Bug 890985 - sys-process/numad-0.5-r4: buffer overflow in get_daemon_pid(), aborts on FORTIFY_SOURCE=3 system
Summary: sys-process/numad-0.5-r4: buffer overflow in get_daemon_pid(), aborts on FOR...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 847148 891009
Reported: 2023-01-15 21:05 UTC by Georgy Yakovlev
Modified: 2023-09-24 20:43 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Georgy Yakovlev archtester gentoo-dev 2023-01-15 21:05:57 UTC
FORTIFY_SOURCE=3 is the new default on hardened profiles, soon to go stable.


(gdb) bt
#0  0x00007fffa1293dbc in ?? () from /usr/lib64/libc.so.6
#1  0x00007fffa1232a3c in raise () from /usr/lib64/libc.so.6
#2  0x00007fffa12143fc in abort () from /usr/lib64/libc.so.6
#3  0x00007fffa12809a0 in ?? () from /usr/lib64/libc.so.6
#4  0x00007fffa13569d0 in __fortify_fail () from /usr/lib64/libc.so.6
#5  0x00007fffa1354390 in __chk_fail () from /usr/lib64/libc.so.6
#6  0x00007fffa1356ea4 in __vsnprintf_chkieee128 () from /usr/lib64/libc.so.6
#7  0x00000002f5932024 in __vsnprintfieee128 (__ap=<optimized out>, __fmt=0x2f59389c8 "Removing out-of-date numad run file because %s doesn't exist\n", __n=1024, __s=<optimized out>) at /usr/include/bits/stdio2.h:68
#8  numad_log (level=level@entry=5, fmt=fmt@entry=0x2f59389c8 "Removing out-of-date numad run file because %s doesn't exist\n") at numad.c:180
#9  0x00000002f59336f8 in get_daemon_pid () at numad.c:806
#10 0x00000002f5937c4c in main (argc=<optimized out>, argv=0x7ffff54c4be8) at numad.c:2124



(gdb) bt full
#0  0x00007fffa1293dbc in ?? () from /usr/lib64/libc.so.6
No symbol table info available.
#1  0x00007fffa1232a3c in raise () from /usr/lib64/libc.so.6
No symbol table info available.
#2  0x00007fffa12143fc in abort () from /usr/lib64/libc.so.6
No symbol table info available.
#3  0x00007fffa12809a0 in ?? () from /usr/lib64/libc.so.6
No symbol table info available.
#4  0x00007fffa13569d0 in __fortify_fail () from /usr/lib64/libc.so.6
No symbol table info available.
#5  0x00007fffa1354390 in __chk_fail () from /usr/lib64/libc.so.6
No symbol table info available.
#6  0x00007fffa1356ea4 in __vsnprintf_chkieee128 () from /usr/lib64/libc.so.6
No symbol table info available.
#7  0x00000002f5932024 in __vsnprintfieee128 (__ap=<optimized out>, __fmt=0x2f59389c8 "Removing out-of-date numad run file because %s doesn't exist\n", __n=1024, __s=<optimized out>) at /usr/include/bits/stdio2.h:68
No locals.
#8  numad_log (level=level@entry=5, fmt=fmt@entry=0x2f59389c8 "Removing out-of-date numad run file because %s doesn't exist\n") at numad.c:180
        buf = "Sat Jan 14 14:11:40 2023: !\241\377\177\000\000\020<L\365\377\177\000\000\002", '\000' <repeats 15 times>, "H\022N\241\377\177\000\000\000\000\000\000\000\000\000\000p@L\365\377\177\000\000\300@H\241\377\177\000\000\230@L\365\377\177\000\000\377\377\377\377\004D\000D", '\000' <repeats 96 times>...
        ts = 1673734300
        p = <optimized out>
        ap = <optimized out>
#9  0x00000002f59336f8 in get_daemon_pid () at numad.c:806
        pid = 6792
        p = <optimized out>
        fname = "/proc/6792\000\241\377\177\000\000\200\004\f\034\003\000\000\000\000>L\365\377\177\000\000\350KL\365\377\177\000\000\224\027'\241\377\177\000\000\000rB\241\377\177\000\000\000\000\000\000\000\000\000\000\350KL\365\377\177\000\000\200\004\f\034\003\000\000\000\000\b\000\000\000\000\000\000\200BL\365\377\177\000\000\000\000\000\000\000\000\000\000p;\223\365\002\000\000\000\000\177\225\365\002\000\000\000\000\000H\241\377\177\000\000\000\000\000\000\000\000\000\000x\nH\241\377\177\000\000H?L\365\377\177\000\000X?L\365\377\177\000\000\240\026N\241\377\177\000\000\377\377\377\377", '\000' <repeats 14 times>, "N\241\377\177\000"
        fd = <optimized out>
        buf = "6792\nagesize:       2048 kB\n\000kB\n\000*N\241\377\177\000\000\000\000\000\000\000\000\000\000\030\nH\241\377\177\000\000\220@L\365\377\177\000\000_\232\177g\000\000\000\000\360?L\365\377\177\000\000\002D\002B\000\000\000\000|\215I\241\377\177\000\000\000\177N\241\377\177", '\000' <repeats 18 times>, "X?L\365\377\177\000\000\070\006H\241\377\177\000\000H?L\365\377\177\000\000\000\000\000\000\000\000\000\000\002\000\000\000\000\000\000\000\000\000\003\000\000\000\000\000P?L\365\377\177\000\000\000\000\000\000\000\000\000\000<\352\062\241\377\177\000\000\260\nN\241\377\177\000\000"...
        bytes = <optimized out>
#10 0x00000002f5937c4c in main (argc=<optimized out>, argv=0x7ffff54c4be8) at numad.c:2124
        opt = <optimized out>
        list_pid = 140737308806120
        p = 0x0
        d_flag = 0
        i_flag = 1
        l_flag = 0
        p_flag = 0
        r_flag = 0
        S_flag = 0
        u_flag = 0
        v_flag = 0
        w_flag = 0
        daemon_pid = <optimized out>
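The backtrace above shows the shape of the defect without showing the source: numad_log() fills a 1024-byte stack buffer with a ctime() stamp, then calls vsnprintf() on a pointer *past* the stamp while still passing __n=1024, the full buffer size, as the bound. Note that the message in the trace ("Removing out-of-date numad run file because %s doesn't exist") is short, so nothing was actually overwritten at runtime; __vsnprintf_chk aborts because the caller's bound exceeds what is left of the object. With _FORTIFY_SOURCE=2 the offset is a runtime strlen() result that __builtin_object_size cannot resolve, so the check falls back to the whole-object size and passes; _FORTIFY_SOURCE=3 uses __builtin_dynamic_object_size, which can compute the remaining size and trips. The following is an added example written for this page, not numad's code or the patch in the closing commit: it reconstructs the pattern with my own names (log_format, unsafe_overrun), assumes BUF_SIZE is 1024 as the trace's __n shows, and uses a fixed stamp string instead of ctime() so the result is deterministic. unsafe_overrun() computes how far the original bound would let a long message run past the buffer; log_format() is the corrected form, bounding the message write by the space left after the prefix.

```c
/* Added example, not numad's source. Reconstructs the numad_log() pattern
 * from the backtrace: timestamp prefix first, caller's message second, in one
 * fixed-size buffer. BUF_SIZE = 1024 is an assumption taken from __n=1024. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* How many bytes the original call, vsnprintf(buf + prefix_len, BUF_SIZE, ...),
 * would write past the end of a BUF_SIZE buffer for a msg_len-byte message.
 * Returns 0 when the message happens to fit (the case in the backtrace). */
size_t unsafe_overrun(size_t prefix_len, size_t msg_len)
{
    /* vsnprintf with bound BUF_SIZE stores at most BUF_SIZE-1 chars plus NUL */
    size_t stored = msg_len < BUF_SIZE ? msg_len : BUF_SIZE - 1;
    size_t end = prefix_len + stored + 1;
    return end > BUF_SIZE ? end - BUF_SIZE : 0;
}

/* Corrected form: the bound for the message is the space remaining after the
 * prefix, not the whole buffer. Returns the untruncated length (snprintf
 * semantics) so callers can detect truncation, or -1 if even the prefix does
 * not fit or a format error occurs. */
int log_format(char *buf, size_t buf_size, const char *stamp, const char *fmt, ...)
{
    int n = snprintf(buf, buf_size, "%s: ", stamp);
    if (n < 0 || (size_t)n >= buf_size)
        return -1;
    size_t used = (size_t)n;

    va_list ap;
    va_start(ap, fmt);
    /* The fix: bound = buf_size - used, never buf_size. */
    int m = vsnprintf(buf + used, buf_size - used, fmt, ap);
    va_end(ap);
    if (m < 0)
        return -1;
    return n + m;
}

int main(void)
{
    /* Constructed input: a message longer than the space left after a
     * 26-byte "ctime stamp + ': '" prefix. */
    static char msg[1100];
    memset(msg, 'A', 1010);
    msg[1010] = '\0';

    char buf[BUF_SIZE];
    int full = log_format(buf, sizeof buf, "Sat Jan 14 14:11:40 2023", "%s", msg);
    printf("needed %d bytes, stored %zu, original bound would overrun by %zu\n",
           full, strlen(buf), unsafe_overrun(26, 1010));
    return 0;
}
```

To see the abort from the trace, build the *original* pattern (bound BUF_SIZE on buf + used) with `gcc -O2 -D_FORTIFY_SOURCE=3`; the corrected bound is accepted by the same flags because it never exceeds the object size glibc computes.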
Comment 1 Georgy Yakovlev archtester gentoo-dev 2023-01-15 21:06:11 UTC
Portage 3.0.43 (python 3.11.1-final-0, default/linux/ppc64le/17.0/desktop/gnome/systemd/merged-usr, gcc-12, glibc-2.36-r5, 5.15.85-talos64 ppc64le)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.15.85-talos64-ppc64le-POWER9,_altivec_supported-with-glibc2.36
KiB Mem:   531976576 total, 467025216 free
KiB Swap:   16777088 total,  16777088 free
Timestamp of repository gentoo: Sun, 15 Jan 2023 20:32:08 +0000
Head commit of repository gentoo: d8e8f4edd4a55f3cb1c9dbc38032088543612800

Head commit of repository gyakovlev: 0856fcd1aa76ea80fa8cdebe81d243521ef775e5

sh bash 5.2_p15-r1
ld GNU ld (Gentoo 2.39 p5) 2.39.0
app-misc/pax-utils:        1.3.6-r1::gentoo
app-shells/bash:           5.2_p15-r1::gentoo
dev-java/java-config:      2.3.1::gentoo
dev-lang/perl:             5.36.0-r1::gentoo
dev-lang/python:           3.10.9::gentoo, 3.11.1::gentoo
dev-lang/rust:             1.66.1::gentoo
dev-util/cmake:            3.25.1::gentoo
dev-util/meson:            1.0.0::gentoo
sys-apps/baselayout:       2.9::gentoo
sys-apps/sandbox:          2.29::gentoo
sys-apps/systemd:          252.4::gentoo
sys-devel/autoconf:        2.13-r7::gentoo, 2.71-r5::gentoo
sys-devel/automake:        1.16.5::gentoo
sys-devel/binutils:        2.39-r4::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/clang:           15.0.6-r1::gentoo
sys-devel/gcc:             12.2.1_p20221231::gentoo
sys-devel/gcc-config:      2.10::gentoo
sys-devel/libtool:         2.4.7-r1::gentoo
sys-devel/lld:             15.0.6::gentoo
sys-devel/llvm:            15.0.6-r1::gentoo
sys-devel/make:            4.4::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc:            2.36-r5::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo.git
    priority: -1000
    volatile: False
    sync-git-verify-commit-signature: true
    sync-git-clone-extra-opts: -b stable -c gc.pruneExpire=now -c gc.reflogExpire=now -c gc.reflogExpireUnreachable=now -c gc.rerereResolved=0 -c gc.rerereUnresolved=0

gyakovlev
    location: /var/db/repos/gyakovlev
    sync-type: git
    sync-uri: https://github.com/gyakovlev/gentoo-overlay.git
    masters: gentoo
    volatile: True

Installed sets: @myX, @myapps, @mycompress, @mycontainers, @mydev, @myfonts, @mygnome, @myjava, @mykernel, @mypypy, @mysmartcard, @mysystem, @myutil
ACCEPT_KEYWORDS="ppc64 ~ppc64"
ACCEPT_LICENSE="@FREE"
CBUILD="powerpc64le-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=power9 -ftree-vectorize -pipe -frecord-gcc-switches -fdiagnostics-show-option -fdiagnostics-color=always"
CHOST="powerpc64le-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d"
CXXFLAGS="-O2 -mcpu=power9 -ftree-vectorize -pipe -frecord-gcc-switches -fdiagnostics-show-option -fdiagnostics-color=always"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner --ask-enter-invalid --jobs=64 --load-average 170 --quiet-build"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-O2 -mcpu=power9 -ftree-vectorize -pipe -frecord-gcc-switches -fdiagnostics-show-option -fdiagnostics-color=always"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live clean-logs compressdebug config-protect-if-modified distlocks ebuild-locks fakeroot fixlafiles ipc-sandbox mount-sandbox multilib-strict network-sandbox news parallel-fetch parallel-install pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -mcpu=power9 -ftree-vectorize -pipe -frecord-gcc-switches -fdiagnostics-show-option -fdiagnostics-color=always"
GENTOO_MIRRORS="https://gentoo.osuosl.org/"
INSTALL_MASK="  /etc/cron.daily/logrotate /etc/cron.daily/man-db /etc/conf.d /etc/init.d /etc/runlevels /usr/share/locale/* -/usr/share/locale/en -/usr/share/locale/en@IPA -/usr/share/locale/en@boldquot -/usr/share/locale/en@quot -/usr/share/locale/en@shaw -/usr/share/locale/en_GB -/usr/share/locale/en_GB.UTF-8 -/usr/share/locale/en_US -/usr/share/locale/en_US.UTF-8 -/usr/share/locale/locale.alias /usr/share/man/* -/usr/share/man/cat* -/usr/share/man/man* "
LANG="en_US.UTF-8"
LDFLAGS="-O2 -mcpu=power9 -ftree-vectorize -pipe -frecord-gcc-switches -fdiagnostics-show-option -fdiagnostics-color=always -Wl,-O1 -Wl,--as-needed -Wl,-z,relro,-z,now -Wl,--defsym=__gentoo_check_ldflags__=0"
LEX="flex"
LINGUAS="en"
MAKEOPTS="--jobs=140 --load-average=170"
PKGDIR="/var/cache/binpkgs"
PORTAGE_BZIP2_COMMAND="lbzip2"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="X a52 aac acl alsa audit avif bluetooth bluray branding bzip2 cairo caps cdda cddb cdr cli colord crypt cups daap dbus dist-kernel dri dts dvd dvdr eds encode evo exif filecaps flac fontconfig fortran freetype gdbm geolocation gif gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk gui hardened heif iconv icu ieee-long-double introspection ios ipv6 jpeg lcms libglvnd libnotify libsecret libzfs lm-sensors lto lz4 lzma mad mng modemmanager mp3 mp4 mpeg mtp nautilus ncurses networkmanager nptl numa ogg opengl openmp pam pango pcre pdf pgo pipewire plymouth png policykit ppc64 ppds pulseaudio readline scanner screencast seccomp smartcard sound spell ssl startup-notification svg systemd test-rust tiff tpm tracker truetype udev udisks unicode upower usb utempter v4l vaapi vala vim-syntax vorbis vulkan wayland webkit webp wifi wxwidgets x264 xattr xcb xft xinerama xml xscreensaver xv xvid zeroconf zfs zlib zstd" ADA_TARGET="gnat_2021" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" CAMERAS="fuji ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_PPC="altivec vsx vsx2 vsx3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linux" L10N="en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" 
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="AMDGPU" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_10" PYTHON_TARGETS="python3_10 python3_11" RUBY_TARGETS="ruby31" SANE_BACKENDS="escl" USERLAND="GNU" VIDEO_CARDS="amdgpu ast" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, LC_ALL, LD, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS

=================================================================
                        Package Settings
=================================================================

sys-devel/gcc-12.2.1_p20221231::gentoo was built with the following:
USE="(cxx) default-stack-clash-protection default-znow fortran graphite hardened (ieee-long-double) jit lto nptl openmp pgo (pie) sanitize ssp zstd (-ada) (-cet) (-custom-cflags) -d -debug -doc (-fixed-point) -go (-libssp) (-multilib) -nls -objc -objc++ -objc-gc (-pch) -systemtap -test -valgrind -vanilla (-vtv)"
CFLAGS="-mcpu=power9 -pipe -fdiagnostics-show-option -fdiagnostics-color=always -O2"
CXXFLAGS="-mcpu=power9 -pipe -fdiagnostics-show-option -fdiagnostics-color=always -O2"
FEATURES="strict mount-sandbox binpkg-logs sfperms binpkg-dostrip ebuild-locks unknown-features-warn compressdebug fixlafiles clean-logs parallel-install ipc-sandbox network-sandbox binpkg-multi-instance usersandbox sandbox buildpkg-live parallel-fetch distlocks splitdebug usersync config-protect-if-modified unmerge-logs news xattr userpriv protect-owned multilib-strict qa-unresolved-soname-deps binpkg-docompress assume-digests fakeroot unmerge-orphans pid-sandbox preserve-libs userfetch"
LDFLAGS="-mcpu=power9 -pipe -fdiagnostics-show-option -fdiagnostics-color=always -Wl,-O1 -Wl,--as-needed -Wl,-z,relro,-z,now -Wl,--defsym=__gentoo_check_ldflags__=0"
Comment 2 Larry the Git Cow gentoo-dev 2023-01-15 22:53:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3fb47a688395b40a6cdb5927dce68be79555d62c

commit 3fb47a688395b40a6cdb5927dce68be79555d62c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-01-15 22:42:19 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-01-15 22:50:05 +0000

    sys-process/numad: add 0.5_p20180531
    
    add a non-ancient version of numad. We take current stable from Fedora
    and add just a couple of commits on top, nothing major.
    Current Gentoo versions do not even support cgroupv2 and crash on
    startup.
    
    remove conf file. systemd unit no longer reads it, systemd users can use
    'systemctl edit numad.service' to override args as needed.
    openrc file uses conf.d and never used conf file.
    
    add ppc64le patch where node ids can be sparse.
    
    add temporary F_S=3 workaround until #890985 is solved.
    
    Bug: https://bugs.gentoo.org/890985
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 sys-process/numad/Manifest                         |  1 +
 .../files/numad-0.5-fix-sparse-node-ids.patch      | 53 ++++++++++++++++++++
 sys-process/numad/numad-0.5_p20180531.ebuild       | 56 ++++++++++++++++++++++
 3 files changed, 110 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-09-24 20:43:15 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddd56d6a0ab0ceee1de2ef95c3d88e1d3e780c49

commit ddd56d6a0ab0ceee1de2ef95c3d88e1d3e780c49
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2023-09-24 20:14:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2023-09-24 20:42:05 +0000

    sys-process/numad: fix buffer overflow, remove workaround.
    
    Closes: https://bugs.gentoo.org/890985
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../files/0001-numad_log-fix-buffer-overflow.patch | 25 ++++++++++++++++++++++
 ...531-r1.ebuild => numad-0.5_p20180531-r2.ebuild} | 10 ++++-----
 2 files changed, 29 insertions(+), 6 deletions(-)