Bug 357083 - [4.5/4.6] sys-libs/glibc declares tftphdr.tu_stuff[1] rather than tu_stuff[] (fortify breaks net-ftp/tftp-hpa)
Summary: [4.5/4.6] sys-libs/glibc declares tftphdr.tu_stuff[1] rather than tu_stuff[] ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: High normal
Assignee: Gentoo Toolchain Maintainers
URL: http://sourceware.org/ml/libc-alpha/2...
Whiteboard:
Keywords:
Duplicates: 375157 394803 406347
Depends on:
Blocks: 425184
Reported: 2011-03-02 13:10 UTC by Julian Stecklina
Modified: 2012-07-09 12:51 UTC

See Also:
Package list:
Runtime testing required: ---


Description Julian Stecklina 2011-03-02 13:10:47 UTC
Reading a file via the tftp client causes a buffer overflow (see below; for a backtrace, scroll a bit further down). Building tftp-hpa with -O0 (instead of -O1 or -O2) seems to work around this bug.


% tftp localhost        
tftp> get pulsar
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7ff15a1bb857]
/lib/libc.so.6(+0xe4670)[0x7ff15a1b9670]
tftp[0x4019cf]
tftp[0x4021a8]
tftp[0x402fad]
tftp[0x403b66]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7ff15a0f3b6d]
tftp[0x4018a9]
======= Memory map: ========
zsh: abort (core dumped)  tftp localhost

Backtrace:

(gdb) bt full
#0  0x00007ff15a107455 in raise () from /lib/libc.so.6
No symbol table info available.
#1  0x00007ff15a1088d6 in abort () from /lib/libc.so.6
No symbol table info available.
#2  0x00007ff15a141ea3 in ?? () from /lib/libc.so.6
No symbol table info available.
#3  0x00007ff15a1bb857 in __fortify_fail () from /lib/libc.so.6
No symbol table info available.
#4  0x00007ff15a1b9670 in __chk_fail () from /lib/libc.so.6
No symbol table info available.
#5  0x00000000004019cf in strcpy (request=<value optimized out>, name=0x63bdc4 "pulsar", tp=<value optimized out>, mode=0x404a45 "netascii") at /usr/include/bits/string3.h:107
No locals.
#6  makerequest (request=<value optimized out>, name=0x63bdc4 "pulsar", tp=<value optimized out>, mode=0x404a45 "netascii") at tftp.c:285
        cp = 0x606402 "p"
#7  0x00000000004021a8 in tftp_recvfile (fd=<value optimized out>, name=0x63bdc4 "pulsar", mode=0x404a45 "netascii") at tftp.c:197
        ap = 0x606400
        dp = 0x606924
        n = <value optimized out>
        block = 1
        size = 6536644
        firsttrip = 1
        amount = 0
        from = {sa = {sa_family = 0, sa_data = "\000\000\000\000\000\000\225\317hZ\361\177\000"}, si = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, 
            sin_zero = "\225\317hZ\361\177\000"}, s6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {
                __u6_addr8 = "\225\317hZ\361\177\000\000\000\000\000\000\000\000\000", __u6_addr16 = {53141, 23144, 32753, 0, 0, 0, 0, 0}, __u6_addr32 = {1516818325, 32753, 0, 
                  0}}}, sin6_scope_id = 21}}
        fromlen = 0
        file = 0x64a740
        convert = 1
        dp_opcode = <value optimized out>
        dp_block = <value optimized out>
#8  0x0000000000402fad in get (argc=<value optimized out>, argv=<value optimized out>) at main.c:673
        n = <value optimized out>
        cp = 0x63bdc4 "pulsar"
        src = 0x63bdc4 "pulsar"
#9  0x0000000000403b66 in command (argc=<value optimized out>, argv=0x7fff9b2f5d88) at main.c:837
        c = <value optimized out>
#10 main (argc=<value optimized out>, argv=0x7fff9b2f5d88) at main.c:356
        sa = {sa = {sa_family = 2, sa_data = '\000' <repeats 13 times>}, si = {sin_family = 2, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, 
          s6 = {sin6_family = 2, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
                __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}}
        arg = <value optimized out>
        pargc = 0
        peerargc = 2
        iscmd = 0
        pargv = 0x2
        optx = <value optimized out>
        peerargv = {0x7fff9b2f6916 "tftp", 0x7fff9b2f691b "localhost", 0x0}


Reproducible: Always

Steps to Reproduce:
Open tftp connection, GET a file.

Actual Results:  
Detected buffer overflow -> core dump.

Expected Results:  
The file is downloaded without error.

Portage 2.1.9.25 (default/linux/amd64/10.0, gcc-4.5.2, glibc-2.11.2-r3, 2.6.37.1 x86_64)
=================================================================
System uname: Linux-2.6.37.1-x86_64-Intel-R-_Core-TM-_i7_CPU_L_640_@_2.13GHz-with-gentoo-1.12.14
Timestamp of tree: Wed, 02 Mar 2011 00:30:01 +0000
app-shells/bash:     4.1_p9
dev-lang/python:     2.6.6-r2, 3.1.3-r1
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5, 4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O1 -g -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O1 -g -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs candy distlocks fail-clean fixlafiles fixpackages news nostrip parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en"
MAKEOPTS="-s -j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/luke-jr /var/lib/layman/lisp /var/lib/layman/lordvan"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bzip2 cairo cli cracklib crypt cups cxx dri dts dvb dvd emacs flac fontconfig fortran gdbm gpm iconv ipv6 jpeg matroska mmx modules mp3 mpeg mudflap multilib musepack ncurses nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline session sse sse2 sse3 ssl ssse3 sysfs tcpd theora threads truetype unicode v4l vaapi vorbis x264 xcb xinerama xorg xv xvmc zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DVB_CARDS="usb-dib0700" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 SpanKY gentoo-dev 2011-03-03 04:06:34 UTC
fortify code is only enabled when optimization is enabled (not -O0).  the code in question though explains why fortify throws up on it.

/usr/include/arpa/tftp.h:
struct  tftphdr {
    short   th_opcode;          /* packet type */
    union {
        unsigned short  tu_block;   /* block # */
        short   tu_code;        /* error code */
        char    tu_stuff[1];        /* request packet stuff */
    } __attribute__ ((__packed__)) th_u;
    char    th_data[1];         /* data or error string */
} __attribute__ ((__packed__));
#define th_stuff    th_u.tu_stuff

tftp.c:
static int
makerequest(int request, const char *name,
            struct tftphdr *tp, const char *mode)
{   
    char *cp;

    tp->th_opcode = htons((u_short) request);
    cp = (char *)&(tp->th_stuff);
    strcpy(cp, name);

that isn't going to work ... the code declares th_stuff as only being 1 byte long.  i guess the structure would need to be defined as tu_stuff[] rather than tu_stuff[1] to make it work.
Comment 2 Vasiliy Kotikov 2011-03-11 20:27:02 UTC
Hello!

I have switched gcc to 4.4.5 from 4.5.2; emerging netkit-tftp solved this issue...
Comment 3 Arun Raghavan (RETIRED) gentoo-dev 2011-10-11 09:06:33 UTC
This happens on netkit-tftp as well, with gcc 4.5.3
Comment 4 SpanKY gentoo-dev 2011-10-13 16:22:22 UTC
*** Bug 375157 has been marked as a duplicate of this bug. ***
Comment 5 Arun Raghavan (RETIRED) gentoo-dev 2011-10-13 16:43:19 UTC
Is this waiting for patches changing the [1] to a []?
Comment 6 swanpoint 2011-10-18 13:26:35 UTC
going:

gcc-config x86_64-pc-linux-gnu-4.4.5

from:

 [1] x86_64-pc-linux-gnu-4.4.5
 [2] x86_64-pc-linux-gnu-4.5.3 *

fixed this for me.
Comment 7 Optimus 2011-10-21 14:28:53 UTC
tftp -m binary 192.168.1.1 -c put RT-N16-1.9.2.7-rtn-r3300.trx
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f986c722fd7]
/lib64/libc.so.6(+0xfbe60)[0x7f986c720e60]
tftp[0x401ba1]
tftp[0x402067]
tftp[0x403eb1]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f986c643ebd]
tftp[0x401a89]
======= Memory map: ========
Aborted

gcc-config -l
 [1] x86_64-pc-linux-gnu-4.5.3 *

CFLAGS="-O0" fixes it
Comment 8 SpanKY gentoo-dev 2012-03-01 04:11:49 UTC
*** Bug 406347 has been marked as a duplicate of this bug. ***
Comment 9 Vasiliy Kotikov 2012-03-05 17:47:04 UTC
Sadly, CFLAGS="-O0" does not solve it.

net-ftp/netkit-tftp-0.17-r7 was built with the following:
USE="(multilib)"
CFLAGS="-O0"

gNutCore tmp # tftp localhost 
tftp> get test
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fd273b3b0a7]
/lib64/libc.so.6(+0xedf00)[0x7fd273b38f00]
tftp[0x4015b1]
tftp[0x40204d]
tftp[0x4027ea]
tftp[0x4035c7]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fd273a6d09d]
tftp[0x401499]
======= Memory map: ========
Aborted
Comment 11 SpanKY gentoo-dev 2012-04-12 03:52:55 UTC
as noted in Bug 375157, that patch works by accident imo

i've filed PR52944 with upstream gcc ... let's see where it goes

otherwise, it should be easy to make all the tftp packages work by using _FORTIFY_SOURCE=1 when building the tftp packages.  that setting will disable crossing of variable boundaries.
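The following is an added example, not code from this bug report, tftp-hpa or glibc. It makes the layout problem from comment 1 measurable (where the strcpy() target sits and how wide it is), exposes the bound the two _FORTIFY_SOURCE levels from comment 11 ask the compiler for, and builds the same request packet through the real buffer with an explicit length check. The names stuff_offset, stuff_size, hdr_size, fortify_bound, make_request and sample_check are mine; the sample request ("get pulsar" in netascii mode) is taken from the report.

```c
#include <arpa/inet.h>   /* htons, ntohs */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RRQ 1            /* TFTP read request opcode */

/* The layout quoted in comment 1 (glibc's arpa/tftp.h at the time). */
struct tftphdr {
    short th_opcode;                /* packet type */
    union {
        unsigned short tu_block;    /* block # */
        short          tu_code;     /* error code */
        char           tu_stuff[1]; /* request packet stuff */
    } __attribute__((__packed__)) th_u;
    char th_data[1];                /* data or error string */
} __attribute__((__packed__));
#define th_stuff th_u.tu_stuff

/* Where makerequest()'s strcpy() lands: offset 2 of a 5-byte structure,
   into a member that is 1 byte wide.  Any non-empty file name therefore
   runs past th_u into th_data and beyond the structure. */
size_t stuff_offset(void) { return offsetof(struct tftphdr, th_stuff); }
size_t stuff_size(void)   { return sizeof(((struct tftphdr *)0)->th_stuff); }
size_t hdr_size(void)     { return sizeof(struct tftphdr); }

/* The question _FORTIFY_SOURCE asks the compiler before strcpy(): level 2
   bounds the copy by the enclosing member (type 1), level 1 by the whole
   object (type 0).  (size_t)-1 means "unknown", and then no check is made.
   The answer depends on compiler version and optimization level (comments
   1, 7, 11 and 12), so this helper is for inspection only. */
size_t fortify_bound(struct tftphdr *tp, int level)
{
    return level > 1 ? __builtin_object_size(&tp->th_stuff, 1)
                     : __builtin_object_size(&tp->th_stuff, 0);
}

/* Build "<opcode><name>\0<mode>\0" into buf (len bytes).  Returns the
   packet length, or -1 if it would not fit.  Writing through the real
   buffer with its real length is what the 1-byte member cannot express. */
int make_request(int request, const char *name, const char *mode,
                 unsigned char *buf, size_t len)
{
    size_t nlen = strlen(name) + 1, mlen = strlen(mode) + 1;
    size_t total = 2 + nlen + mlen;
    uint16_t op = htons((uint16_t)request);
    if (len < total || total > INT_MAX)
        return -1;
    memcpy(buf, &op, sizeof op);              /* th_opcode, in bounds */
    memcpy(buf + 2, name, nlen);
    memcpy(buf + 2 + nlen, mode, mlen);
    return (int)total;
}

/* Constructed check: the request from the report ("get pulsar", mode
   netascii) in a 516-byte packet buffer.  Returns 1 when the packet is
   18 bytes, carries opcode RRQ and the two strings, and the same request
   is refused when the buffer is one byte too small; 0 otherwise. */
int sample_check(void)
{
    unsigned char pkt[516];
    uint16_t op;
    int n = make_request(RRQ, "pulsar", "netascii", pkt, sizeof pkt);
    memcpy(&op, pkt + offsetof(struct tftphdr, th_opcode), sizeof op);
    return n == 18 && ntohs(op) == RRQ
        && memcmp(pkt + 2, "pulsar\0netascii\0", 16) == 0
        && make_request(RRQ, "pulsar", "netascii", pkt, 17) == -1;
}
```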
Comment 12 SpanKY gentoo-dev 2012-04-12 15:36:35 UTC
upstream gcc indicates that 4.7 should be fixed, but i don't have a local install of that to double check.  with a little more anonymous structure/union abuse though, we can make the tftp.h header play ball.  patch posted to upstream glibc to do just that.
Comment 13 SpanKY gentoo-dev 2012-04-21 16:25:22 UTC
*** Bug 394803 has been marked as a duplicate of this bug. ***
Comment 14 SpanKY gentoo-dev 2012-04-21 16:27:08 UTC
i've included the fix in glibc-2.15