libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing on VIA chipsets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libgcrypt11 (Ubuntu) | | Medium | Unassigned |
Karmic | Fix Released | Medium | Unassigned |
Bug Description
It seems that anything that uses libgcrypt, like cupsd, svn, etc., is terminated at launch because stack smashing is detected in libgcrypt11. This occurs with the karmic version 1.4.4-2ubuntu1 but not with the jaunty version 1.4.1. However, forcing 1.4.1 breaks all kinds of dependencies, so this is not a viable option for a karmic user.
Here is a sample of the output when trying to use svn:
justin@
*** stack smashing detected ***: svn terminated
======= Backtrace: =========
/lib/tls/
/lib/tls/
/lib/libgcrypt.
/lib/libgcrypt.
[0x0]
======= Memory map: ========
00110000-00131000 r-xp 00000000 08:01 1548521 /usr/lib/
00131000-00132000 r--p 00020000 08:01 1548521 /usr/lib/
00132000-00133000 rw-p 00021000 08:01 1548521 /usr/lib/
00133000-00145000 r-xp 00000000 08:01 2959951 /lib/tls/
00145000-00146000 r--p 00011000 08:01 2959951 /lib/tls/
00146000-00147000 rw-p 00012000 08:01 2959951 /lib/tls/
00147000-00149000 rw-p 00000000 00:00 0
00149000-00159000 r-xp 00000000 08:01 1548843 /usr/lib/
00159000-0015a000 r--p 0000f000 08:01 1548843 /usr/lib/
0015a000-0015b000 rw-p 00010000 08:01 1548843 /usr/lib/
0015b000-0015d000 r-xp 00000000 08:01 2941184 /lib/libcom_
0015d000-0015e000 r--p 00001000 08:01 2941184 /lib/libcom_
0015e000-0015f000 rw-p 00002000 08:01 2941184 /lib/libcom_
0015f000-00166000 r-xp 00000000 08:01 1550767 /usr/lib/
00166000-00167000 r--p 00006000 08:01 1550767 /usr/lib/
00167000-00168000 rw-p 00007000 08:01 1550767 /usr/lib/
00168000-0016a000 r-xp 00000000 08:01 2941272 /lib/libkeyutil
0016a000-0016b000 r--p 00001000 08:01 2941272 /lib/libkeyutil
0016b000-0016c000 rw-p 00002000 08:01 2941272 /lib/libkeyutil
0016f000-001bb000 r-xp 00000000 08:01 1554698 /usr/lib/
001bb000-001bc000 r--p 0004c000 08:01 1554698 /usr/lib/
001bc000-001bd000 rw-p 0004d000 08:01 1554698 /usr/lib/
001bd000-00319000 r-xp 00000000 08:01 2959936 /lib/tls/
00319000-0031a000 ---p 0015c000 08:01 2959936 /lib/tls/
0031a000-0031c000 r--p 0015c000 08:01 2959936 /lib/tls/
0031c000-0031d000 rw-p 0015e000 08:01 2959936 /lib/tls/
0031d000-00320000 rw-p 00000000 00:00 0
00321000-00328000 r-xp 00000000 08:01 2959952 /lib/tls/
00328000-00329000 r--p 00006000 08:01 2959952 /lib/tls/
00329000-0032a000 rw-p 00007000 08:01 2959952 /lib/tls/
0032a000-00350000 r-xp 00000000 08:01 1554571 /usr/lib/
00350000-00351000 r--p 00025000 08:01 1554571 /usr/lib/
00351000-00352000 rw-p 00026000 08:01 1554571 /usr/lib/
00352000-0037f000 r-xp 00000000 08:01 1554570 /usr/lib/
0037f000-00380000 r--p 0002c000 08:01 1554570 /usr/lib/
00380000-00381000 rw-p 0002d000 08:01 1554570 /usr/lib/
00381000-00383000 r-xp 00000000 08:01 1554702 /usr/lib/
00383000-00384000 r--p 00001000 08:01 1554702 /usr/lib/
00384000-00385000 rw-p 00002000 08:01 1554702 /usr/lib/
00399000-003dc000 r-xp 00000000 08:01 1554699 /usr/lib/
003dc000-003dd000 r--p 00042000 08:01 1554699 /usr/lib/
003dd000-003de000 rw-p 00043000 08:01 1554699 /usr/lib/
003de000-00401000 r-xp 00000000 08:01 1553634 /usr/lib/
00401000-00402000 r--p 00022000 08:01 1553634 /usr/lib/
00402000-00403000 rw-p 00023000 08:01 1553634 /usr/lib/
00413000-00433000 r-xp 00000000 08:01 1554285 /usr/lib/
00433000-00434000 ---p 00020000 08:01 1554285 /usr/lib/
00434000-00435000 r--p 00020000 08:01 1554285 /usr/lib/
00435000-00436000 rw-p 00021000 08:01 1554285 /usr/lib/
00436000-00461000 r-xp 00000000 08:01 1549319 /usr/lib/
00461000-00462000 r--p 0002a000 08:01 1549319 /usr/lib/
00462000-00463000 rw-p 0002b000 08:01 1549319 /usr/lib/
00479000-004a1000 r-xp 00000000 08:01 1554700 /usr/lib/
004a1000-004a2000 r--p 00027000 08:01 1554700 /usr/lib/
004a2000-004a3000 rw-p 00028000 08:01 1554700 /usr/lib/
004a3000-0052a000 r-xp 00000000 08:01 1549314 /usr/lib/
0052a000-0052b000 r--p 00087000 08:01 1549314 /usr/lib/
0052b000-0052c000 rw-p 00088000 08:01 1549314 /usr/lib/
0052c000-00555000 r-xp 00000000 08:01 1553047 /usr/lib/
00555000-00556000 r--p 00028000 08:01 1553047 /usr/lib/
00556000-00557000 rw-p 00029000 08:01 1553047 /usr/lib/
0055c000-0055f000 r-xp 00000000 08:01 2941268 /lib/libuuid.so.1.2
0055f000-00560000 r--p 00003000 08:01 2941268 /lib/libuuid.so.1.2
00560000-00561000 rw-p 00004000 08:01 2941268 /lib/libuuid.so.1.2
00561000-005a1000 r-xp 00000000 08:01 2941274 /lib/libdbus-
005a1000-005a2000 r--p 0003f000 08:01 2941274 /lib/libdbus-
005a2000-005a3000 rw-p 00040000 08:01 2941274 /lib/libdbus-
005cd000-005d4000 r-xp 00000000 08:01 1554283 /usr/lib/
005d4000-005d5000 r--p 00006000 08:01 1554283 /usr/lib/
005d5000-005d6000 rw-p 00007000 08:01 1554283 /usr/lib/
005d6000-00606000 r-xp 00000000 08:01 2941057 /lib/libpcre.
00606000-00607000 r--p 0002f000 08:01 2941057 /lib/libpcre.
00607000-00608000 rw-p 00030000 08:01 2941057 /lib/libpcre.
00608000-00632000 r-xp 00000000 08:01 2942639 /lib/libgcc_s.so.1
00632000-00633000 r--p 00029000 08:01 2942639 /lib/libgcc_s.so.1
00633000-00634000 rw-p 0002a000 08:01 2942639 /lib/libgcc_s.so.1
00640000-00680000 r-xp 00000000 08:01 1552312 /usr/lib/
00680000-00681000 ---p 00040000 08:01 1552312 /usr/lib/
00681000-00682000 r--p 00040000 08:01 1552312 /usr/lib/
00682000-00683000 rw-p 00041000 08:01 1552312 /usr/lib/
00683000-00684000 rw-p 00000000 00:00 0
00684000-00728000 r-xp 00000000 08:01 1550086 /usr/lib/
00728000-0072d000 r--p 000a4000 08:01 1550086 /usr/lib/
0072d000-0072e000 rw-p 000a9000 08:01 1550086 /usr/lib/
0073b000-00745000 r-xp 00000000 08:01 1554697 /usr/lib/
00745000-00746000 r--p 00009000 08:01 1554697 /usr/lib/
00746000-00747000 rw-p 0000a000 08:01 1554697 /usr/lib/
007a2000-007ab000 r-xp 00000000 08:01 2959938 /lib/tls/
007ab000-007ac000 r--p 00008000 08:01 2959938 /lib/tls/
007ac000-007ad000 rw-p 00009000 08:01 2959938 /lib/tls/
007ad000-007d4000 rw-p 00000000 00:00 0
007d4000-0084d000 r-xp 00000000 08:01 2941807 /lib/libgcrypt.
0084d000-0084e000 r--p 00078000 08:01 2941807 /lib/libgcrypt.
0084e000-00850000 rw-p 00079000 Aborted
justin@
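The report above is glibc's stack-protector abort: when a function's stack canary is found corrupted at return, `__stack_chk_fail` (through `__fortify_fail`) prints the backtrace and the process memory map and then aborts. The frames carry process addresses, which only become useful once mapped back onto the region of `/proc/self/maps` that contains them and converted to an offset within that file (for the text segment of a typical shared object that offset is what `addr2line -e` and `objdump` want). The helper below is added here and is not part of the bug report or of libgcrypt; it parses a constructed report in the same layout as the one above (paths, inodes and addresses are made up, and the dump above is truncated), resolves every frame, and picks out the first frame outside libc, which is the function whose canary check failed. Note that glibc 2.26 and later print only the first line, so this layout is specific to older systems such as the karmic one here.

```python
import re

# Constructed sample in the layout glibc (before 2.26) printed on a stack-protector
# abort: the "*** stack smashing detected ***" line, the backtrace as
# "path(symbol+offset)[address]" or "path[address]", then /proc/self/maps.
# Paths, inodes and addresses are made up for this example.
SAMPLE_REPORT = """\
*** stack smashing detected ***: svn terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x2a7b48]
/lib/tls/i686/cmov/libc.so.6(+0xeaaf0)[0x2a7af0]
/lib/libgcrypt.so.11[0x7e2d14]
/lib/libgcrypt.so.11[0x7e4a22]
[0x0]
======= Memory map: ========
00110000-00131000 r-xp 00000000 08:01 1548521    /usr/lib/libexample.so.0
00147000-00149000 rw-p 00000000 00:00 0
001bd000-00319000 r-xp 00000000 08:01 2959936    /lib/tls/i686/cmov/libc.so.6
00319000-0031a000 ---p 0015c000 08:01 2959936    /lib/tls/i686/cmov/libc.so.6
007d4000-0084d000 r-xp 00000000 08:01 2941807    /lib/libgcrypt.so.11.5.2
0084d000-0084e000 r--p 00078000 08:01 2941807    /lib/libgcrypt.so.11.5.2
"""

FRAME_RE = re.compile(r"^(?P<path>[^(\[]*)(?:\((?P<sym>[^)]*)\))?\[0x(?P<addr>[0-9a-f]+)\]$")
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$")


def parse_report(text):
    """Split the report into backtrace frames and memory-map regions."""
    frames, regions, section = [], [], None
    for line in text.splitlines():
        if line.startswith("======= Backtrace"):
            section = "bt"
        elif line.startswith("======= Memory map"):
            section = "map"
        elif section == "bt":
            m = FRAME_RE.match(line)
            if m:
                frames.append((m.group("path"), m.group("sym"), int(m.group("addr"), 16)))
        elif section == "map":
            m = MAP_RE.match(line)
            if m:
                regions.append((int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), int(m.group(4), 16), m.group(7)))
    return frames, regions


def resolve(addr, regions):
    """Map a process address to (path, file offset); None for unmapped addresses such as the 0x0 terminator."""
    for start, end, _perms, file_off, path in regions:
        if start <= addr < end and path:
            return path, addr - start + file_off
    return None


def blame(text):
    """One (hex address, path, file offset) triple per frame, in report order."""
    frames, regions = parse_report(text)
    result = []
    for _path, _sym, addr in frames:
        hit = resolve(addr, regions)
        result.append((hex(addr), hit[0] if hit else None, hit[1] if hit else None))
    return result


def first_frame_outside_libc(text):
    """First frame not in libc: the function whose canary check failed (poll_padlock in this bug)."""
    for _addr, path, off in blame(text):
        if path and "libc.so" not in path:
            return path, off
    return None


if __name__ == "__main__":
    for addr, path, off in blame(SAMPLE_REPORT):
        print(addr, path, hex(off) if off is not None else "-")
    print("canary failed in:", first_frame_outside_libc(SAMPLE_REPORT))
```

Resolving by address rather than by the path printed in the frame also handles the symlink mismatch visible in real reports: the backtrace names `libgcrypt.so.11` while the map holds the real file `libgcrypt.so.11.5.2`.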
Justin Chudgar (justinzane) wrote: #2
I do not have any special configurations that I am aware of. Is there anything you would like me to attach?
BTW, this seems to have been the cause of the following bug. There might be info there that make sense to you.
https:/
The only thing special that I can think of is that I have a VIA C7 cpu with the Padlock hardware RNG. I don't know if that makes a difference.
Kees Cook (kees) wrote: Re: [Bug 389053] Re: libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing #3
On Thu, Jun 18, 2009 at 08:38:12PM -0000, justinchudgar wrote:
> I do not have any special configurations that I am aware of. Is there
> anything you would like me to attach?
Can you do the following:
cd /tmp
ulimit -c unlimited
svn co ....(the command that crashes)
bzip2 -9 core
and then attach that core file?
> https:/
Yeah, this bug came to my attention via that bug. :)
> The only thing special that I can think of is that I have a VIA C7 cpu
> with the Padlock hardware RNG. I don't know if that makes a difference.
Hm, it's possible, but seems weird that libgcrypt11 would be touching that
device.
Thanks!
As requested... the core dump.
Kees Cook (kees) wrote: Re: [Bug 389053] Re: libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing #5
On Thu, Jun 18, 2009 at 10:10:51PM -0000, justinchudgar wrote:
> As requested... the core dump.
Thanks! And, heh, I think we have a culprit:
#6 0x0033b4a4 in __stack_
#7 0x00332d14 in poll_padlock (add=<value optimized out>, origin=<value optimized out>, fast=0) at rndhw.c:95
--
Kees Cook
Ubuntu Security Team
Changed in libgcrypt11 (Ubuntu): status: Incomplete → Confirmed
Y'know... I'm really starting to hate VIA right now. The openchrome driver somehow stomps on the bcmwl driver, so I try to build the subversion version of openchrome... to find out that the padlock driver stomps on libgcrypt11. Oh, well.
Thanks for finding that so quickly.
Justin Chudgar (justinzane) wrote: #7
As one would expect, removing viarng from /etc/modules means that libgcrypt11 and its dependencies like svn and cupsd work. Since this is a regression, it would be nice to find a fix, but the work-around is not that painful. It will catch anyone with VIA hardware by surprise during the karmic upgrade, though.
tags: added: regression-potential
Changed in libgcrypt11 (Ubuntu):
  importance: Undecided → Medium
  status: Confirmed → Triaged
tags: added: metabug
tags: removed: metabug
I have a Sylvania Gnetbook with a VIA C7-M CPU and can confirm it's the via-rng module; however, once it has been loaded, unloading the module again does not make the problem go away.
As per the changelog, libgcrypt added something dealing with RNGs between versions 1.4.1 and 1.4.2rc1:
2008-07-05 Werner Koch <email address hidden>
* random/: New.
* Makefile.am (DIST_SUBDIRS): Add random.
* configure.ac (AC_CONFIG_FILES): Add random/Makefile.
The file random/rndhw.c contains the Padlock-specific code and the failing function, poll_padlock().
Documented for Red Hat, with a fix submitted for Fedora 11; maybe a solution can be found by examining their patch.
https:/
Fixes fatal crash on VIA processors with Padlock RNG.
https:/
Patch extracted from the Red Hat/Fedora source RPM: libgcrypt-
* Thu Jun 18 2009 Tomas Mraz <email address hidden> 1.4.4-6
- and now really apply the padlock patch
* Wed Jun 17 2009 Tomas Mraz <email address hidden> 1.4.4-5
- fix VIA padlock RNG inline assembly call (#505724)
Applies cleanly to the Ubuntu source package libgcrypt11-
summary: changed from "libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing" to "libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing on VIA chipsets"
Launchpad Janitor (janitor) wrote: #11
This bug was fixed in the package libgcrypt11 - 1.4.4-2ubuntu2
---------------
libgcrypt11 (1.4.4-2ubuntu2) karmic; urgency=low
* Fix stack smashing on VIA processors with Padlock RNG (patch by Tomas
Mraz of Red Hat; thanks to Roberto Rosario for the archaeology; LP:
#389053).
-- Colin Watson <email address hidden> Thu, 02 Jul 2009 11:34:18 +0100
Changed in libgcrypt11 (Ubuntu Karmic): status: Triaged → Fix Released
I cannot reproduce this. Do you have any special subversion (or gcrypt) configurations? On a karmic chroot, this checkout works for me without crashing.