Bug 41422 - lspci -vv Segmentation fault due to lspci: stack smashing attack in function show_agp()
Summary: lspci -vv Segmentation fault due to lspci: stack smashing attack in function...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: x86 All
Importance: Normal normal (vote)
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-02-12 15:07 UTC by Adrian Almenar
Modified: 2004-09-08 11:30 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
lspci.strace.log (lspci.strace.log,19.84 KB, text/plain)
2004-02-23 21:20 UTC, Adrian Almenar

Description Adrian Almenar 2004-02-12 15:07:20 UTC
er-murazor root # lspci -vv
0000:00:00.0 Host bridge: Intel Corp. 82845 845 (Brookdale) Chipset Host Bridge (rev 03)
        Subsystem: GVC/BCM Advanced Research: Unknown device 2147
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR-
        Latency: 0
        Region 0: Memory at e0000000 (32-bit, prefetchable)
        Capabilities: [e4] #09 [0104]
        Capabilities: [a0] AGP version 2.0
                Status: RQ=32 Iso- ArqSz=0 Cal=0 SBA+ ITACoh- GART64- HTrans- 64bit- FW+ AGP3- Rate=x1,x2,x4
                Command: RQ=1 ArqSz=0 Cal=0 SBA- AGP+ GART64- 64bit- FW- Rate=x4
lspci: stack smashing attack in function show_agp()
Segmentation fault


er-murazor root # emerge info
Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.3_pre20040207-r0, 2.6.2-mm1)
=================================================================
System uname: 2.6.2-mm1 i686 Intel(R) Pentium(R) 4 CPU 1600MHz
Gentoo Base System version 1.4.3.13
distcc 2.12.1 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59
Automake: sys-devel/automake-1.8.2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer -frename-registers -fstack-protector"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer -frename-registers -fstack-protector"
DISTDIR="/home/distfiles"
FEATURES="autoaddcvs ccache"
GENTOO_MIRRORS="http://gentoo.conectium.com http://gentoo.mirrors.pair.com http://gentoo.linux.no http://gentoo.oregonstate.edu"
MAKEOPTS="-j2"
PKGDIR="/home/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://gentoo.conectium.com/gentoo-portage"
USE="X aalib acpi acpi4linux alsa apache2 apm arts artswrappersuid avi bcel berkdb bidi bsf bsh clamav crypt cscope cups dillo dnd encode ethereal fam foomaticdb freetype gd gdbm gif gpm gstreamer gtk gtk2 imap imlib innodb java javamail jdepend jikes jpeg js jsch junit justify jython kde lcms libwww lids log4j lufsusermount mad maildir md5sum mmx motif mozilla moznocompose moznoirc moznomail mpeg mule mysql ncurses nls nptl offensive oggvorbis opengl openssh optional-tasks oro oss pam pdflib perl pic png ppds python qt quicktime readline regexp samba sasl sdl skey slang slp snmp spell sse ssl svga tcltk tcpd tiff truetype usb vanilla vim-with-x x86 xalan xerces xface xml xml2 xmms xv zlib"
Comment 1 solar (RETIRED) gentoo-dev 2004-02-21 22:45:01 UTC
Adrian,
Sorry nobody has responded quicker.

--------------------------------------------
Portage 2.0.50_pre22 (default-x86-1.4, gcc-3.3.2, glibc-2.3.3_pre20040117-r1, 2.4.24-grsec-1.9.13)
=================================================================
System uname: 2.4.24-grsec-1.9.13 i686 Intel(R) Pentium(R) 4 CPU 1400MHz
Gentoo Base System version 1.4.3.12
distcc 2.5 i686-pc-linux-gnu (protocol 1) (default port 3632) [disabled]
Autoconf: sys-devel/autoconf-2.59
Automake: sys-devel/automake-1.7.8
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=i686 -O3 -pipe -mcpu=pentium4 -fforce-addr  -fPIC -fstack-protector"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=i686 -O3 -pipe -mcpu=pentium4 -fforce-addr  -fPIC -fstack-protector"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg ccache cvs flawfinder noauto noautoaddcvs rats sfperms strict strip suidctl usersandbox"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/home/cvsroot/gentoo-x86/"
PORTDIR_OVERLAY=""
SYNC="rsync://192.168.1.1/gentoo-portage"
USE="3dfx X aalib acpi apic apm avi berkdb bonobo cdr clflush cmov crypt cx8 de dts encode esd etdyn evo foomaticdb fpu fxsr gd gdbm gnome gnomedb gpm gtkhtml guile ht imlib jpeg justify ldap libg++ libwww mad mca mce mikmod mmx motif mozilla moznocompose moznoirc moznomail mozxmlterm mpeg msr mtrr mysql ncurses nls oggvorbis opengl oss pae pam pat pdflib perl pge pic pie png prelude pse pse36 python quicktime readline sdl sep slang snmp spell ss sse sse2 ssl svga tcpd tetex tm truetype tsc ungif vme voodoo3 x86 xinerama xml2 xmms xv zlib"
--------------------------------------------
lspci -vv | grep -i agp
00:01.0 PCI bridge: Intel Corp. 82850 850 (Tehama) Chipset AGP Bridge (rev 02) (prog-if 00 [Normal decode])

-march=i686 -O3 -pipe -mcpu=pentium4 -fforce-addr  -fPIC -fomit-frame-pointer -fstack-protector

solar@simple / $ lspci -vv> /dev/null ; echo $? ; lspci --version
0
lspci version 2.1.11

All looks good for me with these settings, so I tested with yours.

CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer -frename-registers -fstack-protector" emerge pciutils

I just can't get this to trigger. What version of pciutils is this?
Could you also please attach the file in which the show_agp()
function comes from.
Comment 2 Adrian Almenar 2004-02-23 14:52:40 UTC
Solar: This is on another machine, and I have the same problem !! Weird !

angmar root # lspci -vv> /dev/null ; echo $? ; lspci --version
lspci: stack smashing attack in function show_agp()
Segmentation fault
139
lspci version 2.1.11
Comment 3 solar (RETIRED) gentoo-dev 2004-02-23 20:55:55 UTC
strace -i -f lspci -vv
Comment 4 Adrian Almenar 2004-02-23 21:20:43 UTC
Created attachment 26228 [details]
lspci.strace.log
Comment 5 D J Capelis 2004-03-06 16:33:09 UTC
This happens for me as well on my system.  I've tried the code from the mainline distribution of pciutils.  This does not occur there.

The differences between that and gentoo for lspci appear to simply be:

3des pciutils-2.1.11 # diff lspci.c.orig lspci.c
193a194,197
>   if (a->domain < b->domain)
>     return -1;
>   if (a->domain > b->domain)
>     return 1;
245c249,250
<   printf("%02x:%02x.%x %s: %s",
---
>   printf("%04x:%02x:%02x.%x %s: %s",
>        p->domain,


Anyone see an overflow?

Not an isolated incident.  Fails in almost exactly the same way for me:

3des pciutils-2.1.11 # lspci -vv
0000:00:00.0 Host bridge: Intel Corp. 82845G/GL[Brookdale-G]/GE/PE DRAM Controller/Host-Hub Interface (rev 01)
        Subsystem: Micro-Star International Co., Ltd.: Unknown device 5770
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66Mhz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR-
        Latency: 0
        Region 0: Memory at d8000000 (32-bit, prefetchable)
        Capabilities: [e4] #09 [0105]
        Capabilities: [a0] AGP version 2.0
                Status: RQ=32 Iso- ArqSz=0 Cal=0 SBA+ ITACoh- GART64- HTrans- 64bit- FW+ AGP3- Rate=x1,x2,x4
                Command: RQ=1 ArqSz=0 Cal=0 SBA- AGP+ GART64- 64bit- FW- Rate=x4
lspci: stack smashing attack in function show_caps()
Segmentation fault


Different function named as the culprit though... same version of lspci.

Probably similar hardware.
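The question above ("Anyone see an overflow?") concerns the class of defect that -fstack-protector reports as a stack smashing attack: a fixed-size stack buffer written past its end so that the canary next to it is clobbered. The following is an added example, not pciutils code and not a diagnosis of this bug. It uses a hypothetical buffer sized for the older "bb:dd.f" slot format, shows that the domain-prefixed "dddd:bb:dd.f" format needs more bytes than such a buffer holds, and contrasts the unbounded write pattern with a bounded snprintf write that rejects the overrun instead of corrupting the stack. OLD_SLOT_LEN, old_slot_len, new_slot_len, fits_old_buffer and format_slot are all assumed names.

```c
/* Added example, not pciutils code: how a stack buffer sized for one printf
   format is overrun once the format grows, the kind of defect that
   -fstack-protector's canary check reports at function return. */
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer sized for "bb:dd.f": 7 characters plus the NUL. */
#define OLD_SLOT_LEN 8

/* Bytes (excluding the NUL) needed by the old "bb:dd.f" format. */
int old_slot_len(int bus, int dev, int func)
{
    return snprintf(NULL, 0, "%02x:%02x.%x", bus, dev, func);
}

/* Bytes (excluding the NUL) needed by the domain-prefixed format. */
int new_slot_len(int domain, int bus, int dev, int func)
{
    return snprintf(NULL, 0, "%04x:%02x:%02x.%x", domain, bus, dev, func);
}

/* Returns 1 when the new format still fits the old buffer, 0 when an
   unbounded sprintf into OLD_SLOT_LEN bytes would run past its end. The
   length is measured instead of written, so this function never overflows. */
int fits_old_buffer(int domain, int bus, int dev, int func)
{
    return new_slot_len(domain, bus, dev, func) + 1 <= OLD_SLOT_LEN;
}

/* Hardened pattern: bounded write. Returns 0 on success and -1 when the
   output would be truncated, leaving an empty string rather than a partial
   one so callers cannot mistake a cut-off slot name for a real one. */
int format_slot(char *out, size_t outsz, int domain, int bus, int dev, int func)
{
    int n = snprintf(out, outsz, "%04x:%02x:%02x.%x", domain, bus, dev, func);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char big[16];
    char small[OLD_SLOT_LEN];

    printf("old format needs %d bytes, domain format needs %d\n",
           old_slot_len(0, 0, 0), new_slot_len(0, 0, 0, 0));
    printf("fits an %d-byte buffer: %s\n", OLD_SLOT_LEN,
           fits_old_buffer(0, 0, 0, 0) ? "yes" : "no (would smash the stack)");

    if (format_slot(big, sizeof big, 0, 1, 0, 0) == 0)
        printf("bounded write into 16 bytes: %s\n", big);
    if (format_slot(small, sizeof small, 0, 1, 0, 0) != 0)
        printf("bounded write into %d bytes: rejected\n", OLD_SLOT_LEN);
    return 0;
}
```

With -fstack-protector the unbounded variant would abort at return with the "stack smashing attack" message seen in this bug; the bounded variant reports the truncation as a return value, which is what a program should do when a format string outgrows the buffer it was written for.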
Comment 6 solar (RETIRED) gentoo-dev 2004-03-06 16:57:57 UTC
Re: comment #4 (the strace output did not provide any useful info)

FEATURES="nostrip keepwork" CFLAGS="-g -ggdb" emerge pciutils
ulimit -c unlimited
lspci -vv
Do whatever you need to do to get this thing to drop a core then type.
# gdb -q `which lspci` core
# bt full
# disass $eip-0x20 $eip+0x20

Then paste in here.
Comment 7 solar (RETIRED) gentoo-dev 2004-04-25 19:22:35 UTC
Want to help me help you? I still need more debug info here... 
Comment 8 Adrian Almenar 2004-06-20 07:35:13 UTC
Ok, I compiled pciutils
with FEATURES="nostrip keepwork" CFLAGS="-g -ggdb" emerge pciutils
and I no longer get the stack smashing problem; now it's working perfectly.
It's very strange...
Comment 9 Adrian Almenar 2004-06-20 09:04:07 UTC
Compiled again with my default CFLAGS and it got broken again.

got a core file and running gdb on it:

angmar root # gdb -q `which lspci` core
(no debugging symbols found)...Using host libthread_db library "/lib/libthread_db.so.1".
Core was generated by `lspci -vv'.
Program terminated with signal 6, Aborted.

warning: current_sos: Can't read pathname for load map: Input/output error

Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0xffffe410 in ?? ()
(gdb)  bt full
#0  0xffffe410 in ?? ()
No symbol table info available.
#1  0xbffff5d8 in ?? ()
No symbol table info available.
#2  0x40130100 in ?? () from /lib/libc.so.6
No symbol table info available.
#3  0x00000006 in ?? ()
No symbol table info available.
#4  0x40050e06 in kill () from /lib/libc.so.6
No symbol table info available.
#5  0x4003ea21 in __stack_smash_handler () from /lib/libc.so.6
No symbol table info available.
#6  0x08049a04 in ?? ()
No symbol table info available.
#7  0x0805098f in _IO_stdin_used ()
No symbol table info available.
#8  0xae22a500 in ?? ()
No symbol table info available.
#9  0x00000000 in ?? ()
No symbol table info available.
#10 0x00000000 in ?? ()
No symbol table info available.
#11 0x0000002d in ?? ()
No symbol table info available.
#12 0x0000002d in ?? ()
No symbol table info available.
#13 0x0000002d in ?? ()
No symbol table info available.
#14 0x0000002d in ?? ()
No symbol table info available.
#15 0x0000002d in ?? ()
No symbol table info available.
#16 0xbffff628 in ?? ()
No symbol table info available.
#17 0x0000002b in ?? ()
No symbol table info available.
#18 0x0000002d in ?? ()
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#19 0xbffff628 in ?? ()
No symbol table info available.
#20 0xbffff62c in ?? ()
No symbol table info available.
#21 0x4008541d in __overflow () from /lib/libc.so.6
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)
(gdb) disass $eip-0x20 $eip+0x20
Dump of assembler code from 0xffffe3f0 to 0xffffe430:
0xffffe3f0:     add    %al,(%eax)
0xffffe3f2:     add    %al,(%eax)
0xffffe3f4:     add    %al,(%eax)
0xffffe3f6:     add    %al,(%eax)
0xffffe3f8:     add    %al,(%eax)
0xffffe3fa:     add    %al,(%eax)
0xffffe3fc:     add    %al,(%eax)
0xffffe3fe:     add    %al,(%eax)
0xffffe400:     push   %ecx
0xffffe401:     push   %edx
0xffffe402:     push   %ebp
0xffffe403:     mov    %esp,%ebp
0xffffe405:     sysenter
0xffffe407:     nop
0xffffe408:     nop
0xffffe409:     nop
0xffffe40a:     nop
0xffffe40b:     nop
0xffffe40c:     nop
0xffffe40d:     nop
0xffffe40e:     jmp    0xffffe403
0xffffe410:     pop    %ebp
0xffffe411:     pop    %edx
0xffffe412:     pop    %ecx
0xffffe413:     ret
0xffffe414:     add    %al,(%eax)
0xffffe416:     add    %al,(%eax)
0xffffe418:     add    %al,(%eax)
0xffffe41a:     add    %al,(%eax)
0xffffe41c:     add    %al,(%eax)
0xffffe41e:     add    %al,(%eax)
0xffffe420:     pop    %eax
0xffffe421:     mov    $0x77,%eax
0xffffe426:     int    $0x80
0xffffe428:     nop
0xffffe429:     nop
0xffffe42a:     nop
---Type <return> to continue, or q <return> to quit---
0xffffe42b:     nop
0xffffe42c:     nop
0xffffe42d:     nop
0xffffe42e:     nop
0xffffe42f:     nop
End of assembler dump.
(gdb)
Comment 10 solar (RETIRED) gentoo-dev 2004-07-26 07:40:13 UTC
Patch will be going in portage which resolves this problem shortly.

http://marc.theaimsgroup.com/?t=109080349600004&r=1&w=2
Comment 11 solar (RETIRED) gentoo-dev 2004-07-26 07:58:43 UTC
Updated in pciutils-2.1.11-r1.ebuild

Please confirm this fixes the problem for you.
Comment 12 Kevin F. Quinn (RETIRED) gentoo-dev 2004-08-23 10:21:29 UTC
Since Adrian hasn't confirmed, I will, as I saw the same error a while back; seeing this, I built it with debug as commented above to work around it.  With the -r1 ebuild, "lspci -vv" no longer smashes.

Kev.


# emerge --oneshot =sys-apps/pciutils-2.1.11
# lspci -vvv
00:00.0 Host bridge: Silicon Integrated Systems [SiS] 741/741GX/M741 Host (rev 03)
        Subsystem: Unknown device 1849:0741
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66Mhz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort+ >SERR- <PERR-
        Latency: 0
        Region 0: Memory at d0000000 (32-bit, non-prefetchable) [size=64M]
        Capabilities: [c0] AGP version 3.5
                Status: RQ=32 Iso- ArqSz=0 Cal=0 SBA+ ITACoh- GART64- HTrans- 64bit- FW+ AGP3- Rate=x1,x2,x4
                Command: RQ=1 ArqSz=0 Cal=0 SBA- AGP+ GART64- 64bit- FW- Rate=x4
lspci: stack smashing attack in function show_agp()
Aborted

# emerge --oneshot =sys-apps/pciutils-2.1.11-r1
# lspci -vv
0000:00:00.0 Host bridge: Silicon Integrated Systems [SiS] 741/741GX/M741 Host (rev 03)
        Subsystem: Unknown device 1849:0741
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
        Status: Cap+ 66Mhz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort+ >SERR- <PERR-
        Latency: 0
        Region 0: Memory at d0000000 (32-bit, non-prefetchable)
        Capabilities: [c0] AGP version 3.5
                Status: RQ=32 Iso- ArqSz=0 Cal=0 SBA+ ITACoh- GART64- HTrans- 64bit- FW+ AGP3- Rate=x1,x2,x4
                Command: RQ=1 ArqSz=0 Cal=0 SBA- AGP+ GART64- 64bit- FW- Rate=x4

0000:00:01.0 PCI bridge: Silicon Integrated Systems [SiS]: Unknown device 0003 (prog-if 00 [Normal decode])
[...rest snipped - no smash!]

Comment 13 Adrian Almenar 2004-08-30 19:29:24 UTC
I can't confirm this bug, because I'm on AMD64 now; I no longer have x86 hardware to test it. Sorry.
Comment 14 solar (RETIRED) gentoo-dev 2004-09-08 10:19:18 UTC
Closing bug as FIXED
Comment 15 solar (RETIRED) gentoo-dev 2004-09-08 11:30:47 UTC
closed