Bug 425184

Summary:	net-ftp/netkit-tftp-0.17-r7 has a buffer overflow
Product:	Gentoo Linux	Reporter:	Robin Kauffman <robink>
Component:	[OLD] Core system	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:	357083
Bug Blocks:
Attachments:	emerge --info for emily (AMD64 system, 10.0 profile, GCC 4.7.1, glibc 2.16.0) =net-ftp/netkit-tftp-0.17-r7 backtrace (with debugging symbols)

Description Robin Kauffman 2012-07-07 18:38:25 UTC

Created attachment 317518 [details]
emerge --info for emily (AMD64 system, 10.0 profile, GCC 4.7.1, glibc 2.16.0)

After upgrading my sys-libs/glibc to 2.16.0 and my GCC to 4.7.1 (it's set as default compiler, not just merged), netkit-tftp will abort on suspected buffer overflow when attempting to put a file of any size to a host that is either present on the network or not there.  From what I can tell, it aborts before even connecting (or at least sending data) to the remote machine.  Here is the log:

robink@emily ~ $ tftp 192.168.1.20
tftp> mode binary
tftp> put u-boot.bin
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fdc1a61e037]
/lib64/libc.so.6(+0xfb030)[0x7fdc1a61c030]
tftp(sendfile+0xaf)[0x401aaf]
tftp[0x40285a]
tftp[0x40153f]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fdc1a545985]
tftp[0x40158d]
======= Memory map: ========
00400000-00405000 r-xp 00000000 00:0e 39042669                           /usr/bin/tftp
00604000-00605000 r--p 00004000 00:0e 39042669                           /usr/bin/tftp
00605000-00606000 rw-p 00005000 00:0e 39042669                           /usr/bin/tftp
00606000-00607000 rw-p 00000000 00:00 0 
013bb000-013dc000 rw-p 00000000 00:00 0                                  [heap]
7fdc19ef6000-7fdc19f0b000 r-xp 00000000 00:0e 38604429                   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.7.1/libgcc_s.so.1
7fdc19f0b000-7fdc1a10a000 ---p 00015000 00:0e 38604429                   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.7.1/libgcc_s.so.1
7fdc1a10a000-7fdc1a10b000 r--p 00014000 00:0e 38604429                   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.7.1/libgcc_s.so.1
7fdc1a10b000-7fdc1a10c000 rw-p 00015000 00:0e 38604429                   /usr/lib64/gcc/x86_64-pc-linux-gnu/4.7.1/libgcc_s.so.1
7fdc1a10c000-7fdc1a118000 r-xp 00000000 00:0e 38888413                   /lib64/libnss_files-2.16.so
7fdc1a118000-7fdc1a317000 ---p 0000c000 00:0e 38888413                   /lib64/libnss_files-2.16.so
7fdc1a317000-7fdc1a318000 r--p 0000b000 00:0e 38888413                   /lib64/libnss_files-2.16.so
7fdc1a318000-7fdc1a319000 rw-p 0000c000 00:0e 38888413                   /lib64/libnss_files-2.16.so
7fdc1a319000-7fdc1a31f000 r-xp 00000000 00:0e 38888414                   /lib64/libnss_db-2.16.so
7fdc1a31f000-7fdc1a51f000 ---p 00006000 00:0e 38888414                   /lib64/libnss_db-2.16.so
7fdc1a51f000-7fdc1a520000 r--p 00006000 00:0e 38888414                   /lib64/libnss_db-2.16.so
7fdc1a520000-7fdc1a521000 rw-p 00007000 00:0e 38888414                   /lib64/libnss_db-2.16.so
7fdc1a521000-7fdc1a6bc000 r-xp 00000000 00:0e 38888425                   /lib64/libc-2.16.so
7fdc1a6bc000-7fdc1a8bc000 ---p 0019b000 00:0e 38888425                   /lib64/libc-2.16.so
7fdc1a8bc000-7fdc1a8c0000 r--p 0019b000 00:0e 38888425                   /lib64/libc-2.16.so
7fdc1a8c0000-7fdc1a8c2000 rw-p 0019f000 00:0e 38888425                   /lib64/libc-2.16.so
7fdc1a8c2000-7fdc1a8c6000 rw-p 00000000 00:00 0 
7fdc1a8c6000-7fdc1a8e7000 r-xp 00000000 00:0e 38888426                   /lib64/ld-2.16.so
7fdc1aa8d000-7fdc1aa90000 rw-p 00000000 00:00 0 
7fdc1aae2000-7fdc1aae7000 rw-p 00000000 00:00 0 
7fdc1aae7000-7fdc1aae8000 r--p 00021000 00:0e 38888426                   /lib64/ld-2.16.so
7fdc1aae8000-7fdc1aae9000 rw-p 00022000 00:0e 38888426                   /lib64/ld-2.16.so
7fdc1aae9000-7fdc1aaea000 rw-p 00000000 00:00 0 
7fff16a3a000-7fff16a5c000 rw-p 00000000 00:00 0                          [stack]
7fff16b80000-7fff16b81000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

The file doesn't matter, and the mode doesn't matter (can be ascii or binary, used binary mode because that's what I mostly use with tftp).

I can post gdb or strace output if desired, I just don't know what I'd be looking for so if you could give me a suggestion as to what to try to trigger or grep for, it would be much appreciated.

Emerge info in next comment, as an attachment, and online at http://rms3.creosotehill.org/mirror/emerge_info_emily_2012070701.txt .  If there is any more information I can provide, please let me know and I will gladly add it to this bug.

Comment 1 Robin Kauffman 2012-07-07 18:40:13 UTC

emerge --info won't fit in a comment, here's the top part:


Portage 2.2.0_alpha84 (default/linux/amd64/10.0, gcc-4.7.1, unavailable, 3.4.0-g4c992ac x86_64)
=================================================================
System uname: Linux-3.4.0-g4c992ac-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-gentoo-2.0.3
Timestamp of tree: Sat, 07 Jul 2012 08:15:01 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:      4.1_p9
dev-java/java-config: 2.1.11-r3::progress
dev-lang/python:      2.4.6, 2.5.4-r4, 2.6.7-r2, 2.7.2-r3, 3.1.4-r3, 3.2.2, 3.3_pre20110410::python
dev-util/ccache:      2.4-r7
dev-util/cmake:       2.8.6-r4
dev-util/pkgconfig:   0.26
sys-apps/baselayout:  2.0.3
sys-apps/openrc:      0.9.9.3
sys-apps/sandbox:     2.5
sys-devel/autoconf:   2.13, 2.68
sys-devel/automake:   1.5, 1.7.9-r1, 1.9.6-r3, 1.10.3, 1.11.4
sys-devel/binutils:   2.22-r1
sys-devel/gcc:        4.3.6-r1, 4.4.6-r1, 4.5.3-r2, 4.6.3, 4.7.1
sys-devel/gcc-config: 1.6
sys-devel/libtool:    1.3.5, 2.4-r1
sys-devel/make:       3.82-r1
sys-libs/glibc:       2.16.0

Comment 2 Jeroen Roovers (RETIRED) gentoo-dev

2012-07-08 14:13:58 UTC

(In reply to comment #1)
> emerge --info won't fit in a comment, here's the top part:

Attach as a file, then.

Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev

2012-07-08 16:44:03 UTC

I can reproduce, but there is no warning about it either, fun!

Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev

2012-07-08 16:49:30 UTC

I'm having trouble getting to the full backtrace on my tinderbox, if you can get a full backtrace according to http://www.gentoo.org/proj/en/qa/backtraces.xml it would be helpful.

Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev

2012-07-08 17:03:11 UTC

Okay I was able to reproduce it multiple times, with GCC 4.6 and glibc-2.15 as well, so it's definitely not tied to those two systems.

Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev

2012-07-08 17:42:17 UTC

Fixed with a patch... but I think I'll last rite this anyway... any reason you're not using tftp-hpa?

Comment 7 Robin Kauffman 2012-07-08 17:52:36 UTC

tftp-hpa doesn't talk to my RouterStation Pro's bootloader (I'm not talking U-Boot, I'm talking the bootloader that lets you load the actual bootloader to be used, along with a kernel and initrd/rootfs).  It is irreplaceable (you are not allowed to overwrite it, with good reason, it is the only way to recover a bricked OS deployment, and if you brick *it*, well...) and were it rewritable the image is not publicly available (someone would have to write one, or sneak it out of Ubiquiti's software development storage pool).  *So*, netkit-tftp (when it works) is my preferred tftp client for talking to devices, because it seems to understand all the quirks of closed-source and free software TFTP servers alike, and never fails to (eventually) get a file pushed.  I can try tftp-hpa again, but it never seemed able to push a file to the Ubiquiti BIOS' bootloader, which is what I'm trying to do *right now*.

Comment 8 Robin Kauffman 2012-07-08 17:55:29 UTC

Created attachment 317592 [details]
=net-ftp/netkit-tftp-0.17-r7 backtrace (with debugging symbols)

Also, I know you fixed this, but here's my backtrace attached as a file.

Lastly, I just checked sources.gentoo.org (gentoo-x86/net-ftp/netkit-tftp/), and the mtime for netkit-tftp-0.17-r7.ebuild is still 15 months ago.  Would you be willing to attach your patch or push it to either the tree or an overlay I could pull it from?  Thank you very much, and I'm sorry for all the trouble :-)

Comment 9 Robin Kauffman 2012-07-08 18:00:27 UTC

Oops, failed to hit reload.  Sorry, I see it and will pull/install it.  If you don't hear from me it works and this bug can remain closed.

Comment 10 SpanKY gentoo-dev

2012-07-09 12:51:59 UTC

that patch is incorrect.  simple fix:
 rm include/arpa/tftp.h

Comment 11 SpanKY gentoo-dev

2012-07-22 20:27:00 UTC

should be all set now in the tree; thanks for the report!

Commit message: Fix fortify errors for real
http://sources.gentoo.org/net-ftp/netkit-tftp/netkit-tftp-0.17-r8.ebuild?r1=1.1&r2=1.2