Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 67253

Summary: Sylpheed-claws 0.9.12 stack smashing attack in quote_fmtparse
Product: Gentoo Linux Reporter: Flammie Pirinen (RETIRED) <flammie>
Component: Current packagesAssignee: Marius Mauch (RETIRED) <genone>
Status: RESOLVED UPSTREAM    
Severity: normal CC: alfons.clawzilla, colin
Priority: High    
Version: 2004.2   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Test location of stack overrun
one problematic message
New patch
quote_fmt_parse.zip
Re-organise quote_fmt_parse.y so to work with -fstack-protector

Description Flammie Pirinen (RETIRED) gentoo-dev 2004-10-12 11:16:12 UTC 
When trying to reply some messages with Sylpheed claws, that was compiled with -fstack-protector, it dies with following message:

sylpheed-claws: stack smashing attack in function quote_fmtparse()
Interrupted

It doesn't break with all messages, but rather typically with longer threads on mailing lists. I haven't got it dying on any first reply to previously unquoted message at least. Test message I've constantly used is my discussion with Xavier Neys on gentoo-doc-fi mailing list, archived in gmane if it is needed. It seems that the test messages contain both flowed and unflowed message types, gpg signatures and signatures if that matters.

Reproducible: Always
Steps to Reproduce:
1. Open Sylpheed Claws
2. Reply to a message in a longish message thread that contains quotations and possibly quotations of quotations.
3. Watch program die.

Actual Results:  
Stack smashing protection sigaborted program.

Expected Results:  
Work. 

Portage 2.0.51_rc9 (default-linux/x86/2004.2, gcc-3.4.2,
glibc-2.3.4.20040619-r0, 2.6.8-rc2 i686)
=================================================================
System uname: 2.6.8-rc2 i686 AMD Duron(tm) processor
Gentoo Base System version 1.5.1
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers:  sys-kernel/linux26-headers-2.6.7-r3
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon -pipe -O"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.1/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref
/usr/share/config /usr/share/texmf/dvipdfm/config/
/usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/
/usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon -pipe -O"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs candy ccache distcc distlocks sandbox sfperms userpriv
usersandbox"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/
http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/local/bmg-main"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow X Xaw3d acpi aim alsa apache2 apm arts avi berkdb bitmap-fonts bonobo
bzlib cddb crypt cscope ctype cups curl dba dnd encode esd f77 faad fam flac
foomaticdb freetype gb gd gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml guile
icq imagemagick imlib ipv6 jack java joystick jpeg junit kde libg++ libwww mad
mbox mikmod mime mmx mng motif mozdomi mozilla moznomail mozp3p mozsvg
mozxmlterm mpeg music mysql ncurses net nls nptl offensive oggvorbis opengl
oscar oss pam pdflib perl png propolice python qt quicktime readline ruby samba
scanner sdl slang speex spell sse ssl stroke svg svga tcltk tcpd tetex theora
tiff transcode truetype type1 unicode usb videos x86 xface xforms xine xinerama
xml xml2 xmms xosd xprint xrandr xsl xv xvid zlib"

-fstack-protector is temporarily off to get seemingly working version of sc.
Comment 1 Alfons Hoogervorst 2004-12-07 09:18:09 UTC 
I need a backtrace, and also your quote format string to get a hint where the stack was smashed.
Thanks!
-- alfons
Comment 2 Alfons Hoogervorst 2004-12-07 09:47:29 UTC 
Created attachment 45444 [details, diff]
Test location of stack overrun

Mmmh, I've got a hunch here.
Can you apply the attached patch, and see what happens next? (If it still
happens, try increasing the changed value - 1024 - to something bigger, say
2048 and on, in steps of *2).
(Note that you need to have flex and bison installed to get claws compile
again).

Thanks!
Comment 3 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-07 10:36:55 UTC 
1024 does cause same problem still, strace ends like this, if it's of any help:

stat64("/home/tpirinen/Mail/Gentoo/Doc+fi+cvs/22", {st_mode=S_IFREG|0600, st_size=6658, ...}) = 0
time(NULL)                              = 1102443722
stat64("/home/tpirinen/Mail/Gentoo/Doc+fi+cvs/22", {st_mode=S_IFREG|0600, st_size=6658, ...}) = 0
open("/home/tpirinen/Mail/Gentoo/Doc+fi+cvs/22", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0600, st_size=6658, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6911000
_llseek(8, 0, [0], SEEK_SET)            = 0
read(8, "Return-path: <gentoo-doc-fi-retu"..., 4096) = 4096
close(8)                                = 0
munmap(0xb6911000, 4096)                = 0
open("/home/tpirinen/Mail/Gentoo/Doc+fi+cvs/22", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0600, st_size=6658, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6911000
_llseek(8, 0, [0], SEEK_SET)            = 0
read(8, "Return-path: <gentoo-doc-fi-retu"..., 1997) = 1997
read(8, "--------------enig31E3BE45C9BB48"..., 4096) = 4096
read(8, "nalisation Lead\n\\  http://www.ge"..., 4096) = 565
close(8)                                = 0
munmap(0xb6911000, 4096)                = 0
open("/home/tpirinen/Mail/Gentoo/Doc+fi+cvs/22", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0600, st_size=6658, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6911000
_llseek(8, 0, [0], SEEK_SET)            = 0
read(8, "Return-path: <gentoo-doc-fi-retu"..., 2128) = 2128
gettimeofday({1102443722, 741487}, NULL) = 0
open("/home/tpirinen/.sylpheed/mimetmp/sylpheed.dPkOBV", O_RDWR|O_CREAT|O_EXCL, 0600) = 10
fcntl64(10, F_GETFL)                    = 0x2 (flags O_RDWR)
fstat64(10, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6910000
_llseek(10, 0, [0], SEEK_CUR)           = 0
read(8, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4096) = 4096
write(10, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4017) = 4017
close(10)                               = 0
munmap(0xb6910000, 4096)                = 0
close(8)                                = 0
munmap(0xb6911000, 4096)                = 0
stat64("/home/tpirinen/.sylpheed/mimetmp/sylpheed.dPkOBV", {st_mode=S_IFREG|0600, st_size=4017, ...}) = 0
open("/home/tpirinen/.sylpheed/mimetmp/sylpheed.dPkOBV", O_RDONLY) = 8
fstat64(8, {st_mode=S_IFREG|0600, st_size=4017, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6911000
_llseek(8, 0, [0], SEEK_SET)            = 0
open("/home/tpirinen/.sylpheed/mimetmp/00000000.mimetmp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 10
read(8, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4096) = 4017
fstat64(10, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6910000
close(8)                                = 0
munmap(0xb6911000, 4096)                = 0
write(10, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4017) = 4017
close(10)                               = 0
munmap(0xb6910000, 4096)                = 0
open("/home/tpirinen/.sylpheed/mimetmp/00000000.mimetmp", O_RDONLY) = 8
open("/home/tpirinen/.sylpheed/tmp/sylpheed-claws.WbLclR", O_RDWR|O_CREAT|O_EXCL, 0600) = 10
unlink("/home/tpirinen/.sylpheed/tmp/sylpheed-claws.WbLclR") = 0
fcntl64(10, F_GETFL)                    = 0x2 (flags O_RDWR)
fstat64(10, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6911000
_llseek(10, 0, [0], SEEK_CUR)           = 0
fstat64(8, {st_mode=S_IFREG|0644, st_size=4017, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6910000
read(8, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4096) = 4017
read(8, "", 4096)                       = 0
close(8)                                = 0
munmap(0xb6910000, 4096)                = 0
write(10, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4017) = 4017
_llseek(10, 0, [0], SEEK_SET)           = 0
unlink("/home/tpirinen/.sylpheed/mimetmp/00000000.mimetmp") = 0
unlink("/home/tpirinen/.sylpheed/mimetmp/sylpheed.dPkOBV") = 0
read(10, "Flammie Pirinen wrote:\n> Ahh, I\'"..., 4096) = 4017
read(10, "", 4096)                      = 0
close(10)                               = 0
munmap(0xb6911000, 4096)                = 0
rt_sigprocmask(SIG_BLOCK, ~[ABRT RTMIN], NULL, 8) = 0
write(2, "sylpheed-claws: stack smashing a"..., 64sylpheed-claws: stack smashing attack in function quote_fmtparse) = 64
write(2, "()\n", 3()
)                     = 3
socket(PF_UNIX, SOCK_DGRAM, 0)          = 8
sendto(8, "<2>sylpheed-claws: stack smashin"..., 67, 0, {sa_family=AF_UNIX, path="/dev/log"}, 110) = 67
rt_sigaction(SIGABRT, {SIG_DFL}, NULL, 8) = 0
kill(7286, SIGABRT)                     = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++

gdb's backtrace's unfortunately less than informative at the moment, odd, since I tried to get all debug info possible in...:

#0  0xffffe410 in ?? ()
#1  0xbffc96c8 in ?? ()
#2  0xb7919860 in ?? () from /lib/libc.so.6
#3  0x00000006 in ?? ()
#4  0xb782b936 in kill () from /lib/libc.so.6
#5  0xb7817663 in __stack_smash_handler () from /lib/libc.so.6
#6  0x081529ce in quote_fmtparse ()
#7  0x7542202e in ?? ()
#8  0x68742074 in ?? ()
#9  0x73277461 in ?? ()
#10 0x73756a20 in ?? ()
#11 0x68742074 in ?? ()
#12 0x49207461 in ?? ()
#13 0x6c206d27 in ?? ()
#14 0x20737365 in ?? ()
#15 0x75716361 in ?? ()
#16 0x746e6961 in ?? ()
#17 0x74206465 in ?? ()
#18 0x6f77206f in ?? ()
#19 0x6e696b72 in ?? ()
#20 0x69772067 in ?? ()
#21 0x62206874 in ?? ()
#22 0x697a6775 in ?? ()
#23 0x20616c6c in ?? ()
#24 0x6e616874 in ?? ()
#25 0x61204920 in ?? ()
#26 0x6977206d in ?? ()
#27 0x65206874 in ?? ()
#28 0x6c69616d in ?? ()
#29 0x73000a2e in ?? ()
#30 0x6d656863 in ?? ()
#31 0x36202c65 in ?? ()
#32 0x74732029 in ?? ()
#33 0x20747261 in ?? ()
#34 0x6e617274 in ?? ()
#35 0x74616c73 in ?? ()
#36 0x2f676e69 in ?? ()
#37 0x64616572 in ?? ()
#38 0x2e676e69 in ?? ()
#39 0x65685420 in ?? ()
#40 0x6f687320 in ?? ()
#41 0x72657472 in ?? ()
#42 0x65687420 in ?? ()
#43 0x72656d20 in ?? ()
#44 0x72656972 in ?? ()
#45 0x08000a2e in ?? ()
#46 0x082f2528 in ?? ()
#47 0x082f4988 in ?? ()


What do you mean by quote format string? This is reply format:
%D{%Y-%m-%d}, %N sanoi, jotta:

%Q

And characters to be treated as quotes are: >|}
Comment 4 Alfons Hoogervorst 2004-12-07 10:45:00 UTC 
Yes, that's what I meant by "quote format string" - thanks.
Can you point me (URL link) to the offending message, or gzip-attach the offending message to this report?
Comment 5 Alfons Hoogervorst 2004-12-07 10:46:41 UTC 
Also, I'd very much appreciate it if you could do a final test of increasing the buffer size to say, 10K (10 * 1024), or higher.
Again, thanks.
Comment 6 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-07 11:08:51 UTC 
example of offending message: http://article.gmane.org/gmane.linux.gentoo.documentation.finnish/18 , hopefully this is enough. If not, I can try to dump raw message as attachment or something.

Same problem appears with 4k patch I tried, and I can't quite figure why I won't get any debug data, there is no stripping options and I even't tried to add -g switch to compiler.
Comment 7 Alfons Hoogervorst 2004-12-07 11:42:28 UTC 
10K? (Obviously some of the lines in the message are rather large.)
Also, yes, please attach the original message to this bug report.
Comment 8 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-07 19:56:47 UTC 
Created attachment 45487 [details]
one problematic message

This is one of those messages that unconditionally breaks. Just tested and the
b0rkage does happen even with 10k patch set.
Comment 9 Alfons Hoogervorst 2004-12-08 05:02:31 UTC 
Created attachment 45521 [details, diff]
New patch

Can you try the attached patch?

I could not reproduce the problem with your message, probably because of my
compiler (gcc 3.3.1). 
Try to attach gdb to a running sylpheed-claws, and also, make sure you started
sylpheed-claws with environment variable SYLPHEED_NO_CRASH=1 set:

% SYLPHEED_NO_CRASH=1 [path/to/]sylpheed

Thanks again.
Comment 10 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-09 04:05:31 UTC 
It still seems to crash, and no matter which pid I try to get with gdb, it still produces the same useless backtrace... Unfortunately I haven't got time to study the problem further at the moment.
Comment 11 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-10 08:56:09 UTC 
#0  0xffffe410 in ?? ()
#1  0xbffef158 in ?? ()
#2  0xb7919860 in ?? () from /lib/libc.so.6
#3  0x00000006 in ?? ()
#4  0xb782b936 in kill () from /lib/libc.so.6
#5  0xb7817663 in __stack_smash_handler () from /lib/libc.so.6
#6  0x081529de in quote_fmtparse () at quote_fmt_parse.c:2077
#7  0x7542202e in ?? ()
#8  0x68742074 in ?? ()
...
#46 0x082f2528 in ?? ()
#47 0x082f4988 in ?? ()

It seems I had had stripping turned on from portage as well. Hopefully this info will help.
Comment 12 Alfons Hoogervorst 2004-12-10 09:02:49 UTC 
Thanks!!!
Now can you get ten / twelve lines around quote_fmt_parse.c line 2077 (see your excellent trace). The problem is that quote_fmt_parse.c is generated from quote_fmt_parse.y.
(or if it's not that big, zip quote_fmt_parse.c and attach it to the bug report.)
Thanks again.
Comment 13 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-10 10:12:12 UTC 
Oddly enough, the line 2077 contains only final closing brace here...:
#ifndef yyoverflow
/*----------------------------------------------.
| yyoverflowlab -- parser overflow comes here.  |
`----------------------------------------------*/
yyoverflowlab:
  yyerror ("parser stack overflow");
  yyresult = 2;
  /* Fall through.  */
#endif

yyreturn:
#ifndef yyoverflow
  if (yyss != yyssa)
    YYSTACK_FREE (yyss);
#endif
  return yyresult;
}

or is there yet something else meddling with line numbers? I'll attach the zip for reference anyways.
Comment 14 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-10 10:14:28 UTC 
Created attachment 45689 [details]
quote_fmt_parse.zip

Contains whole generated quote_fmt_parse.c as picked from portage's working
directory.
Comment 15 Alfons Hoogervorst 2004-12-10 13:16:13 UTC 
Created attachment 45697 [details, diff]
Re-organise quote_fmt_parse.y so to work with -fstack-protector

To help you out a bit compiled and installed gcc 3.4.2 with the stack protector
patch; I found the same error.
It seems that the stack-protector code doesn't like bulky functions with lots
of local blocks with each allocating auto vars (stack vars). Breaking down the
parser functions in smaller functional units, always a good idea, seems to fix
the "error". Please check if this patch works for you.
Colin, can you double-check the patch too?

Thanks.
Comment 16 Flammie Pirinen (RETIRED) gentoo-dev 2004-12-11 02:03:58 UTC 
The patch keeps rejecting at first name, last name and middle initial. It seems to have been changed in rev 1.25 in your cvs. I'm manually pulling 1.22.5 indicated in patch header and using that one.

Works for me now. Thanks.
Comment 17 Alfons Hoogervorst 2004-12-11 02:14:55 UTC 
Thanks!

Colin: Send it to Hoa? Or just commit to HEAD and gtk2 after checking it a bit.
Comment 18 Colin Leroy 2004-12-11 04:01:20 UTC 
It looks ok to me, but I'd rather have Hoa check it: I didn't touch this code very much...
Comment 20 Marius Mauch (RETIRED) gentoo-dev 2005-01-05 04:57:52 UTC 
closing then