If compiled with ssp/hardened gcc, then it gets killed in some cases. Can the ebuild be changed for now to use -fno-stack-protection?

Reproducible: Always

Steps to Reproduce:
with an e-gate token and a cryptoflex 32k card:
1. openssl
2. engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_opensc.so -pre ID:opensc -pre LIST_ADD:1 -pre LOAD -text
3. req -engine opensc -new -key 45 -keyform engine -x509 -out mycert.pem
4. enter "." for everything but your name and email.
crash. opensc gives a generic reader error.

Actual Results:
Error: Peer closed connection
card.c:203:sc_transceive: Unable to transmit: Generic reader error
card.c:238:sc_transmit_apdu: transceive() failed: Generic reader error
iso7816.c:579:iso7816_get_response: APDU transmit failed: Generic reader error
card.c:279:sc_transmit_apdu: returning with: Generic reader error
...
in strace I see:
write(2, "ifdhandler: stack smashing attack in function do_transact", 57) = 57
write(2, "()\n", 3) = 3
socket(PF_UNIX, SOCK_DGRAM, 0) = 6
sendto(6, "<2>ifdhandler: stack smashing attack in function do_transact", 60, 0, {sa_family=AF_UNIX, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)

Expected Results:
not crash, work as usual.

compiled with -fno-stack-protection openct is fine. I'm also asking on gentoo-hardened for suggestions on how to fix the code so the stack protector will not issue a false alarm. But in the meantime it would be nice if the ebuild turned off the stack protection itself, if that is possible.
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.mirror.sdv.fr http://gentoo.inode.at/ http://ftp.easynet.nl/mirror/gentoo/ http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage//packages/x86/"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="X acpi adns alsa apache2 arts avi berkdb cdr cjk crypt cups doc dvd dvdr encode esd fam flac freewnn gd gdbm gif gnome gstreamer gtk gtk2 hardened icq imagemagick imap imlib jpeg kde lesstif libwww mad mmx mozilla mpeg ncurses nls oggvorbis opengl pam pcmcia perl pic pie png pnp postgres python qt readline sdl sse ssl tcpd tetex tiff truetype unicode usb videos wmf x86 xml xml2 xmms zlib"
umm, isn't that a sign of bad code?
you didn't post all of `emerge info`
please post the output of `emerge -V info`
root@earth:~# emerge -V info
Portage 2.0.50-r11 (x86, gcc-3.3.4, glibc-2.3.3.20040420-r1, 2.6.9-rc3-bk4)
about "bad code": well, I didn't write it. But if you can give me some clue what is wrong with the code and how to fix it, I will give it a try.
well, when a package starts killing itself with stack-protector, there are two possibilities ... the toolchain could be generating bad code and thus should be fixed, or the package has bad code and should be fixed. The solution in these cases isn't to just filter flags and ignore it ;) I'll let the hardened guys review this since they're more intimate with SSP.
Additional information about this buffer overflow can be found in this email from The PaX Team: http://article.gmane.org/gmane.linux.gentoo.hardened/1231
[0] pappy@PAPILLON openct $ cvs_rdiff openct-0.5.0.ebuild Index: gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild diff -u gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild:1.7 gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild:1.8 --- gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild:1.7 Tue Oct 12 01:40:16 2004 +++ gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild Wed Oct 13 16:28:33 2004 @@ -1,8 +1,8 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild,v 1.7 2004/10/12 01:40:16 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openct/openct-0.5.0.ebuild,v 1.8 2004/10/13 16:28:33 pappy Exp $ -inherit eutils +inherit eutils flag-o-matic DESCRIPTION="OpenCT is a library for accessing smart card terminals." HOMEPAGE="http://opensc.org/" @@ -25,6 +25,7 @@ } src_compile() { + filter-flags "-fstack-protector" econf --localstatedir=/var || die emake || die } Please test and comply. -Alex
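Review bot: the `filter-flags "-fstack-protector"` line added in src_compile will not change what gets built here. filter-flags only strips a flag the user already has in CFLAGS, and the reporter's CFLAGS ("-O2 -march=pentium3 -fomit-frame-pointer") never contained -fstack-protector; the SSP instrumentation that produced "stack smashing attack in function do_transact" is coming from the hardened toolchain itself (USE="hardened pie pic"), not from CFLAGS. If the intent really is to switch SSP off for this package, that would need an explicit `append-flags -fno-stack-protector` instead. Since the abort names a specific function and the reporter's own strace shows a real canary corruption, the hunk should not go in at all until someone has shown the overflow is a false positive; otherwise the ebuild is hiding a memory-safety bug rather than working around a compiler problem.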
considering the problem looks like a valid one (bad code in openct), isn't this exactly what we don't want to be doing? ignoring the problem?
this bug report was written on the assumption that it is a false positive, and thus we need to work around the issue till gcc is fixed. The function mentioned in the kill message is fine, I can't see anything wrong. There could be a problem in a function called by this one, even deeper. I will investigate. So far I don't know in detail if there is a problem or not. I got some feedback from the hardened team, need to evaluate that to find out if there is a problem somewhere inside the openct code.
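The comment above suspects that the overflow sits in a callee even though the abort names do_transact. That is exactly what a stack-protector canary reports when a helper writes through a pointer into a fixed-size buffer that lives in the caller's frame: the helper's own canary is untouched, the caller's is clobbered, and the caller's epilogue is where the check fires. The following C program is an added example (not openct's code; the function and field names are invented, and the "wire" message is constructed inline) modelling a reader reply whose length byte is taken from the device. The unchecked copy is the pattern SSP catches; the checked variant rejects a claimed length larger than the destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a reader "transact" step: the device answers with a
 * length byte followed by that many data bytes.  The length is untrusted.
 * Constructed example; not taken from openct. */
#define RESP_MAX 64

/* Unchecked variant: copies whatever length the device claims into the
 * caller's buffer.  If n > cap the memcpy runs past resp[] in the CALLER's
 * frame; with -fstack-protector the caller's canary is corrupted, so the
 * abort names the caller (do_transact_unchecked), not this helper. */
static int recv_response_unchecked(uint8_t *dst, size_t cap,
                                   const uint8_t *wire, size_t wire_len) {
    (void)cap;                       /* the bug: capacity is ignored */
    if (wire_len < 1) return -1;
    size_t n = wire[0];
    if (wire_len < 1 + n) return -1; /* short read on the wire */
    memcpy(dst, wire + 1, n);
    return (int)n;
}

/* Checked variant: a claimed length larger than the destination is an
 * error from the device, not a reason to trust it. */
static int recv_response_checked(uint8_t *dst, size_t cap,
                                 const uint8_t *wire, size_t wire_len) {
    if (wire_len < 1) return -1;
    size_t n = wire[0];
    if (n > cap) return -2;          /* device lied about the length */
    if (wire_len < 1 + n) return -1;
    memcpy(dst, wire + 1, n);
    return (int)n;
}

/* Caller frames holding the fixed-size stack buffer, like do_transact. */
int do_transact_checked(const uint8_t *wire, size_t wire_len) {
    uint8_t resp[RESP_MAX];
    return recv_response_checked(resp, sizeof resp, wire, wire_len);
}

int do_transact_unchecked(const uint8_t *wire, size_t wire_len) {
    uint8_t resp[RESP_MAX];
    return recv_response_unchecked(resp, sizeof resp, wire, wire_len);
}

/* Build a constructed reply claiming `claimed` payload bytes (all 0x41). */
size_t make_wire(uint8_t *out, size_t out_cap, size_t claimed) {
    if (claimed > 255 || 1 + claimed > out_cap) return 0;
    out[0] = (uint8_t)claimed;
    memset(out + 1, 0x41, claimed);
    return 1 + claimed;
}

/* Run one case: `claimed` bytes announced, at most `deliver` bytes actually
 * handed to the transact function (0 = deliver everything). */
int scenario(size_t claimed, size_t deliver, int checked) {
    uint8_t wire[256];
    size_t len = make_wire(wire, sizeof wire, claimed);
    if (len == 0) return -99;
    if (deliver && deliver < len) len = deliver;   /* simulate a short read */
    return checked ? do_transact_checked(wire, len)
                   : do_transact_unchecked(wire, len);
}

int main(void) {
    printf("in-bounds  (16 bytes): checked=%d unchecked=%d\n",
           scenario(16, 0, 1), scenario(16, 0, 0));
    printf("truncated  (16 of which 10 arrive): checked=%d\n",
           scenario(16, 10, 1));
    printf("oversized  (200 bytes): checked=%d\n", scenario(200, 0, 1));
    /* scenario(200, 0, 0) would write 136 bytes past resp[]; built with
     * -fstack-protector-all it aborts with "stack smashing attack in
     * function do_transact_unchecked".  Deliberately not called here. */
    return 0;
}
```

Build with `gcc -O2 -fstack-protector-all` and uncomment the last scenario call to see the abort name the caller; with the checked helper the same input is turned into an error return the transport layer can report instead.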
based on comment #7 I'd have to agree that it would be better to get to the root of the problem here. Think we may want to get in contact with gentoo's maintainer and upstream. Somebody that uses this program should get in contact with the upstream author(s) and have them review this bug. http://opensc.org/ From looking at the ChangeLog it appears as if the default maintainer would be you Mike as you did the initial commit. The contact info looks like it can be found here http://opensc.org/files/doc/openct.html#openct.about Reassigning bug to Mike with hardened on the CC: list
openct was written mostly by Olaf Kirch and some parts by Andreas Jellinghaus (that's me), and Chaskiel Grundman wrote a driver unrelated to this issue. Unfortunately Olaf currently has no time for OpenCT, so I'm more or less the upstream contact.
I don't have the aforementioned hardware (or really any card reading hardware), so is there a way for me to replicate this?
also, you may want to try gcc-3.4.2-r2 with USE=boundschecking ... it can produce some helpful debug code ...
fixed in openct 0.6.2. please update.
I take it opensc.org is down atm?
sorry, some firewall blocks our dns server resulting in a no dns info available. it is being worked on. for the time being, please use http://opensc.hut.fi/
now in portage, thanks. Also, have you thought about including the usb.usermap in the openct tarball? It's in openct's FILESDIR.
what is the advantage of the usb.usermap over the usermap shipped with openct? from the new documentation/QUICKSTART (or whatever it was called): # cp etc/hotplug.openct /etc/hotplug/usb/openct # cp etc/openct.usermap /etc/hotplug/usb/openct.usermap