sse ssl swig symlink tcltk tcpd tetex threads tiff truetype 
truetype-fonts type1-fonts usb vim-with-x vorbis wmf wxwindows xml2 xprint xv 
zlib linguas_de userland_GNU kernel_linux elibc_glibc" 
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS

------- Comment #1 From Guillaume Castagnino 2005-07-19 02:08:12 0000 ------- 
Same error here but with a grsec/hardened system :

./paretonormal >paretonormal.dist
paretonormal: stack smashing attack in function main()
Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to
/var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0
Jul 19 10:43:18 xwing grsec: From 83.197.2.247: signal 6 sent to
/var/tmp/portage/iproute2-2.6.11.20050330/work/iproute2-2.6.11-050330/netem/paretonormal[paretonormal:1419]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:6115] uid/euid:0/0 gid/egid:0/0

===========================

Portage 2.0.51.22-r1 (hardened/x86/2.6, gcc-3.4.4, glibc-2.3.5-r0,
2.6.11-xwing-r3 i686)
=================================================================
System uname: 2.6.11-xwing-r3 i686 Intel(R) Celeron(R) CPU 2.53GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.4.1-r1
sys-apps/sandbox:    1.2.11
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer -funroll-loops
-pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4 -O2 -mtune=pentium4 -fomit-frame-pointer
-funroll-loops -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg candy ccache distlocks sandbox sfperms strict
userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/
http://ftp.gentoo.skynet.be/pub/gentoo/
http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
LANG="fr_FR.UTF-8"
LC_ALL="fr_FR.UTF-8"
LINGUAS="fr"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 4kstacks X509 acl acpi acpi4linux apache2 bash-completion berkdb clamav
crypt dba dbx dga dlloader enscript extensions fbcon freetype fs gd gdbm gif
hardened idled imagemagick imap imlib2 ipv6 ithreads jpeg maildir md5sum mmx
mysql ncurses nls nptl nptlonly pam perl pic png prelude print python readline
rrdtool samba sasl slang smartcard sqlite sse sse2 ssl tcpd threads tiff
truetype truetype-fonts type1 type1-fonts unicode usb userlocales xml2 zlib
linguas_fr userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LDFLAGS, MAKEOPTS

------- Comment #2 From solar 2005-07-19 05:01:26 0000 ------- 
paretonormal.c:58:Bounds error: array reference (16384) outside bounds of the
array.
paretonormal.c:58:  Pointer value: 0x5897e5d0
paretonormal.c:58:  Object `table':
paretonormal.c:58:    Address in memory:    0x5895e5d0 .. 0x5897e5cf
paretonormal.c:58:    Size:                 131072 bytes
paretonormal.c:58:    Element size:         8 bytes
paretonormal.c:58:    Number of elements:   16384
paretonormal.c:58:    Created at:           paretonormal.c, line 54
paretonormal.c:58:    Storage class:        stack

-----------------------------------

------- Comment #3 From solar 2005-07-19 05:04:26 0000 ------- 
Created an attachment (id=63771) [details]
iproute2-paretonormal-overflow.patch

patch to keep paretonormal from overflowing on itself.

------- Comment #4 From solar 2005-07-19 05:08:53 0000 ------- 
Taviso here is a local stack overflow.

------- Comment #5 From solar 2005-07-19 05:25:36 0000 ------- 
Here is another one.

maketable.c:152:Bounds error: attempt to reference memory overrunning the end of
an object.
maketable.c:152:  Pointer value: 0x14049000, Size: 2
maketable.c:152:  Object `malloc':
maketable.c:152:    Address in memory:    0x14047000 .. 0x14048fff
maketable.c:152:    Size:                 8192 bytes
maketable.c:152:    Element size:         1 bytes
maketable.c:152:    Number of elements:   8192
maketable.c:152:    Created at:           maketable.c, line 141
maketable.c:152:    Storage class:        heap

------- Comment #6 From SpanKY 2005-07-19 19:04:04 0000 ------- 
latest snapshot (dated Jun 06) seems to have this issue too

e-mailed iproute2 dev about the issue

------- Comment #7 From SpanKY 2005-07-19 19:05:14 0000 ------- 
just to note, this isnt a security issue because none of the netem utilites are
actually installed ... they are used to generate some data tables and the tables
are installed

------- Comment #8 From Daniel Seyffer 2005-08-08 08:25:54 0000 ------- 
Solar, your patch works fine here. Thanks. :)

------- Comment #9 From Jon Todaro 2005-08-09 13:35:04 0000 ------- 
Any date when this will be implemented into the portage tree?

------- Comment #10 From SpanKY 2005-08-09 15:33:52 0000 ------- 
i expected to hear back from the iproute2 maintainer but that hasnt happened
...

ive added the patch here to the build but that still doesnt address maketable.c

------- Comment #11 From scott 2005-08-19 09:15:57 0000 ------- 
Created an attachment (id=66325) [details]
an ebuild for the latest iproute2 release

The latest release from http://developer.osdl.org/dev/iproute2/download/ with
the same Gentoo patches as iproute2-2.6.11.20050330.ebuild.

------- Comment #12 From scott 2005-08-19 09:17:29 0000 ------- 
I've posted an ebuild for the latest (050816) release of iproute2.  It compiles
clean for me.

Maybe this is what the iproute2 maintainer has been waiting for, an upstream fix.

------- Comment #13 From Jakub Moc (RETIRED) 2007-04-01 20:47:04 0000 ------- 
Stale bug, reopen if you have the same problem w/ uptodate versions. Thanks.