Bug 288419 - media-gfx/graphviz-2.24.0-r2 triggers stack smashing protection on hardened
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: AMD64 Linux
Importance: High minor
Assignee: Gentoo Graphics Project
Reported: 2009-10-10 11:40 UTC by Paweł Szklarz
Modified: 2015-10-03 09:25 UTC
Description Paweł Szklarz 2009-10-10 11:40:26 UTC
Checking the logs in /var/log/user.log I found this:
Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
Oct  9 23:03:25 uxmal Fuxma9679.exe: stack smashing attack in function fchownat_DEFAULT - terminated
Oct  9 23:03:25 uxmal Report to http://bugs.gentoo.org/


Reproducible: Couldn't Reproduce

Steps to Reproduce:
Happens just one time.
Actual Results:  
My system is running ok.

Expected Results:  
I would like to understand this log and know how to check if my system is ok.

uxmal log # cat /etc/gentoo-release 
Gentoo Base System release 1.12.11.1

Profile:
  [6]   hardened/linux/amd64/10.0 *
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-11 21:46:03 UTC
We don't distribute anything that has a Fuxma9679.exe, thus we can't do anything about it.

Hints on how to check the machine's integrity can be given elsewhere.
Comment 2 Tony Vroon (RETIRED) gentoo-dev 2009-10-12 12:58:38 UTC
You do actually, it's the emerge of graphviz that triggers this message. The bug reporter must be working on a system with a hostname of uxma.
Please do not close reports without investigating first.

Reporter, please confirm by remerging graphviz. Use timestamps to confirm the error message; I expect that you will find a corrupted message (leading capital F) in /var/log/messages, but there should be others in the pax messages.
Comment 3 Paweł Szklarz 2009-10-12 13:55:54 UTC
hostname is "uxmal"

I checked, and the message was at the same time as the emerging of graphviz:

/var/log/messages
Oct  9 23:00:53 uxmal revdep-rebuild:   found /usr/bin/dot
Oct  9 23:00:54 uxmal revdep-rebuild:   found /usr/bin/gvpack
Oct  9 23:01:10 uxmal revdep-rebuild:   found /usr/lib64/libgvc.so.5.0.0
Oct  9 23:01:21 uxmal revdep-rebuild:   /usr/bin/dot -> media-gfx/graphviz
Oct  9 23:01:21 uxmal revdep-rebuild:   /usr/bin/gvpack -> media-gfx/graphviz
Oct  9 23:01:21 uxmal revdep-rebuild:   /usr/lib64/libgvc.so.5.0.0 -> media-gfx/graphviz
Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
Oct  9 23:03:25 uxmal Fuxma9679.exe: stack smashing attack in function fchownat_DEFAULT - terminated
Oct  9 23:03:25 uxmal Report to http://bugs.gentoo.org/


/var/log/emerge.log:
1255122094: Started emerge on: Oct 09, 2009 23:01:34
1255122094:  *** emerge --oneshot media-gfx/graphviz:0
1255122096:  >>> emerge (1 of 1) media-gfx/graphviz-2.24.0-r2 to /
1255122097:  === (1 of 1) Cleaning (media-gfx/graphviz-2.24.0-r2::/usr/portage/media-gfx/graphviz/graphviz-2.24.0-r2.ebuild)
1255122097:  === (1 of 1) Compiling/Merging (media-gfx/graphviz-2.24.0-r2::/usr/portage/media-gfx/graphviz/graphviz-2.24.0-r2.ebuild)
1255122291:  === (1 of 1) Merging (media-gfx/graphviz-2.24.0-r2::/usr/portage/media-gfx/graphviz/graphviz-2.24.0-r2.ebuild)
1255122293:  >>> AUTOCLEAN: media-gfx/graphviz:0
1255122293:  === Unmerging... (media-gfx/graphviz-2.24.0-r2)
1255122295:  >>> unmerge success: media-gfx/graphviz-2.24.0-r2
1255122296:  === (1 of 1) Post-Build Cleaning (media-gfx/graphviz-2.24.0-r2::/usr/portage/media-gfx/graphviz/graphviz-2.24.0-r2.ebuild)
1255122296:  ::: completed emerge (1 of 1) media-gfx/graphviz-2.24.0-r2 to /
1255122296:  *** Finished. Cleaning up...
1255122296:  *** exiting successfully.
1255122296:  *** terminating.


Searching on /var/log:

uxmal log # pwd
/var/log
uxmal log # grep Fuxma *
debug:Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
debug:Oct  9 23:03:25 uxmal Fuxma9679.exe: stack smashing attack in function fchownat_DEFAULT - terminated
messages:Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
messages:Oct  9 23:03:25 uxmal Fuxma9679.exe: stack smashing attack in function fchownat_DEFAULT - terminated
syslog:Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
syslog:Oct  9 23:03:25 uxmal Fuxma9679.exe: stack smashing attack in function fchownat_DEFAULT - terminated
user.log:Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
user.log:Oct  9 23:03:25 uxmal Fuxma9679.exe: stack smashing attack in function fchownat_DEFAULT - terminated
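
The timestamp correlation that comments 2 to 4 carry out by hand, as an added example that is not part of the original thread: it derives the local-time offset from the "Started emerge on" line of emerge.log and reports which package build window contains each stack smashing abort in syslog. The function names are hypothetical, and it assumes one year and a constant UTC offset across the logs.

```python
import re
from datetime import datetime, timezone

# Sample input: lines taken from the logs quoted in this bug report.
EMERGE_LOG = """\
1255122094: Started emerge on: Oct 09, 2009 23:01:34
1255122096:  >>> emerge (1 of 1) media-gfx/graphviz-2.24.0-r2 to /
1255122296:  ::: completed emerge (1 of 1) media-gfx/graphviz-2.24.0-r2 to /
"""
SYSLOG = """\
Oct  9 23:01:21 uxmal revdep-rebuild:   /usr/bin/dot -> media-gfx/graphviz
Oct  9 23:03:25 uxmal *** stack smashing detected ***: Fuxma9679.exe - terminated
"""

def _naive_epoch(text, fmt):
    # Parse a wall-clock stamp as if it were UTC; the offset is corrected later.
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())

def clock_reference(emerge_log):
    """(year, utc_offset_seconds) from the 'Started emerge on' line, which
    records one instant both as an epoch stamp and as local wall-clock time."""
    m = re.search(r"^(\d+): Started emerge on: (.+?, (\d{4}) .+)$", emerge_log, re.M)
    return int(m.group(3)), _naive_epoch(m.group(2), "%b %d, %Y %H:%M:%S") - int(m.group(1))

def emerge_windows(emerge_log):
    """[(start, end, package)] for each '>>> emerge' / '::: completed emerge' pair."""
    pat = r"^(\d+):\s+(>>>|:::) (?:completed )?emerge \(\d+ of \d+\) (\S+) to "
    started, windows = {}, []
    for ts, mark, pkg in re.findall(pat, emerge_log, re.M):
        if mark == ">>>":
            started[pkg] = int(ts)
        elif pkg in started:
            windows.append((started.pop(pkg), int(ts), pkg))
    return windows

def ssp_events(syslog, year, offset):
    """[(epoch, process)] for each SSP abort; syslog stamps carry no year or zone."""
    pat = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ \*\*\* stack smashing detected \*\*\*: (\S+)"
    return [(_naive_epoch(f"{year} {stamp}", "%Y %b %d %H:%M:%S") - offset, proc)
            for stamp, proc in re.findall(pat, syslog, re.M)]

def correlate(syslog, emerge_log):
    """Pair every SSP abort with the package whose build window contains it."""
    year, offset = clock_reference(emerge_log)
    return [(proc, pkg) for ts, proc in ssp_events(syslog, year, offset)
            for start, end, pkg in emerge_windows(emerge_log) if start <= ts <= end]

if __name__ == "__main__":
    print(correlate(SYSLOG, EMERGE_LOG))
```

An abort that falls outside every build window is not returned by `correlate`, so compare its output against `ssp_events` to find aborts that no emerge run accounts for.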

Comment 4 Tony Vroon (RETIRED) gentoo-dev 2009-10-12 14:01:14 UTC
(In reply to comment #3)
> hostname is "uxmal"

That makes sense, then the process name is partially the host name. The 4-digit number could be a PID. The .exe prefix is a rarity in a UNIX environment, but I have seen it before.


> I check and the message was in the same time of emerging graphviz:

Good, then we have found the cause.

Please post emerge --info (this really, *really* should be on all bug reports) and I will then reassign your report to the maintainer of graphviz for further investigation.
Comment 5 Paweł Szklarz 2009-10-12 14:10:23 UTC
Portage 2.1.6.13 (hardened/linux/amd64/10.0, gcc-3.4.6, glibc-2.9_p20081201-r2, 2.6.30-gentoo-r5 x86_64)
=================================================================
System uname: Linux-2.6.30-gentoo-r5-x86_64-Intel-R-_Xeon-R-_CPU_3040_@_1.86GHz-with-gentoo-1.12.11.1
Timestamp of tree: Fri, 09 Oct 2009 15:45:01 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.6.2-r1
dev-util/cmake:      2.6.4
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    2.1
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.intergenia.de http://gentoo.mneisen.org/ "
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1"
LINGUAS="en es pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl amd64 apache2 bash-completion berkdb bzip2 cairo cli courier cracklib crypt cups djvu doc dri fontconfig fpx gdbm gif gpm graphviz gs hardened hdri html iconv imap isdnlog jadetex jbig jpeg jpeg2k justify lcms libwww maildir mmx modules mpm-worker mudflap multilib ncurses nls nonfsv4 nptl nptlonly openexr pam pango pcre perl pg-intdatetime pic png postgres pppd python q32 q8 readline reflection sasl session spamassassin spl sqlite sqlite3 sse sse2 ssl svg sysfs tcpd threads threadsafe tiff truetype urandom vda vim-syntax wmf xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en es pl" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2009-10-12 14:36:31 UTC
Thank you Pawel, let's see what the maintainers say of this problem. To confirm, I have at least one other system that exhibits this (which is AMD64 instead of X86, I will see to it that the relevant --info gets posted here).
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-12 19:24:56 UTC
> You do actually, it's the emerge of graphviz that triggers this message. The
> bug reporter must be working on a system with a hostname of uxma.
> Please do not close reports without investigating first.
Security tried to investigate and me and some other people on IRC would have done the same, because:
- unreproducible
- no package name given
- didn't see the partial hostname (uxmal/Fuxma9679.exe)
- missing emerge --info and hints on why/how this happened

Cool that you found out it's graphviz, but how did you do that?
Comment 8 Tony Vroon (RETIRED) gentoo-dev 2009-10-12 19:36:23 UTC
> Security tried to investigate and me and some other people on IRC would have
> done the same, because:
> - unreproducible

It is reproducible once you track it down. I basically ignored this statement.

> - no package name given
> - didn't see the partial hostname (uxmal/Fuxma9679.exe)
> - missing emerge --info and hints on why/how this happened

You will not always get your bug report served by an attractive young lady on a silver platter. Please try to work with what you have.

> Cool that you found out it's graphviz, but how did you do that?

By keeping the dialog open enough so that I could match details with a problem I saw in the field a few weeks back.
Comment 9 Magnus Granberg gentoo-dev 2010-02-12 17:00:12 UTC
Can you try 2.26.3?
And what USE flags on that package?
Comment 10 Magnus Granberg gentoo-dev 2013-11-23 21:58:32 UTC
Is this stack smashing thing fixed in newer graphviz?
Comment 11 Paweł Szklarz 2013-11-23 22:08:27 UTC
I changed the system on this computer, so I cannot reproduce/check the error any more. Sorry.