Trickle fails when compiled with propolice (-fstack-protector) with the following error message:
stack smashing attack in function read()
Compiled without propolice, it works quite fine.
What's going on there? Isn't there any dev who is interested in fixing this issue? I've added hardened because I think it's their métier.
Lars, your bug here lacks a lot of the standard needed info. Bugs that lack the basic info tend to be ignored. Post the output of 'emerge info' please. (Do that for every bug you ever open.) Then we need to know what version of Trickle fails to compile. ssp triggering on a read() is pretty bad. How can we reproduce this error?
That's true, I'm really sorry. I'd been a little bit angry without having a reason, sorry. Here is the testcase:

$ rsync -vPe "trickle -d 8 -s ssh" remotehost:test* .
ssh: stack smashing attack in function read()
rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(189)

$ rsync -vPe "strace trickle -d 8 -s ssh" keks:test* .
execve("/usr/bin/trickle", ["trickle", "-d", "8", "-s", "ssh", "keks", "rsync", "--server", "--sender", "-v", "--partial", ".", "test*"], [/* 49 vars */]) = 0
uname({sys="Linux", node="mabuse", ...}) = 0
brk(0) = 0x804b000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=61112, ...}) = 0
mmap2(NULL, 61112, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fdb000
close(3) = 0
open("/lib/libnsl.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`;\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=80320, ...}) = 0
mmap2(NULL, 88320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fc5000
mmap2(0xb7fd7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11) = 0xb7fd7000
mmap2(0xb7fd9000, 6400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fd9000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10712, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc4000
mmap2(NULL, 12392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fc0000
mmap2(0xb7fc2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7fc2000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360P\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1231792, ...}) = 0
mmap2(NULL, 1158412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ea5000
mprotect(0xb7fb9000, 27916, PROT_NONE) = 0
mmap2(0xb7fba000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x114) = 0xb7fba000
mmap2(0xb7fbe000, 7436, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fbe000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ea4000
mprotect(0xb7fba000, 4096, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ea46c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7fdb000, 61112) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "t\253b\233", 4) = 4
close(3) = 0
brk(0) = 0x804b000
brk(0x806c000) = 0x806c000
execve("/usr/local/bin/ssh", ["ssh", "keks", "rsync", "--server", "--sender", "-v", "--partial", ".", "test*"], [/* 58 vars */]) = -1 ENOENT (No such file or directory)
execve("/usr/bin/ssh", ["ssh", "keks", "rsync", "--server", "--sender", "-v", "--partial", ".", "test*"], [/* 58 vars */]) = 0
uname({sys="Linux", node="mabuse", ...}) = 0
brk(0) = 0x8089000
open("/usr/lib/trickle/trickle-overload.so", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \22\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=25184, ...}) = 0
mmap2(NULL, 27472, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fe3000
mmap2(0xb7fe9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5) = 0xb7fe9000
close(3) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=61112, ...}) = 0
mmap2(NULL, 61112, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd4000
close(3) = 0
open("/lib/libresolv.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0%\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=69060, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd3000
mmap2(NULL, 80116, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fbf000
mmap2(0xb7fcf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf) = 0xb7fcf000
mmap2(0xb7fd1000, 6388, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fd1000
close(3) = 0
open("/usr/lib/libcrypto.so.0.9.7", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\317"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0555, st_size=1285492, ...}) = 0
mmap2(0x49841000, 1264184, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x49841000
mmap2(0x49961000, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x120) = 0x49961000
mmap2(0x49972000, 14904, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x49972000
mprotect(0xbffff000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
close(3) = 0
open("/lib/libutil.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\r\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10488, ...}) = 0
mmap2(NULL, 12444, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fbb000
mmap2(0xb7fbd000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7fbd000
close(3) = 0
open("/lib/libz.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\24\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=73840, ...}) = 0
mmap2(NULL, 75652, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7fa8000
mmap2(0xb7fba000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11) = 0xb7fba000
close(3) = 0
open("/lib/libnsl.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`;\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=80320, ...}) = 0
mmap2(NULL, 88320, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f92000
mmap2(0xb7fa4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11) = 0xb7fa4000
mmap2(0xb7fa6000, 6400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fa6000
close(3) = 0
open("/lib/libcrypt.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\t\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=22608, ...}) = 0
mmap2(NULL, 184636, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f64000
mmap2(0xb7f69000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0xb7f69000
mmap2(0xb7f6b000, 155964, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f6b000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360P\1"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1231792, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f63000
mmap2(NULL, 1158412, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e48000
mprotect(0xb7f5c000, 27916, PROT_NONE) = 0
mmap2(0xb7f5d000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x114) = 0xb7f5d000
mmap2(0xb7f61000, 7436, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f61000
close(3) = 0
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\v\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=10712, ...}) = 0
mmap2(NULL, 12392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e44000
mmap2(0xb7e46000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7e46000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e43000
mprotect(0xb7f5d000, 4096, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e436c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0xb7fd4000, 61112) = 0
open("/dev/urandom", O_RDONLY) = 3
getpid() = 23606
geteuid32() = 1000
getegid32() = 100
socket(PF_FILE, SOCK_STREAM, 0) = 4
connect(4, {sa_family=AF_FILE, path=@}, 110) = -1 ECONNREFUSED (Connection refused)
close(4) = 0
brk(0) = 0x8089000
brk(0x80aa000) = 0x80aa000
read(3, "\325\235\266h", 4) = 4
rt_sigprocmask(SIG_BLOCK, ~[ABRT RTMIN RT_1], NULL, 8) = 0
write(2, "ssh: stack smashing attack in fu"..., 43ssh: stack smashing attack in function read) = 43
write(2, "()\n", 3() ) = 3
socket(PF_FILE, SOCK_DGRAM, 0) = 4
sendto(4, "<2>ssh: stack smashing attack in"..., 46, 0, {sa_family=AF_FILE, path="/dev/log"}, 110) = 46
rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0
kill(23606, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(189)

$ emerge info
Portage 2.0.51-r2 (default-x86-2004.0, gcc-3.4.2, glibc-2.3.4.20041021-r0, 2.6.9-mabuse i686)
=================================================================
System uname: 2.6.9-mabuse i686 AMD Athlon(TM) XP 2200+
Gentoo Base System version 1.6.4
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.92.0.2-r1
Headers: sys-kernel/linux26-headers-2.6.8.1-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -fstack-protector -mmmx -msse -m3dnow"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer -fstack-protector -mmmx -msse -m3dnow"
DISTDIR="/mnt/portage/distfiles"
FEATURES="autoaddcvs ccache digest distlocks keeptemp keepwork sandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/"
MAKEOPTS="-s"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/mnt/portage/overlay-portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow X aalib acl acpi alsa avi bitmap-fonts bonobo caca cdr crypt dri dvd encode esd ethereal evo flac font-server glx gnome gphoto2 gpm gstreamer gtk2 gtkhtml imagemagick imlib2 ipv6 javascript jpeg ldap mad maildir mikmod mmap mmx mng mozilla moznocompose moznoirc moznomail mozsvg mpeg mpeg4 ncurses nls no_wxgtk1 nogcj nptl oggvorbis opengl openssh pam pic png python samba spell sse ssl svg threads tiff transcode truetype truetype-fonts type1-fonts unicode usb videos wxwindows xface xfs xml xml2 xprint xrandr xv"

$ emerge -pv trickle
[...]
[ebuild R ] net-misc/trickle-1.06 0 kB
Got a gdb backtrace? Can you get it to drop a core?
If you can tell me how to do this? ;-) Using gdb is a big black hole in my list of skills.
I've learned a little bit how to work with gdb. Here is the result. I hope it helps:

Starting program: /usr/bin/trickle -d 2 -s /usr/bin/ssh
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGTRAP, Trace/breakpoint trap.
0x46996800 in ?? () from /lib/ld-linux.so.2
Does this help at all, or is there any need for more information? Tell me what I could do...
Hm, am I the only one who is interested in fixing this bug? Then maybe it would be good to delete trickle from portage.
This bug sounds like a problem that I saw with a kde module not so long ago that would preload its own module that contained a function for read(), overwriting the read() that's called from __libc_start_main() in glibc. So my guess is that this /usr/bin/trickle contains a read() function and can't be used with ssp till we rename the symbols in glibc ssp.c from read to __read.
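A model of the mechanism this comment describes, added here as an illustration and not code from glibc, trickle or Gentoo: the guard is filled by reading straight into it through the public read() symbol, so when a preload library supplies an SSP-instrumented read(), that function's own epilogue sees the guard change under it and reports a smash. The guard variable, the hand-written prologue/epilogue and the internal_read stand-in for __read are assumptions of the model; the four /dev/urandom bytes are the ones the strace above shows ssh reading right before the abort.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of glibc's SSP guard setup, not the real ssp.c. */
static unsigned int model_guard = 0;   /* stands in for __guard */
static int smash_reported = 0;         /* set when the modelled epilogue check fails */

/* Constructed /dev/urandom stand-in: the 4 bytes the strace above shows ssh
 * reading right before the abort. */
static const unsigned char urandom_bytes[4] = { 0xd5, 0x9d, 0xb6, 0x68 };

static void fill(void *buf, unsigned long n)   /* the read() body: copy into buf */
{
    memcpy(buf, urandom_bytes, n < sizeof urandom_bytes ? n : sizeof urandom_bytes);
}

/* read() as a preload library such as trickle-overload.so supplies it, built
 * with -fstack-protector; the prologue and epilogue the compiler would emit
 * are written out by hand. */
static long interposed_read(void *buf, unsigned long n)
{
    unsigned int canary = model_guard;          /* prologue: copy the guard */
    fill(buf, n);                               /* body writes into the caller's buffer */
    if (canary != model_guard) {                /* epilogue: guard must be unchanged */
        smash_reported = 1;
        fprintf(stderr, "model: stack smashing attack in function read()\n");
        return -1;
    }
    return (long)n;
}
/* Stand-in for glibc's internal __read: not interposable, no canary check. */
static long internal_read(void *buf, unsigned long n) { fill(buf, n); return (long)n; }

/* Setup as the bug report hits it: the public read() resolves to the preloaded
 * one and its destination is the guard itself, so the guard changes between
 * that function's prologue and epilogue. Returns 1 if the check fired. */
int guard_setup_broken(void)
{
    smash_reported = 0; model_guard = 0;
    interposed_read(&model_guard, sizeof model_guard);
    return smash_reported;
}
/* Setup with the fix proposed in this thread: call the internal symbol. */
int guard_setup_fixed(void)
{
    smash_reported = 0; model_guard = 0;
    internal_read(&model_guard, sizeof model_guard);
    return smash_reported;
}
unsigned int current_guard(void) { return model_guard; }
```

Reading the random bytes into a local and assigning the guard afterwards would avoid the mismatch just as well; the point is that the public read() must not be the thing that writes the guard.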
What's the status of this issue? Is it possible/usable to commit a patch?
See bug #65892 and dependents; I think this is the same issue. I've marked this bug as dependent on it, and re-assigned to the hardened team so we shouldn't lose sight of it. glibc-2.3.4.20050125-r1 contains a fix; try that - it's ~x86 so if you're otherwise stable create /etc/portage/package.keywords if it doesn't exist and add the following line to it:
=sys-libs/glibc-2.3.4.20050125-r1 ~x86
It's more than just read/write/close that we will probably want to address in the long term. I'm thinking something like this. http://dev.gentoo.org/~solar/ssp/ssp.new.c http://dev.gentoo.org/~solar/ssp/ssp.h
Removing audit from CC:
Lars, have you tried a more recent glibc version? Latest stable x86 version includes modifications that I think will solve the problem.
Old 2005 bug that should be solved. Reopen if needed.