stack smashing attack detected in bash host tab completion

Bug #1926379 reported by Seth Arnold
This bug affects 3 people
Affects: glibc (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello, this is a speculative bug report at best.

In some long-lived bash terminals, tab completion of hostnames on ping or ssh commands is printing the glibc stack smashing attempt error message:

$ ping goog*** stack smashing detected ***: terminated
^C
$ ssh local*** stack smashing detected ***: terminated
host ^C

I installed the glibc update 2.31-0ubuntu9.3 https://lists.ubuntu.com/archives/focal-changes/2021-April/024256.html earlier today. Shells started *after* this update work fine. Shells started before this update show this behaviour.

$ cat /proc/$$/maps
55f1986be000-55f1986eb000 r--p 00000000 00:1c 337406 /usr/bin/bash
55f1986eb000-55f19879c000 r-xp 0002d000 00:1c 337406 /usr/bin/bash
55f19879c000-55f1987d3000 r--p 000de000 00:1c 337406 /usr/bin/bash
55f1987d3000-55f1987d7000 r--p 00114000 00:1c 337406 /usr/bin/bash
55f1987d7000-55f1987e0000 rw-p 00118000 00:1c 337406 /usr/bin/bash
55f1987e0000-55f1987ea000 rw-p 00000000 00:00 0
55f19a673000-55f19b057000 rw-p 00000000 00:00 0 [heap]
7f29171e9000-7f29171ec000 r--p 00000000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f29171ec000-7f29171f3000 r-xp 00003000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f29171f3000-7f29171f5000 r--p 0000a000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f29171f5000-7f29171f6000 r--p 0000b000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f29171f6000-7f29171f7000 rw-p 0000c000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f29171f7000-7f29171fd000 rw-p 00000000 00:00 0
7f2917210000-7f2917553000 r--p 00000000 00:1c 813840 /usr/lib/locale/locale-archive (deleted)
7f2917553000-7f2917556000 rw-p 00000000 00:00 0
7f2917556000-7f291757b000 r--p 00000000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f291757b000-7f29176f3000 r-xp 00025000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f29176f3000-7f291773d000 r--p 0019d000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f291773d000-7f291773e000 ---p 001e7000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f291773e000-7f2917741000 r--p 001e7000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f2917741000-7f2917744000 rw-p 001ea000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f2917744000-7f2917748000 rw-p 00000000 00:00 0
7f2917748000-7f2917749000 r--p 00000000 00:1c 811484 /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
7f2917749000-7f291774b000 r-xp 00001000 00:1c 811484 /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
7f291774b000-7f291774c000 r--p 00003000 00:1c 811484 /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
7f291774c000-7f291774d000 r--p 00003000 00:1c 811484 /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
7f291774d000-7f291774e000 rw-p 00004000 00:1c 811484 /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
7f291774e000-7f291775c000 r--p 00000000 00:1c 659440 /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
7f291775c000-7f291776b000 r-xp 0000e000 00:1c 659440 /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
7f291776b000-7f2917779000 r--p 0001d000 00:1c 659440 /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
7f2917779000-7f291777d000 r--p 0002a000 00:1c 659440 /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
7f291777d000-7f291777e000 rw-p 0002e000 00:1c 659440 /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
7f291777e000-7f2917780000 rw-p 00000000 00:00 0
7f291778c000-7f2917793000 r--s 00000000 00:1c 813296 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache (deleted)
7f2917793000-7f2917794000 r--p 00000000 00:1c 811474 /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
7f2917794000-7f29177b7000 r-xp 00001000 00:1c 811474 /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
7f29177b7000-7f29177bf000 r--p 00024000 00:1c 811474 /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
7f29177c0000-7f29177c1000 r--p 0002c000 00:1c 811474 /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
7f29177c1000-7f29177c2000 rw-p 0002d000 00:1c 811474 /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
7f29177c2000-7f29177c3000 rw-p 00000000 00:00 0
7ffd864bb000-7ffd864dc000 rw-p 00000000 00:00 0 [stack]
7ffd865b4000-7ffd865b7000 r--p 00000000 00:00 0 [vvar]
7ffd865b7000-7ffd865b8000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
$

Thanks

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libc6 2.31-0ubuntu9.3
ProcVersionSignature: Ubuntu 5.4.0-71.79-generic 5.4.101
Uname: Linux 5.4.0-71-generic x86_64
NonfreeKernelModules: lkp_Ubuntu_5_4_0_71_79_generic_76 zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
Date: Tue Apr 27 23:30:08 2021
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: glibc
UpgradeStatus: Upgraded to focal on 2020-01-24 (459 days ago)
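
The maps output in the description shows the pre-update libc-2.31.so, ld-2.31.so and libnss_files-2.31.so still mapped but marked (deleted). As an added example (not part of the original report), this Python sketch finds processes in that state so they can be restarted after a library upgrade; the function names are hypothetical and the sample is an excerpt of the output above.

```python
import os
import re

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+[0-9a-f]+\s+\S+"
    r"\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
DELETED = " (deleted)"

# Excerpt of the maps output quoted in the report (not a full dump).
SAMPLE_MAPS = """\
7f29171e9000-7f29171ec000 r--p 00000000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f29171ec000-7f29171f3000 r-xp 00003000 00:1c 811498 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
7f2917210000-7f2917553000 r--p 00000000 00:1c 813840 /usr/lib/locale/locale-archive (deleted)
7f291757b000-7f29176f3000 r-xp 00025000 00:1c 811482 /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f291775c000-7f291776b000 r-xp 0000e000 00:1c 659440 /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
7ffd864bb000-7ffd864dc000 rw-p 00000000 00:00 0 [stack]
"""

def stale_libraries(maps_text):
    """Return sorted paths of executable file mappings whose file was replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m["path"].endswith(DELETED):
            continue
        # Executable, file-backed mappings only: skips data files such as
        # locale-archive and anonymous regions (inode 0).
        if "x" in m["perms"] and m["inode"] != "0":
            stale.add(m["path"][: -len(DELETED)])
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale libraries for every readable process (Linux only)."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_libraries(fh.read())
        except OSError:  # process exited, or maps unreadable without privileges
            continue
        if stale:
            findings[int(entry)] = stale
    return findings

if __name__ == "__main__":
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Run as root to see every process; unprivileged runs report only processes whose maps file is readable.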

Seth Arnold (seth-arnold) wrote :

Possibly a duplicate of bug LP: #1926355 https://bugs.launchpad.net/bugs/1926355

Seth Arnold (seth-arnold) wrote :

I couldn't install the debug symbols:

 bash-dbgsym : Depends: bash (= 5.0-6ubuntu1) but 5.0-6ubuntu1.1 is to be installed

And I had to add a Package: bash line to my crash file.

Here are the frames that look most likely related:

#13 0x00007f29177a85fa in _dl_find_dso_for_object () from /lib64/ld-linux-x86-64.so.2
No symbol table info available.
#14 0x000055f19a675880 in ?? ()
No symbol table info available.
#15 0x00007ffd864d6140 in ?? ()
No symbol table info available.
#16 0x00007f2980000002 in ?? ()
No symbol table info available.
#17 0x00007f291769c62c in nss_load_library (ni=0x0) at nsswitch.c:359
        shlen = <error reading variable shlen (Cannot access memory at address 0xffffffb7)>
        saved_errno = 1
        shlib_name = <error reading variable shlib_name (Cannot access memory at address 0xffffffb7)>
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Balint Reczey (rbalint) wrote :

Thank you for the bug report.

The update has been reverted; please downgrade glibc binary packages to 2.31-0ubuntu9.2 until the new update becomes available.

The problem seems to be caused by the fix for LP: #1914044.

tags: added: regression-update
Balint Reczey (rbalint)
Changed in glibc (Ubuntu):
assignee: nobody → Balint Reczey (rbalint)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in glibc (Ubuntu):
status: New → Confirmed
Haw Loeung (hloeung) wrote :

We're also seeing this with rsyncd:

| Apr 28 09:35:04 behaim rsync[2152929]: *** stack smashing detected ***: terminated

From apt history logs:

| Upgrade: libldap-2.4-2:amd64 (2.4.49+dfsg-2ubuntu1.7, 2.4.49+dfsg-2ubuntu1.8), libc6-dev:amd64 (2.31-0ubuntu9.2, 2.31-0ubuntu9.3), grub-common:amd64 (2.04-1ubuntu26.9, 2.04-1ubuntu26.11), python3-pip:amd64 (20.0.2-5ubuntu1.1, 20.0.2-5ubuntu1.3), libc6:amd64 (2.31-0ubuntu9.2, 2.31-0ubuntu9.3)...

Balint Reczey (rbalint)
Changed in glibc (Ubuntu):
assignee: Balint Reczey (rbalint) → nobody
Balint Reczey (rbalint) wrote :

There is a WIP branch to prevent upgrades from 2.31-0ubuntu9.3 and cause crashes again on that path: https://code.launchpad.net/~rbalint/ubuntu/+source/glibc/+git/glibc/+ref/ubuntu/focal
