Bug 375157 - net-ftp/tftp-hpa-5.1: client buffer overflow in makerequest strcpy
Summary: net-ftp/tftp-hpa-5.1: client buffer overflow in makerequest strcpy
Status: RESOLVED DUPLICATE of bug 357083
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
: Normal major
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-14 09:25 UTC by Thomas Axelsson
Modified: 2011-10-13 16:22 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Buffer overflow patch from Ubuntu (use-memcpy-for-header.patch~,610 bytes, patch)
2011-07-14 09:26 UTC, Thomas Axelsson
Patch for the ebuild to use the memcpy patch (tftp-hpa-5.1.ebuild.patch,778 bytes, patch)
2011-07-14 09:28 UTC, Thomas Axelsson
patch (use-memcpy-for-header.patch,630 bytes, patch)
2011-07-31 23:06 UTC, fkhp

Description Thomas Axelsson 2011-07-14 09:25:24 UTC
The tftp client is aborted due to a buffer overflow when trying to "put" files.

Ubuntu has a patch, mentioned at https://launchpad.net/ubuntu/+source/tftp-hpa/+changelog
I did not manage to get the original patch, but reversed it from the package changelog diff at http://launchpadlibrarian.net/65402494/tftp-hpa_5.0-21ubuntu1_5.0-21ubuntu2.diff.gz

Reproducible: Always

Steps to Reproduce:
1. echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nput a\n" | tftp 192.168.1.1

Actual Results:  
tftp 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put a
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f64c6290ed7]
/lib64/libc.so.6(+0xead30)[0x7f64c628ed30]
tftp[0x401ba1]
tftp[0x402087]
tftp[0x403c47]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f64c61c2ebd]
tftp[0x401a89]
======= Memory map: ========
00400000-00407000 r-xp 00000000 09:07 4629698                            /usr/bin/tftp
00606000-00607000 r--p 00006000 09:07 4629698                            /usr/bin/tftp
00607000-00608000 rw-p 00007000 09:07 4629698                            /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0                                  [heap]
7f64c561a000-7f64c562f000 r-xp 00000000 09:07 11084033                   /lib64/libgcc_s.so.1
7f64c562f000-7f64c582e000 ---p 00015000 09:07 11084033                   /lib64/libgcc_s.so.1
7f64c582e000-7f64c582f000 r--p 00014000 09:07 11084033                   /lib64/libgcc_s.so.1
7f64c582f000-7f64c5830000 rw-p 00015000 09:07 11084033                   /lib64/libgcc_s.so.1
7f64c5830000-7f64c5b3e000 r--p 00000000 09:07 1591454                    /usr/lib64/locale/locale-archive
7f64c5b3e000-7f64c5b4a000 r-xp 00000000 09:07 2802717                    /lib64/libnss_files-2.13.so
7f64c5b4a000-7f64c5d49000 ---p 0000c000 09:07 2802717                    /lib64/libnss_files-2.13.so
7f64c5d49000-7f64c5d4a000 r--p 0000b000 09:07 2802717                    /lib64/libnss_files-2.13.so
7f64c5d4a000-7f64c5d4b000 rw-p 0000c000 09:07 2802717                    /lib64/libnss_files-2.13.so
7f64c5d4b000-7f64c5d4d000 r-xp 00000000 09:07 2802710                    /lib64/libdl-2.13.so
7f64c5d4d000-7f64c5f4d000 ---p 00002000 09:07 2802710                    /lib64/libdl-2.13.so
7f64c5f4d000-7f64c5f4e000 r--p 00002000 09:07 2802710                    /lib64/libdl-2.13.so
7f64c5f4e000-7f64c5f4f000 rw-p 00003000 09:07 2802710                    /lib64/libdl-2.13.so
7f64c5f4f000-7f64c5f9e000 r-xp 00000000 09:07 6146354                    /lib64/libncurses.so.5.9
7f64c5f9e000-7f64c619e000 ---p 0004f000 09:07 6146354                    /lib64/libncurses.so.5.9
7f64c619e000-7f64c61a2000 r--p 0004f000 09:07 6146354                    /lib64/libncurses.so.5.9
7f64c61a2000-7f64c61a3000 rw-p 00053000 09:07 6146354                    /lib64/libncurses.so.5.9
7f64c61a3000-7f64c61a4000 rw-p 00000000 00:00 0
7f64c61a4000-7f64c6326000 r-xp 00000000 09:07 2802730                    /lib64/libc-2.13.so
7f64c6326000-7f64c6525000 ---p 00182000 09:07 2802730                    /lib64/libc-2.13.so
7f64c6525000-7f64c6529000 r--p 00181000 09:07 2802730                    /lib64/libc-2.13.so
7f64c6529000-7f64c652a000 rw-p 00185000 09:07 2802730                    /lib64/libc-2.13.so
7f64c652a000-7f64c652f000 rw-p 00000000 00:00 0
7f64c652f000-7f64c656d000 r-xp 00000000 09:07 6163791                    /lib64/libreadline.so.6.2
7f64c656d000-7f64c676c000 ---p 0003e000 09:07 6163791                    /lib64/libreadline.so.6.2
7f64c676c000-7f64c676e000 r--p 0003d000 09:07 6163791                    /lib64/libreadline.so.6.2
7f64c676e000-7f64c6774000 rw-p 0003f000 09:07 6163791                    /lib64/libreadline.so.6.2
7f64c6774000-7f64c6776000 rw-p 00000000 00:00 0
7f64c6776000-7f64c6795000 r-xp 00000000 09:07 2802729                    /lib64/ld-2.13.so
7f64c6953000-7f64c6957000 rw-p 00000000 00:00 0
7f64c698b000-7f64c698d000 rw-p 00000000 00:00 0
7f64c698d000-7f64c6994000 r--s 00000000 09:07 2393513                    /usr/lib64/gconv/gconv-modules.cache
7f64c6994000-7f64c6995000 rw-p 00000000 00:00 0
7f64c6995000-7f64c6996000 r--p 0001f000 09:07 2802729                    /lib64/ld-2.13.so
7f64c6996000-7f64c6997000 rw-p 00020000 09:07 2802729                    /lib64/ld-2.13.so
7f64c6997000-7f64c6998000 rw-p 00000000 00:00 0
7fff57031000-7fff57053000 rw-p 00000000 00:00 0                          [stack]
7fff5709e000-7fff5709f000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Expected Results:  
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put a
sent WRQ <file=a, mode=octet>
sent WRQ <file=a, mode=octet>
sent WRQ <file=a, mode=octet>
sent WRQ <file=a, mode=octet>
....

sys-libs/glibc-2.13-r4
Comment 1 Thomas Axelsson 2011-07-14 09:26:53 UTC
Created attachment 280041 [details, diff]
Buffer overflow patch from Ubuntu
Comment 2 Thomas Axelsson 2011-07-14 09:28:37 UTC
Created attachment 280043 [details, diff]
Patch for the ebuild to use the memcpy patch
Comment 3 fkhp 2011-07-31 04:30:18 UTC
tftp failed


# echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nget wdsnbp.com\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> get wdsnbp.com
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f8ca500cd47]
/lib64/libc.so.6(+0xf7bc0)[0x7f8ca500abc0]
tftp[0x4020d1]
tftp[0x402b1d]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7f8ca4f342fd]
tftp[0x401fd9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:03 39012                              /usr/bin/tftp
00606000-00607000 r--p 00006000 08:03 39012                              /usr/bin/tftp
00607000-00608000 rw-p 00007000 08:03 39012                              /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0                                  [heap]
7f8ca4043000-7f8ca4058000 r-xp 00000000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4058000-7f8ca4257000 ---p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4257000-7f8ca4258000 r--p 00014000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4258000-7f8ca4259000 rw-p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7f8ca4259000-7f8ca48ae000 r--p 00000000 08:03 107790                     /usr/lib64/locale/locale-archive
7f8ca48ae000-7f8ca48ba000 r-xp 00000000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca48ba000-7f8ca4ab9000 ---p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca4ab9000-7f8ca4aba000 r--p 0000b000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca4aba000-7f8ca4abb000 rw-p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7f8ca4abb000-7f8ca4abd000 r-xp 00000000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4abd000-7f8ca4cbd000 ---p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4cbd000-7f8ca4cbe000 r--p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4cbe000-7f8ca4cbf000 rw-p 00003000 08:03 667043                     /lib64/libdl-2.13.so
7f8ca4cbf000-7f8ca4d0e000 r-xp 00000000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4d0e000-7f8ca4f0d000 ---p 0004f000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4f0d000-7f8ca4f11000 r--p 0004e000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4f11000-7f8ca4f12000 rw-p 00052000 08:03 665550                     /lib64/libncurses.so.5.9
7f8ca4f12000-7f8ca4f13000 rw-p 00000000 00:00 0 
7f8ca4f13000-7f8ca50a8000 r-xp 00000000 08:03 667052                     /lib64/libc-2.13.so
7f8ca50a8000-7f8ca52a7000 ---p 00195000 08:03 667052                     /lib64/libc-2.13.so
7f8ca52a7000-7f8ca52ab000 r--p 00194000 08:03 667052                     /lib64/libc-2.13.so
7f8ca52ab000-7f8ca52ac000 rw-p 00198000 08:03 667052                     /lib64/libc-2.13.so
7f8ca52ac000-7f8ca52b2000 rw-p 00000000 00:00 0 
7f8ca52b2000-7f8ca52ef000 r-xp 00000000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca52ef000-7f8ca54ef000 ---p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca54ef000-7f8ca54f1000 r--p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca54f1000-7f8ca54f7000 rw-p 0003f000 08:03 665443                     /lib64/libreadline.so.6.2
7f8ca54f7000-7f8ca54f9000 rw-p 00000000 00:00 0 
7f8ca54f9000-7f8ca5519000 r-xp 00000000 08:03 667051                     /lib64/ld-2.13.so
7f8ca56d9000-7f8ca56dd000 rw-p 00000000 00:00 0 
7f8ca570f000-7f8ca5710000 rw-p 00000000 00:00 0 
7f8ca5710000-7f8ca5717000 r--s 00000000 08:03 115386                     /usr/lib64/gconv/gconv-modules.cache
7f8ca5717000-7f8ca5719000 rw-p 00000000 00:00 0 
7f8ca5719000-7f8ca571a000 r--p 00020000 08:03 667051                     /lib64/ld-2.13.so
7f8ca571a000-7f8ca571b000 rw-p 00021000 08:03 667051                     /lib64/ld-2.13.so
7f8ca571b000-7f8ca571c000 rw-p 00000000 00:00 0 
7fff9e3ee000-7fff9e410000 rw-p 00000000 00:00 0                          [stack]
7fff9e4bc000-7fff9e4bd000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
已放弃
gentoo shm # ls
p  portage  pulse-shm-1883080623  pulse-shm-3653517906  pulse-shm-979569134  tftp>  wdsnbp.com
gentoo shm # echo -e "binary\nrexmt 1\ntimeout 60\ntrace\nput p\n" | tftp 192.168.0.92
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace
Packet tracing on.
tftp> put p
*** buffer overflow detected ***: tftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fd4e930dd47]
/lib64/libc.so.6(+0xf7bc0)[0x7fd4e930bbc0]
tftp[0x4020d1]
tftp[0x4025ae]
tftp[0x401c7a]
/lib64/libc.so.6(__libc_start_main+0xed)[0x7fd4e92352fd]
tftp[0x401fd9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:03 39012                              /usr/bin/tftp
00606000-00607000 r--p 00006000 08:03 39012                              /usr/bin/tftp
00607000-00608000 rw-p 00007000 08:03 39012                              /usr/bin/tftp
00608000-0066a000 rw-p 00000000 00:00 0                                  [heap]
7fd4e8344000-7fd4e8359000 r-xp 00000000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8359000-7fd4e8558000 ---p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8558000-7fd4e8559000 r--p 00014000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e8559000-7fd4e855a000 rw-p 00015000 08:03 2117863                    /usr/lib64/gcc/x86_64-pc-linux-gnu/4.6.1/libgcc_s.so.1
7fd4e855a000-7fd4e8baf000 r--p 00000000 08:03 107790                     /usr/lib64/locale/locale-archive
7fd4e8baf000-7fd4e8bbb000 r-xp 00000000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8bbb000-7fd4e8dba000 ---p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8dba000-7fd4e8dbb000 r--p 0000b000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8dbb000-7fd4e8dbc000 rw-p 0000c000 08:03 665772                     /lib64/libnss_files-2.13.so
7fd4e8dbc000-7fd4e8dbe000 r-xp 00000000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8dbe000-7fd4e8fbe000 ---p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8fbe000-7fd4e8fbf000 r--p 00002000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8fbf000-7fd4e8fc0000 rw-p 00003000 08:03 667043                     /lib64/libdl-2.13.so
7fd4e8fc0000-7fd4e900f000 r-xp 00000000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e900f000-7fd4e920e000 ---p 0004f000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e920e000-7fd4e9212000 r--p 0004e000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e9212000-7fd4e9213000 rw-p 00052000 08:03 665550                     /lib64/libncurses.so.5.9
7fd4e9213000-7fd4e9214000 rw-p 00000000 00:00 0 
7fd4e9214000-7fd4e93a9000 r-xp 00000000 08:03 667052                     /lib64/libc-2.13.so
7fd4e93a9000-7fd4e95a8000 ---p 00195000 08:03 667052                     /lib64/libc-2.13.so
7fd4e95a8000-7fd4e95ac000 r--p 00194000 08:03 667052                     /lib64/libc-2.13.so
7fd4e95ac000-7fd4e95ad000 rw-p 00198000 08:03 667052                     /lib64/libc-2.13.so
7fd4e95ad000-7fd4e95b3000 rw-p 00000000 00:00 0 
7fd4e95b3000-7fd4e95f0000 r-xp 00000000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e95f0000-7fd4e97f0000 ---p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e97f0000-7fd4e97f2000 r--p 0003d000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e97f2000-7fd4e97f8000 rw-p 0003f000 08:03 665443                     /lib64/libreadline.so.6.2
7fd4e97f8000-7fd4e97fa000 rw-p 00000000 00:00 0 
7fd4e97fa000-7fd4e981a000 r-xp 00000000 08:03 667051                     /lib64/ld-2.13.so
7fd4e99da000-7fd4e99de000 rw-p 00000000 00:00 0 
7fd4e9a10000-7fd4e9a11000 rw-p 00000000 00:00 0 
7fd4e9a11000-7fd4e9a18000 r--s 00000000 08:03 115386                     /usr/lib64/gconv/gconv-modules.cache
7fd4e9a18000-7fd4e9a1a000 rw-p 00000000 00:00 0 
7fd4e9a1a000-7fd4e9a1b000 r--p 00020000 08:03 667051                     /lib64/ld-2.13.so
7fd4e9a1b000-7fd4e9a1c000 rw-p 00021000 08:03 667051                     /lib64/ld-2.13.so
7fd4e9a1c000-7fd4e9a1d000 rw-p 00000000 00:00 0 
7fff54eb4000-7fff54ed6000 rw-p 00000000 00:00 0                          [stack]
7fff54f3b000-7fff54f3c000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
已放弃
Comment 4 fkhp 2011-07-31 23:06:34 UTC
Created attachment 281673 [details, diff]
patch

patch use-memcpy-for-header.patch
Comment 5 b4max 2011-09-15 20:44:14 UTC
Problem confirmed here. The patch works fine; please get it into the tree until upstream fixes it.
Comment 6 SpanKY gentoo-dev 2011-09-18 03:22:06 UTC
Comment on attachment 280041 [details, diff]
Buffer overflow patch from Ubuntu

This patch doesn't apply to tftp-hpa-5.1, as it seems to already be included.
Comment 7 SpanKY gentoo-dev 2011-09-18 03:22:39 UTC
Comment on attachment 280043 [details, diff]
Patch for the ebuild to use the memcpy patch

Since the patch doesn't apply, I don't see how this ebuild would work.
Comment 8 SpanKY gentoo-dev 2011-09-18 03:41:02 UTC
Comment on attachment 281673 [details, diff]
patch

This patch doesn't make any sense to me.

old code:
    strcpy(cp, name);
    cp += strlen(name);

    *cp++ = '\0';

    strcpy(cp, mode);
    cp += strlen(mode);

    *cp++ = '\0';

new code:
    len = strlen(name);
    memcpy(cp, name, len);
    cp += len;

    *cp++ = '\0';

    len = strlen(mode);
    memcpy(cp, mode, len);
    cp += len;

    *cp++ = '\0';

Seems to end up at the exact same place: cp has all the bytes of "name" copied to it, followed by a NUL char, followed by all the bytes of "mode", followed by a NUL char.

To put it a different way, these sets of statements are equivalent:

    strcpy(cp, name);       cp += strlen(name);        *cp++ = '\0';

    len = strlen(name);     memcpy(cp, name, len);     cp += len;     *cp++ = '\0';
Comment 9 Matt Whitlock 2011-10-05 07:08:05 UTC
(In reply to comment #8)
> Comment on attachment 281673 [details, diff]
> patch
> 
> this patch doesnt make any sense to me

I agree with your analysis that the patch apparently does not change the meaning of the code, yet it definitely eliminates the runtime failure.

I suspect the use of strcpy triggers the compiler to insert the stack smash detector logic, whereas the use of memcpy does not. In other words, this patch doesn't actually fix the underlying problem but merely disables the code that detects it.

Even so, since this is the difference between being able to use tftp-hpa and not, and since Ubuntu/Debian have included this patch, I request that the patch be added to the ebuild in Portage.
Comment 10 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-10-05 10:27:01 UTC
Looks like an off-by-one bug: when using strcpy() the final '\0' is added by strcpy(), and since it's off by one byte, it'll report as a buffer overflow. On the other hand, when using memcpy(), it stops _before_ the final '\0' that is instead added with *cp++ (which does not trigger fortification).

Basically, this means that Ubuntu went for a convoluted workaround because they couldn't tell how to properly fix this...
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-10-05 10:33:00 UTC
Mike, this looks almost identical to the issue with Wine's variable-sized data structures, as th_stuff is declared as char[1] in the /usr/include/arpa/tftp.h header... You might want to look at that?
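The situation described in comments 8, 10 and 11, as an added example that is not tftp-hpa's code and was not posted in this bug: a simplified struct mirroring the one-byte th_stuff field that the client fills with "name\0mode\0", and a request builder that checks the bound against the real buffer the caller owns, rather than letting a fortified strcpy() (which sizes the destination by the declared 1-byte field) or an unchecked memcpy() decide. The names tftphdr_like, make_request_checked and PKTSIZE_ASSUMED are my own, the struct is a stand-in for the union in <arpa/tftp.h>, and the 516-byte packet buffer is a constructed value.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from tftp-hpa or from this bug report.
 * Simplified stand-in for struct tftphdr from <arpa/tftp.h> (assumption:
 * the real header wraps these fields in a union).  th_stuff is declared
 * as one byte but is used as a variable-length payload, which is why a
 * fortified strcpy() into it aborts with "buffer overflow detected". */
struct tftphdr_like {
    unsigned short th_opcode;
    char th_stuff[1];
};

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define PKTSIZE_ASSUMED 516   /* constructed: 512 data bytes + 4 header bytes */

/* Build a RRQ/WRQ into buf, which really holds bufsize bytes.
 * Returns the packet length, or -1 when name, mode and their two NUL
 * terminators would not fit (or the opcode is not a request).  The
 * bound is checked against the caller's real buffer, not against the
 * declared 1-byte field, so the copy itself needs no size guessing. */
static int make_request_checked(int request, const char *name, const char *mode,
                                char *buf, size_t bufsize)
{
    size_t nlen = strlen(name);
    size_t mlen = strlen(mode);
    size_t need = offsetof(struct tftphdr_like, th_stuff) + nlen + 1 + mlen + 1;
    char *cp;

    if (request != TFTP_RRQ && request != TFTP_WRQ)
        return -1;
    if (need > bufsize)
        return -1;

    /* opcode in network byte order, as htons() would produce */
    buf[0] = (char)((request >> 8) & 0xff);
    buf[1] = (char)(request & 0xff);

    /* same byte layout as the old strcpy code and the memcpy patch:
     * name, NUL, mode, NUL */
    cp = buf + offsetof(struct tftphdr_like, th_stuff);
    memcpy(cp, name, nlen);
    cp += nlen;
    *cp++ = '\0';
    memcpy(cp, mode, mlen);
    cp += mlen;
    *cp++ = '\0';

    return (int)(cp - buf);
}

int main(void)
{
    char pkt[PKTSIZE_ASSUMED];
    int n = make_request_checked(TFTP_WRQ, "a", "octet", pkt, sizeof pkt);
    int i;

    if (n < 0) {
        puts("request does not fit in the packet buffer");
        return 1;
    }
    printf("WRQ <file=a, mode=octet>, %d bytes:", n);
    for (i = 0; i < n; i++)
        printf(" %02x", (unsigned char)pkt[i]);
    putchar('\n');
    return 0;
}
```

For "put a" in octet mode this yields the 10-byte packet 00 02 61 00 6f 63 74 65 74 00, the same bytes both snippets in comment 8 produce; the difference is that an oversized name or mode now returns -1 instead of writing past the packet or tripping the fortify check.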
Comment 12 SpanKY gentoo-dev 2011-10-05 15:32:09 UTC
Thanks, I'll look in that direction. This makes it sound like there isn't an actual security concern.
Comment 13 SpanKY gentoo-dev 2011-10-13 16:22:22 UTC

*** This bug has been marked as a duplicate of bug 357083 ***