libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing on VIA chipsets

Bug #389053 reported by Justin Chudgar on 2009-06-18
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
libgcrypt11 (Ubuntu)
Medium
Unassigned
Karmic
Medium
Unassigned

Bug Description

It seems that anything that uses libgcrypt, like cupsd, svn, etc. is terminated at launch because stack smashing is detected in libgcrypt11. This occurs with the karmic version 1.4.4-2ubuntu1 but not with the jaunty version 1.4.1. However, forcing 1.4.1 breaks all kind of dependencies so this is not a viable option for a karmic user.

Here is a sample of the output when trying to use svn:

justin@justin-mininote:~/src$ svn checkout http://svn.openchrome.org/svn/trunk openchrome
*** stack smashing detected ***: svn terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x2bb038]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0x2baff0]
/lib/libgcrypt.so.11[0x82b4a4]
/lib/libgcrypt.so.11[0x822d14]
[0x0]
======= Memory map: ========
00110000-00131000 r-xp 00000000 08:01 1548521 /usr/lib/libaprutil-1.so.0.3.7
00131000-00132000 r--p 00020000 08:01 1548521 /usr/lib/libaprutil-1.so.0.3.7
00132000-00133000 rw-p 00021000 08:01 1548521 /usr/lib/libaprutil-1.so.0.3.7
00133000-00145000 r-xp 00000000 08:01 2959951 /lib/tls/i686/cmov/libresolv-2.9.so
00145000-00146000 r--p 00011000 08:01 2959951 /lib/tls/i686/cmov/libresolv-2.9.so
00146000-00147000 rw-p 00012000 08:01 2959951 /lib/tls/i686/cmov/libresolv-2.9.so
00147000-00149000 rw-p 00000000 00:00 0
00149000-00159000 r-xp 00000000 08:01 1548843 /usr/lib/libtasn1.so.3.1.5
00159000-0015a000 r--p 0000f000 08:01 1548843 /usr/lib/libtasn1.so.3.1.5
0015a000-0015b000 rw-p 00010000 08:01 1548843 /usr/lib/libtasn1.so.3.1.5
0015b000-0015d000 r-xp 00000000 08:01 2941184 /lib/libcom_err.so.2.1
0015d000-0015e000 r--p 00001000 08:01 2941184 /lib/libcom_err.so.2.1
0015e000-0015f000 rw-p 00002000 08:01 2941184 /lib/libcom_err.so.2.1
0015f000-00166000 r-xp 00000000 08:01 1550767 /usr/lib/libkrb5support.so.0.1
00166000-00167000 r--p 00006000 08:01 1550767 /usr/lib/libkrb5support.so.0.1
00167000-00168000 rw-p 00007000 08:01 1550767 /usr/lib/libkrb5support.so.0.1
00168000-0016a000 r-xp 00000000 08:01 2941272 /lib/libkeyutils-1.2.so
0016a000-0016b000 r--p 00001000 08:01 2941272 /lib/libkeyutils-1.2.so
0016b000-0016c000 rw-p 00002000 08:01 2941272 /lib/libkeyutils-1.2.so
0016f000-001bb000 r-xp 00000000 08:01 1554698 /usr/lib/libsvn_subr-1.so.1.0.0
001bb000-001bc000 r--p 0004c000 08:01 1554698 /usr/lib/libsvn_subr-1.so.1.0.0
001bc000-001bd000 rw-p 0004d000 08:01 1554698 /usr/lib/libsvn_subr-1.so.1.0.0
001bd000-00319000 r-xp 00000000 08:01 2959936 /lib/tls/i686/cmov/libc-2.9.so
00319000-0031a000 ---p 0015c000 08:01 2959936 /lib/tls/i686/cmov/libc-2.9.so
0031a000-0031c000 r--p 0015c000 08:01 2959936 /lib/tls/i686/cmov/libc-2.9.so
0031c000-0031d000 rw-p 0015e000 08:01 2959936 /lib/tls/i686/cmov/libc-2.9.so
0031d000-00320000 rw-p 00000000 00:00 0
00321000-00328000 r-xp 00000000 08:01 2959952 /lib/tls/i686/cmov/librt-2.9.so
00328000-00329000 r--p 00006000 08:01 2959952 /lib/tls/i686/cmov/librt-2.9.so
00329000-0032a000 rw-p 00007000 08:01 2959952 /lib/tls/i686/cmov/librt-2.9.so
0032a000-00350000 r-xp 00000000 08:01 1554571 /usr/lib/libsvn_fs_fs-1.so.1.0.0
00350000-00351000 r--p 00025000 08:01 1554571 /usr/lib/libsvn_fs_fs-1.so.1.0.0
00351000-00352000 rw-p 00026000 08:01 1554571 /usr/lib/libsvn_fs_fs-1.so.1.0.0
00352000-0037f000 r-xp 00000000 08:01 1554570 /usr/lib/libsvn_fs_base-1.so.1.0.0
0037f000-00380000 r--p 0002c000 08:01 1554570 /usr/lib/libsvn_fs_base-1.so.1.0.0
00380000-00381000 rw-p 0002d000 08:01 1554570 /usr/lib/libsvn_fs_base-1.so.1.0.0
00381000-00383000 r-xp 00000000 08:01 1554702 /usr/lib/libsvn_auth_gnome_keyring-1.so.1.0.0
00383000-00384000 r--p 00001000 08:01 1554702 /usr/lib/libsvn_auth_gnome_keyring-1.so.1.0.0
00384000-00385000 rw-p 00002000 08:01 1554702 /usr/lib/libsvn_auth_gnome_keyring-1.so.1.0.0
00399000-003dc000 r-xp 00000000 08:01 1554699 /usr/lib/libsvn_client-1.so.1.0.0
003dc000-003dd000 r--p 00042000 08:01 1554699 /usr/lib/libsvn_client-1.so.1.0.0
003dd000-003de000 rw-p 00043000 08:01 1554699 /usr/lib/libsvn_client-1.so.1.0.0
003de000-00401000 r-xp 00000000 08:01 1553634 /usr/lib/libneon-gnutls.so.27.1.4
00401000-00402000 r--p 00022000 08:01 1553634 /usr/lib/libneon-gnutls.so.27.1.4
00402000-00403000 rw-p 00023000 08:01 1553634 /usr/lib/libneon-gnutls.so.27.1.4
00413000-00433000 r-xp 00000000 08:01 1554285 /usr/lib/libsvn_ra_neon-1.so.1.0.0
00433000-00434000 ---p 00020000 08:01 1554285 /usr/lib/libsvn_ra_neon-1.so.1.0.0
00434000-00435000 r--p 00020000 08:01 1554285 /usr/lib/libsvn_ra_neon-1.so.1.0.0
00435000-00436000 rw-p 00021000 08:01 1554285 /usr/lib/libsvn_ra_neon-1.so.1.0.0
00436000-00461000 r-xp 00000000 08:01 1549319 /usr/lib/libgssapi_krb5.so.2.2
00461000-00462000 r--p 0002a000 08:01 1549319 /usr/lib/libgssapi_krb5.so.2.2
00462000-00463000 rw-p 0002b000 08:01 1549319 /usr/lib/libgssapi_krb5.so.2.2
00479000-004a1000 r-xp 00000000 08:01 1554700 /usr/lib/libsvn_repos-1.so.1.0.0
004a1000-004a2000 r--p 00027000 08:01 1554700 /usr/lib/libsvn_repos-1.so.1.0.0
004a2000-004a3000 rw-p 00028000 08:01 1554700 /usr/lib/libsvn_repos-1.so.1.0.0
004a3000-0052a000 r-xp 00000000 08:01 1549314 /usr/lib/libsqlite3.so.0.8.6
0052a000-0052b000 r--p 00087000 08:01 1549314 /usr/lib/libsqlite3.so.0.8.6
0052b000-0052c000 rw-p 00088000 08:01 1549314 /usr/lib/libsqlite3.so.0.8.6
0052c000-00555000 r-xp 00000000 08:01 1553047 /usr/lib/libk5crypto.so.3.1
00555000-00556000 r--p 00028000 08:01 1553047 /usr/lib/libk5crypto.so.3.1
00556000-00557000 rw-p 00029000 08:01 1553047 /usr/lib/libk5crypto.so.3.1
0055c000-0055f000 r-xp 00000000 08:01 2941268 /lib/libuuid.so.1.2
0055f000-00560000 r--p 00003000 08:01 2941268 /lib/libuuid.so.1.2
00560000-00561000 rw-p 00004000 08:01 2941268 /lib/libuuid.so.1.2
00561000-005a1000 r-xp 00000000 08:01 2941274 /lib/libdbus-1.so.3.4.0
005a1000-005a2000 r--p 0003f000 08:01 2941274 /lib/libdbus-1.so.3.4.0
005a2000-005a3000 rw-p 00040000 08:01 2941274 /lib/libdbus-1.so.3.4.0
005cd000-005d4000 r-xp 00000000 08:01 1554283 /usr/lib/libsvn_ra_local-1.so.1.0.0
005d4000-005d5000 r--p 00006000 08:01 1554283 /usr/lib/libsvn_ra_local-1.so.1.0.0
005d5000-005d6000 rw-p 00007000 08:01 1554283 /usr/lib/libsvn_ra_local-1.so.1.0.0
005d6000-00606000 r-xp 00000000 08:01 2941057 /lib/libpcre.so.3.12.1
00606000-00607000 r--p 0002f000 08:01 2941057 /lib/libpcre.so.3.12.1
00607000-00608000 rw-p 00030000 08:01 2941057 /lib/libpcre.so.3.12.1
00608000-00632000 r-xp 00000000 08:01 2942639 /lib/libgcc_s.so.1
00632000-00633000 r--p 00029000 08:01 2942639 /lib/libgcc_s.so.1
00633000-00634000 rw-p 0002a000 08:01 2942639 /lib/libgcc_s.so.1
00640000-00680000 r-xp 00000000 08:01 1552312 /usr/lib/libldap_r-2.4.so.2.4.1
00680000-00681000 ---p 00040000 08:01 1552312 /usr/lib/libldap_r-2.4.so.2.4.1
00681000-00682000 r--p 00040000 08:01 1552312 /usr/lib/libldap_r-2.4.so.2.4.1
00682000-00683000 rw-p 00041000 08:01 1552312 /usr/lib/libldap_r-2.4.so.2.4.1
00683000-00684000 rw-p 00000000 00:00 0
00684000-00728000 r-xp 00000000 08:01 1550086 /usr/lib/libgnutls.so.26.11.7
00728000-0072d000 r--p 000a4000 08:01 1550086 /usr/lib/libgnutls.so.26.11.7
0072d000-0072e000 rw-p 000a9000 08:01 1550086 /usr/lib/libgnutls.so.26.11.7
0073b000-00745000 r-xp 00000000 08:01 1554697 /usr/lib/libsvn_delta-1.so.1.0.0
00745000-00746000 r--p 00009000 08:01 1554697 /usr/lib/libsvn_delta-1.so.1.0.0
00746000-00747000 rw-p 0000a000 08:01 1554697 /usr/lib/libsvn_delta-1.so.1.0.0
007a2000-007ab000 r-xp 00000000 08:01 2959938 /lib/tls/i686/cmov/libcrypt-2.9.so
007ab000-007ac000 r--p 00008000 08:01 2959938 /lib/tls/i686/cmov/libcrypt-2.9.so
007ac000-007ad000 rw-p 00009000 08:01 2959938 /lib/tls/i686/cmov/libcrypt-2.9.so
007ad000-007d4000 rw-p 00000000 00:00 0
007d4000-0084d000 r-xp 00000000 08:01 2941807 /lib/libgcrypt.so.11.5.2
0084d000-0084e000 r--p 00078000 08:01 2941807 /lib/libgcrypt.so.11.5.2
0084e000-00850000 rw-p 00079000 Aborted
justin@justin-mininote:~/src$

Kees Cook (kees) wrote :

I cannot reproduce this. Do you have any special subversion (or gcrypt) configurations? On a karmic chroot, this checkout works for me without crashing.

Changed in libgcrypt11 (Ubuntu):
status: New → Incomplete
Justin Chudgar (justinzane) wrote :

I do not have any special configurations that I am aware of. Is there anything you would like me to attach?

BTW, this seems to have been the cause of the following bug. There might be info there that make sense to you.

https://bugs.launchpad.net/bugs/335898

The only thing special that I can think of is that I have a VIA C7 cpu with the Padlock hardware RNG. I don't know if that makes a difference.

On Thu, Jun 18, 2009 at 08:38:12PM -0000, justinchudgar wrote:
> I do not have any special configurations that I am aware of. Is there
> anything you would like me to attach?

Can you do the following:

cd /tmp
ulimit -c unlimited
svn co ....(the command that crashes)
bzip2 -9 core

and then attach that core file?

> https://bugs.launchpad.net/bugs/335898

Yeah, this bug came to my attention via that bug. :)

> The only thing special that I can think of is that I have a VIA C7 cpu
> with the Padlock hardware RNG. I don't know if that makes a difference.

Hm, it's possible, but seems weird that libgcrypt11 would be touching that
device.

Thanks!

As requested... the core dump.

On Thu, Jun 18, 2009 at 10:10:51PM -0000, justinchudgar wrote:
> As requested... the core dump.

Thanks! And, heh, I think we have a culprit:

#6 0x0033b4a4 in __stack_chk_fail_local () from /lib/libgcrypt.so.11
#7 0x00332d14 in poll_padlock (add=<value optimized out>, origin=<value optimized out>, fast=0) at rndhw.c:95

--
Kees Cook
Ubuntu Security Team

Changed in libgcrypt11 (Ubuntu):
status: Incomplete → Confirmed

Y'know... I'm really starting to hate VIA right now. The openchrome driver somehow stomps on the bcmwl driver, so I try to build the subversion version of openchrome... to find out that the padlock driver stomps on libgcrypt11. Oh, well.

Thanks for finding that so quickly.

Justin Chudgar (justinzane) wrote :

As one would expect, removing viarng from /etc/modules means that libgcrypt11 and its dependencies like svn and cupsd work. Since this is a regression, it would be nice to find a fix, but the work-around is not that painful. It will catch anyone with VIA hardware by surprise during the karmic upgrade, though.

tags: added: regression-potential
Changed in libgcrypt11 (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
tags: added: metabug
tags: removed: metabug

I have a Sylvania Gnetbook with a VIA C7-M CPU and can confirm it's the via-rng module, however once loaded, further unloading the module does not make the problem go away.

As per the changelog, libgcrypt added something dealing with RNGs between versions 1.4.1 and 1.4.2rc1:

2008-07-05 Werner Koch <email address hidden>

        * random/: New.
        * Makefile.am (DIST_SUBDIRS): Add random.
        * configure.ac (AC_CONFIG_FILES): Add random/Makefile.

the file random/rndhw.c contains Padlock specific code and the failing function - poll_padlock()

Documented for Redhat, fix submitted for Fedora 11, maybe a solution can be found examining their patch.

https://bugzilla.redhat.com/show_bug.cgi?id=505724

Fixes fatal crash on VIA processors with Padlock RNG.
https://admin.fedoraproject.org/updates/libgcrypt-1.4.4-6.fc11

patch extracted from redhat/fedora source rpm: libgcrypt-1.4.4-6.fc12.i586

* Thu Jun 18 2009 Tomas Mraz <email address hidden> 1.4.4-6
- and now really apply the padlock patch

* Wed Jun 17 2009 Tomas Mraz <email address hidden> 1.4.4-5
- fix VIA padlock RNG inline assembly call (#505724)

Applies cleanly to ubuntu source package libgcrypt11-1.4.4-2ubuntu1

Colin Watson (cjwatson) on 2009-07-02
summary: - libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing
+ libgcrypt11 version 1.4.4-2ubuntu1 causes stack smashing on VIA chipsets
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgcrypt11 - 1.4.4-2ubuntu2

---------------
libgcrypt11 (1.4.4-2ubuntu2) karmic; urgency=low

  * Fix stack smashing on VIA processors with Padlock RNG (patch by Tomas
    Mraz of Red Hat; thanks to Roberto Rosario for the archaeology; LP:
    #389053).

 -- Colin Watson <email address hidden> Thu, 02 Jul 2009 11:34:18 +0100

Changed in libgcrypt11 (Ubuntu Karmic):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.