Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 162169 - gnome-base/libgtop Buffer overflow
Summary: gnome-base/libgtop Buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: A2? [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2007-01-15 08:20 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-02-11 10:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-15 08:20:33 UTC 
Liu Qishuai reported a stack overflow in libgtop2 in Launchpad:

https://launchpad.net/bugs/79206

I could reproduce it on Ubuntu feisty on AMD64.
libgtop2 is 2.14.5-0ubuntu1.

Steps to reproduce:
 export dir=$(perl -e " print 's/'x1000;")
 mkdir -p $dir
 cp /bin/sleep $dir
 $dir/sleep 100 &
 gnome-system-monitor

gnome-system-monitor aborts with
*** stack smashing detected ***: gnome-system-monitor terminated
Aborted

A backtrace leads to
(gdb) frame 4
#4 0x00002b24888ee7e6 in glibtop_get_proc_map_s (server=0x2b2488af38a0,
buf=0x7fff23c825e0, pid=9755472)
    at procmap.c:229

I've started to look for the problem:

The problematic code is in sysdeps/linux/procmap.c: glibtop_get_proc_map_s()

155 char line[1024];
[...]
164 char filename [GLIBTOP_MAP_FILENAME_LEN+1];
165
166 glibtop_map_entry *entry;
167
168 if (!fgets(line, sizeof line, maps))
169 break;
170
171 /* 8 arguments */
172 rv = sscanf(line, PROC_MAPS_FORMAT,
173 &start, &end, flags, &offset,
174 &dev_major, &dev_minor, &inode, filename);

GLIBTOP_MAP_FILENAME_LEN is 215 (include/glibtop/procmap.h)
PROC_MAPS_FORMAT is defined as "%16llx-%16llx %4c %16llx %02hx:%02hx %llu%*[
]%[^\n]\n"

maps is /proc/<pid>/smaps and the first line looks in this case like
00400000-00404000 r-xp 00000000 08:07 1849138
/home/michael/tmp/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/[...]

After the sscanf 'filename' contains the filename which is much longer than the
char array and overflows into the stack.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-15 23:45:59 UTC 
Same as bug 162092, you can fill the Whiteboard and maintainer fields please :)
It will help me/us a lot.

Sune, is this local only? not suid?
Comment 2 Mart Raudsepp gentoo-dev 2007-01-16 08:09:06 UTC 
libgtop-2.14.6 is in the tree now, which includes the fix.
Please proceed as you see fit.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2007-01-16 14:33:00 UTC 
thanks leio.

Arches, please test and stable libgtop-2.14.6, thanks
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-01-16 17:16:01 UTC 
ppc stable
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-01-16 18:27:55 UTC 
sparc stable.
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2007-01-16 18:49:11 UTC 
Alpha done.
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2007-01-16 21:51:43 UTC 
amd64 done
Comment 8 Bo Ørsted Andresen (RETIRED) gentoo-dev 2007-01-17 03:29:01 UTC 
1) emerges ok
2) passes collision test
3) works with gnome-system-monitor

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19-suspend2-r1 i686)
=================================================================
System uname: 2.6.19-suspend2-r1 i686 Intel(R) Pentium(R) M processor 1600MHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 17 Jan 2007 00:30:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -Os -pipe -ggdb3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /lib/modules /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=pentium-m -Os -pipe -ggdb3"
DISTDIR="/opt/distfiles"
FEATURES="autoconfig buildpkg ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms splitdebug strict test userfetch"
GENTOO_MIRRORS="http://mirror.uni-c.dk/pub/gentoo http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo"
LANG="en_GB.utf8"
LINGUAS="da en en_GB"
MAKEOPTS="-j2"
PKGDIR="/opt/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=60"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/paludis/repositories/gentoo"
PORTDIR_OVERLAY="/var/paludis/repositories/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X aac acpi aiglx alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938 alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0 alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol asf avahi bash-completion berkdb bitmap-fonts bluetooth branding bzip2 cairo cdr cli cracklib crypt css cups dlloader dri dvd dvdr elibc_glibc emboss encode fam fat fbcon ffmpeg firefox flac fortran gdbm gif gnokii gphoto2 gpm hal i8x0 iconv ieee1394 imagemagick input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics input_devices_void irda irmc isdnlog jfs jpeg kcal kde kdehiddenvisibility kernel_linux lcd libg++ linguas_da linguas_en linguas_en_GB lm_sensors logitech-mouse mad mikmod mmx mmxext mp3 mpeg mplayer msn musicbrainz ncurses network nls nptl nptlonly nsplugin ntfs ogg opengl pam pcre pdf perl png ppds pppd python qt3 quicktime rdesktop readline real reflection reiser4 reiserfs ruby scanner sdl session slp sms spell spl sse sse2 ssl subversion svg svga syslog tcpd test tetex tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_fbdev video_cards_fglrx video_cards_i810 video_cards_radeon video_cards_vesa vim vim-syntax vorbis wifi win32codecs xcomposite xfs xine xml xorg xscreensaver xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-01-17 07:40:12 UTC 
x86 stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2007-01-17 07:51:12 UTC 
ppc64 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2007-01-18 07:27:59 UTC 
Stable for HPPA.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-23 09:33:10 UTC 
GLSA 200701-17

thanks everyone

arm/ia64, don't forget to mark stable to benefit from the GLSA