Summary: | media-video/hasciicam-1.0 buffer overflow detected by _FORTIFY_SOURCE | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Ivan c00kiemon5ter Kanakarakis <ivan.kanak> |
Component: | Current packages | Assignee: | Gentoo Media-video project <media-video> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | flameeyes, hardened, stefano.priore |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | AMD64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 259417 | | |
Attachments: | Build log; Patch to hasciicam-1.0.ebuild to fix snprintf overflow | | |
Description
Ivan c00kiemon5ter Kanakarakis
2010-01-22 23:51:05 UTC
Please attach everything here and link to any other site.

```
HasciiCam 1.0 - (h)ascii 4 the masses! - http://ascii.dyne.org
(c)2000-2006 Denis Roio < jaromil @ dyne.org >
watch out for the (h)ASCII ROOTS
Device detected is /dev/video0
USB20 Camera
1 channels detected
max size w[640] h[480] - min size w[48] h[32]
Video capabilities:
VID_TYPE_CAPTURE can capture to memory
memory map of 4 frames: 1851392 bytes
Offset of frame 0: 0
Offset of frame 1: 462848
Offset of frame 2: 925696
Offset of frame 3: 1388544
error in ioctl VIDIOCMCAPTURE: Invalid argument
*** buffer overflow detected ***: hasciicam terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f97d08e9ec7]
/lib/libc.so.6(+0xe4d20)[0x7f97d08e7d20]
/lib/libc.so.6(+0xe432b)[0x7f97d08e732b]
/lib/libc.so.6(__snprintf_chk+0x7a)[0x7f97d08e71fa]
hasciicam[0x401f82]
hasciicam[0x403331]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f97d0821bbd]
hasciicam[0x401ab9]
======= Memory map: ========
Aborted
```

Oops, didn't see that you pasted it yourself.

Created attachment 248128: Build log

It is also detected at build time.
Created attachment 248581: Patch to hasciicam-1.0.ebuild to fix snprintf overflow
This patch changes the snprintf statement to use sizeof() to compute the buffer size, instead of specifying a value larger than the actual buffer. It has been confirmed to modify the code, but the code has not been compiled to verify it works.
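As an added example (not hasciicam's code and not the ebuild patch), this is the pattern the patch moves to: the snprintf bound is taken from sizeof of the destination at the call site, and the return value is checked so a truncated label is not mistaken for a good one. The struct, LABEL_LEN and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size text buffer standing in for the one hasciicam formats into. */
#define LABEL_LEN 32

struct label {
    char text[LABEL_LEN];
};

/* Format "<tag> w[<w>] h[<h>]" (the shape of hasciicam's "max size w[640] h[480]"
 * line) into dst, never writing past dst_size bytes.
 * Returns 0 when the text fit, 1 when it was cut off (still NUL-terminated),
 * -1 on an encoding error. snprintf reports the length the full text would
 * have had, which is how truncation is detected. */
int format_geometry_into(char *dst, size_t dst_size, const char *tag, int w, int h)
{
    int n = snprintf(dst, dst_size, "%s w[%d] h[%d]", tag, w, h);
    if (n < 0)
        return -1;
    return (size_t)n < dst_size ? 0 : 1;
}

/* The fortified snprintf (__snprintf_chk, visible in the report's backtrace)
 * compares the size argument with the object size the compiler can see for the
 * destination. A literal bound larger than the array compiles but aborts with
 * "*** buffer overflow detected ***" once the text exceeds the real buffer;
 * passing sizeof ties the bound to the declaration so it cannot drift.
 * Note that sizeof works here because the array is reached through the struct;
 * a bare "char text[]" parameter would have decayed to a pointer. */
int format_geometry(struct label *out, const char *tag, int w, int h)
{
    return format_geometry_into(out->text, sizeof out->text, tag, w, h);
}

int main(void)
{
    struct label l;
    int rc = format_geometry(&l, "max size", 640, 480);
    printf("rc=%d text=\"%s\"\n", rc, l.text);
    return rc == 0 ? 0 : 1;
}
```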
I've tested the proposed patch on x86 and amd64, and it compiles... unfortunately the program crashes on amd64 with the following message:

```
HasciiCam 1.0 - (h)ascii 4 the masses! - http://ascii.dyne.org
(c)2000-2006 Denis Roio < jaromil @ dyne.org >
watch out for the (h)ASCII ROOTS
Device detected is /dev/video0
USB 2.0 Camera
1 channels detected
max size w[640] h[480] - min size w[48] h[32]
Video capabilities:
VID_TYPE_CAPTURE can capture to memory
!! error in ioctl VIDIOCGMBUF: : Invalid argument
```

while under x86 it fails to communicate with the videocam, endlessly printing the following error:

```
. . .
error in ioctl VIDIOCSYNC: : Invalid argument
^Cinterrupt caught, exiting.
XIO: fatal IO error 22 (Invalid argument) on X server ":0.0"
after 352 requests (352 known processed) with 3 events remaining.
```

(In reply to comment #5)
> I've tested the proposed patch on x86 and amd64, and it compiles...
> unfortunately the program crashes on amd64 with the following message:

Did it work before the patch?

I've last tested hasciicam with the v4l1 driver qc-usb-messenger, years ago. It may be that it doesn't work at all with current kernel v4l2 drivers and, as such, should be lastrited.

Probably you're right... I want to contact the author to see if he's willing to port the program to v4l2.

This is fixed with 1.1.1, which also supports v4l2.