Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 358435

Summary: x11-libs/libfm: stack-smashing on hardened-amd64
Product: Gentoo Linux Reporter: Christian Apeltauer <c.apeltauer>
Component: HardenedAssignee: Markos Chandras (RETIRED) <hwoarang>
Status: RESOLVED TEST-REQUEST    
Severity: normal CC: hardened, nikoli, vina
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: output of cave info libfm
bugfix to type inconsistency in _fm_archiver_init

Description Christian Apeltauer 2011-03-11 18:36:26 UTC 
When calling pcmanfm is called, the application stops with a stack-smashing on startup; said stack-smashing happens when returning from the function 

_fm_archiver_init

in base/fm-archiver.c belonging to x11-libs/libfm. The stack frame before the crash:
#0  _fm_archiver_init () at base/fm-archiver.c:225
#1  0x0000037f200bbd9d in fm_init (config=0x3d6b829030) at fm.c:59
#2  0x0000037f2099d479 in fm_gtk_init (config=<value optimized out>)
    at fm-gtk.c:26
#3  0x0000003d6b5d29e4 in main (argc=1, argv=0x382dbed9798) at pcmanfm.c:194

As a workaround the file 
/usr/share/libfm/archivers.list
can be deleted and pcmanfm starts up without stack-smashing.
I tried to delete those entries which belong to non-installed archivers, but the stack-smashing still happens.

Reproducible: Always
Comment 1 Christian Apeltauer 2011-03-11 18:37:10 UTC 
Created attachment 265581 [details]
output of cave info libfm
Comment 2 vina 2011-06-23 14:50:47 UTC 
Created attachment 277879 [details, diff]
bugfix to type inconsistency in _fm_archiver_init

The initialization of library libfm contains a type inconsistency on 64bit 
systems, which probably leads to stack corruption (on non-hardened systems)
and shows a stack-smashing attack on hardened systems.

This is due to the following:

  The test program fm-path (test-fm-path.c) initializes libfm
  int main(int argc, char *argv[])                                        // libfm/src/tests/test-fm-path.c
  calls: gboolean fm_init(FmConfig* config)                               // libfm/src/fm.c
  calls: void _fm_archiver_init()                                         // libfm/src/base/fm-archiver.c
         {
           ...
           int n_archivers;
           char** programs = g_key_file_get_groups(kf, &n_archivers);
           ...
         }
  calls: gchar** g_key_file_get_groups(GKeyFile *key_file, gsize *length) // glib/gkeyfile.c

The 32-bit variable 'n_archivers' on the stack of _fm_archiver_init is provided 
to g_key_file_get_groups by reference and assumed to be a 64-bit variable
'length'. g_key_file_get_groups modifies 'length' and thus corrupts the
stack of _fm_archiver_init.

/**********************************************************************/
/* on 64-bit systems in:                                              */
/* /usr/lib64/glib-2.0/include/glibconfig.h                           */
/**********************************************************************/
  typedef unsigned long gsize;
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-06-24 08:09:41 UTC 
The patch looks good to me. Is someone willing to notify upstream about that?
Comment 4 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2012-10-10 21:56:41 UTC 
Seems upstream fixed this alreadyi 1.0.1:
http://pcmanfm.git.sourceforge.net/git/gitweb.cgi?p=pcmanfm/libfm;a=commit;h=8972eaaef0bb43491b7578dd3e8c9f14455d1d6a

Hwoarang is the package bumpable? An off by 4 stack overflow may be enough to be exploitable if properly done.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2012-11-06 10:21:12 UTC 
The ebuild is already in the tree. 1.0.2 and 1.1.0. Can you test them?
Comment 6 Christian Apeltauer 2012-11-12 07:11:58 UTC 
Installed now libfm-1.1.0 and it worked oput of the box