Bug 358435 - x11-libs/libfm: stack-smashing on hardened-amd64
Summary: x11-libs/libfm: stack-smashing on hardened-amd64
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Markos Chandras (RETIRED)
Reported: 2011-03-11 18:36 UTC by Christian Apeltauer
Modified: 2012-11-12 07:11 UTC (History)
Attachments
output of cave info libfm (libfm.info, 16.04 KB, text/plain), 2011-03-11 18:37 UTC, Christian Apeltauer
bugfix to type inconsistency in _fm_archiver_init (libfm-0.1.15_pre20110422_fm_archiver_init.patch, 435 bytes, patch), 2011-06-23 14:50 UTC, vina

Description Christian Apeltauer 2011-03-11 18:36:26 UTC
When pcmanfm is called, the application stops with a stack-smashing on startup; said stack-smashing happens when returning from the function

_fm_archiver_init

in base/fm-archiver.c, belonging to x11-libs/libfm. The stack frame before the crash:
#0  _fm_archiver_init () at base/fm-archiver.c:225
#1  0x0000037f200bbd9d in fm_init (config=0x3d6b829030) at fm.c:59
#2  0x0000037f2099d479 in fm_gtk_init (config=<value optimized out>)
    at fm-gtk.c:26
#3  0x0000003d6b5d29e4 in main (argc=1, argv=0x382dbed9798) at pcmanfm.c:194

As a workaround, the file
/usr/share/libfm/archivers.list
can be deleted, after which pcmanfm starts up without stack-smashing.
I tried deleting only those entries which belong to non-installed archivers, but the stack-smashing still happens.

Reproducible: Always
Comment 1 Christian Apeltauer 2011-03-11 18:37:10 UTC
Created attachment 265581 [details]
output of cave info libfm
Comment 2 vina 2011-06-23 14:50:47 UTC
Created attachment 277879 [details, diff]
bugfix to type inconsistency in _fm_archiver_init

The initialization of the libfm library contains a type inconsistency on 64-bit
systems, which probably leads to stack corruption (on non-hardened systems)
and shows up as a stack-smashing attack on hardened systems.

This is due to the following:

  The test program fm-path (test-fm-path.c) initializes libfm
  int main(int argc, char *argv[])                                        // libfm/src/tests/test-fm-path.c
  calls: gboolean fm_init(FmConfig* config)                               // libfm/src/fm.c
  calls: void _fm_archiver_init()                                         // libfm/src/base/fm-archiver.c
         {
           ...
           int n_archivers;
           char** programs = g_key_file_get_groups(kf, &n_archivers);
           ...
         }
  calls: gchar** g_key_file_get_groups(GKeyFile *key_file, gsize *length) // glib/gkeyfile.c

The 32-bit variable 'n_archivers' on the stack of _fm_archiver_init is provided 
to g_key_file_get_groups by reference and assumed to be a 64-bit variable
'length'. g_key_file_get_groups modifies 'length' and thus corrupts the
stack of _fm_archiver_init.

On 64-bit systems, /usr/lib64/glib-2.0/include/glibconfig.h has:

  typedef unsigned long gsize;
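The mismatch described in the comment above, as an added example that is not part of the bug report or of libfm: a stand-in for g_key_file_get_groups() stores through a gsize* (8 bytes on 64-bit), while the buggy caller hands it the address of a 4-byte int. The caller's frame is modelled as a byte buffer so the layout is deterministic; the word next to n_archivers is a marker standing in for whatever the compiler placed there (on a hardened build, typically the SSP canary). fake_get_groups, buggy_caller, fixed_caller and MARKER are hypothetical names; a little-endian 64-bit target such as amd64 is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* As in glibconfig.h on 64-bit: an 8-byte unsigned long. */
typedef unsigned long gsize;

/* Hypothetical stand-in for g_key_file_get_groups(), not GLib. The only
 * property that matters is that it stores through a gsize*, i.e. 8 bytes. */
static void fake_get_groups(int n_groups, gsize *length)
{
    if (length != NULL)
        *length = (gsize)n_groups;
}

/* Marker standing in for the word next to n_archivers on the stack
 * (canary, saved register, another local). */
#define MARKER 0xDEADBEEFu

/* Buggy pattern: the 4-byte int lives at offset 0 of an 8-byte frame, the
 * neighbour word at offset 4. Passing &n_archivers as gsize* lets the callee
 * write 8 bytes into a 4-byte slot. Returns n_archivers as the caller sees it
 * and reports the neighbour word through *neighbour_after. */
int buggy_caller(int n_groups, uint32_t *neighbour_after)
{
    _Alignas(gsize) unsigned char frame[8];
    int n_archivers = 0;
    uint32_t neighbour = MARKER;

    memcpy(frame + 0, &n_archivers, sizeof n_archivers);
    memcpy(frame + 4, &neighbour, sizeof neighbour);

    /* Mirrors libfm: an int's address handed over where gsize* is expected.
     * Without the cast the compiler warns about an incompatible pointer type;
     * with -Werror that warning would have caught the bug at build time. */
    fake_get_groups(n_groups, (gsize *)frame);

    memcpy(&n_archivers, frame + 0, sizeof n_archivers);
    memcpy(&neighbour, frame + 4, sizeof neighbour);
    *neighbour_after = neighbour;
    return n_archivers;
}

/* Fixed pattern: the out-parameter has the type the callee expects, so the
 * store is exactly as wide as the slot; narrow to int afterwards with a
 * range check instead of letting the callee decide the width. */
int fixed_caller(int n_groups, uint32_t *neighbour_after)
{
    _Alignas(gsize) unsigned char frame[12];
    gsize n_archivers = 0;
    uint32_t neighbour = MARKER;

    memcpy(frame + 0, &n_archivers, sizeof n_archivers);
    memcpy(frame + 8, &neighbour, sizeof neighbour);

    fake_get_groups(n_groups, (gsize *)frame);   /* 8-byte store, 8-byte slot */

    memcpy(&n_archivers, frame + 0, sizeof n_archivers);
    memcpy(&neighbour, frame + 8, sizeof neighbour);
    *neighbour_after = neighbour;
    return n_archivers > (gsize)INT_MAX ? INT_MAX : (int)n_archivers;
}

int main(void)
{
    uint32_t after;
    int n = buggy_caller(3, &after);
    printf("buggy: n_archivers=%d neighbour=0x%08x (%s)\n", n, after,
           after == MARKER ? "intact" : "CLOBBERED");
    n = fixed_caller(3, &after);
    printf("fixed: n_archivers=%d neighbour=0x%08x (%s)\n", n, after,
           after == MARKER ? "intact" : "CLOBBERED");
    return 0;
}
```

On little-endian amd64 the buggy caller still reads back the right count (3), which is why the bug is silent on non-hardened builds; the damage is that the upper half of the 8-byte store zeroes the neighbouring word. When that word is the SSP canary, the function epilogue reports it as stack smashing, which matches the backtrace in the report.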
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-06-24 08:09:41 UTC
The patch looks good to me. Is someone willing to notify upstream about that?
Comment 4 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2012-10-10 21:56:41 UTC
Seems upstream fixed this already in 1.0.1:
http://pcmanfm.git.sourceforge.net/git/gitweb.cgi?p=pcmanfm/libfm;a=commit;h=8972eaaef0bb43491b7578dd3e8c9f14455d1d6a

Hwoarang, is the package bumpable? An off-by-4 stack overflow may be enough to be exploitable if properly done.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2012-11-06 10:21:12 UTC
The ebuild is already in the tree. 1.0.2 and 1.1.0. Can you test them?
Comment 6 Christian Apeltauer 2012-11-12 07:11:58 UTC
Installed libfm-1.1.0 now and it worked out of the box.