Ubuntu

nvram-wakeup buffer overflow detected

Reported by a1bert on 2009-05-01
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nvram-wakeup (Debian)
Fix Released
Unknown
nvram-wakeup (Ubuntu)
Undecided
Kees Cook
Intrepid
Undecided
Kees Cook
Jaunty
Undecided
Kees Cook
Karmic
Undecided
Kees Cook

Bug Description

Binary package hint: nvram-wakeup

nvram-wakeup 0.97-14lenny1 triggers buffer overflow protection (fortify?):

SRU STATEMENT: Package does not function at all on Jaunty, fixing the overflow solves this.
ADDRESSED: buffer overflow was identified and fixed.
TEST CASE: sudo nvram-wakeup -A -C /etc/nvram-wakeup.conf --settime 1441154840
REGRESSION POTENTIAL: none -- the package does not work at all currently.

/usr/sbin/nvram-wakeup -A -C /etc/nvram-wakeup.conf --settime
 1241154840
*** buffer overflow detected ***: /usr/sbin/nvram-wakeup terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f24da8]
/lib/tls/i686/cmov/libc.so.6[0xb7f22eb0]
/lib/tls/i686/cmov/libc.so.6[0xb7f225a8]
/lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0xc8)[0xb7e94bb8]
/lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0x6f3)[0xb7e66f23]
/lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xa4)[0xb7f22654]
/lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb7f2259d]
/usr/sbin/nvram-wakeup[0x80522b9]
/usr/sbin/nvram-wakeup[0x80499ab]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7e3d775]
/usr/sbin/nvram-wakeup[0x8048d71]
======= Memory map: ========
08048000-0805f000 r-xp 00000000 08:02 783832 /usr/sbin/nvram-wakeup
0805f000-08060000 r--p 00016000 08:02 783832 /usr/sbin/nvram-wakeup
08060000-08061000 rw-p 00017000 08:02 783832 /usr/sbin/nvram-wakeup
08966000-08987000 rw-p 08966000 00:00 0 [heap]
b7e17000-b7e24000 r-xp 00000000 08:02 589901 /lib/libgcc_s.so.1
b7e24000-b7e25000 r--p 0000c000 08:02 589901 /lib/libgcc_s.so.1
b7e25000-b7e26000 rw-p 0000d000 08:02 589901 /lib/libgcc_s.so.1
b7e26000-b7e27000 rw-p b7e26000 00:00 0
b7e27000-b7f83000 r-xp 00000000 08:02 598956 /lib/tls/i686/cmov/libc-2.9.so
b7f83000-b7f84000 ---p 0015c000 08:02 598956 /lib/tls/i686/cmov/libc-2.9.so
b7f84000-b7f86000 r--p 0015c000 08:02 598956 /lib/tls/i686/cmov/libc-2.9.so
b7f86000-b7f87000 rw-p 0015e000 08:02 598956 /lib/tls/i686/cmov/libc-2.9.so
b7f87000-b7f8a000 rw-p b7f87000 00:00 0
b7f9d000-b7f9f000 rw-p b7f9d000 00:00 0
b7f9f000-b7fa0000 r-xp b7f9f000 00:00 0 [vdso]
b7fa0000-b7fbc000 r-xp 00000000 08:02 589858 /lib/ld-2.9.so
b7fbc000-b7fbd000 r--p 0001b000 08:02 589858 /lib/ld-2.9.so
b7fbd000-b7fbe000 rw-p 0001c000 08:02 589858 /lib/ld-2.9.so
bfca9000-bfcbe000 rw-p bffeb000 00:00 0 [stack]
Aborted

temporary workaround: compile with -D_FORTIFY_SOURCE=0 -fno-stack-protector

a1bert (a1bert) on 2009-05-01
tags: removed: overflow
raulelmagico (ralph-kulhanek) wrote :

servus albert,

I need some help with your workaround:

"temporary workaround: compile with -D_FORTIFY_SOURCE=0 -fno-stack-protector"

I don´t know how to apply that! I guess I have to add this line somewhere in the Makefile, but I dont know how!
Im new in the Ubuntu universe, so I would be very happy about some assistance of yours.

thx!

hi, add it to CFLAGS variable in Makefile:

CFLAGS = -O2 -Wall -Wstrict-prototypes -g -pedantic
$(DEFS) -D_FORTIFY_SOURCE=0 -fno-stack-protector

jn

On Thursday 14 of May 2009 17:35:35 raulelmagico wrote:
> servus albert,
>
> I need some help with your workaround:
>
> "temporary workaround: compile with -D_FORTIFY_SOURCE=0 -fno-stack-
> protector"
>
> I don´t know how to apply that! I guess I have to add this line somewhere
> in the Makefile, but I dont know how! Im new in the Ubuntu universe, so I
> would be very happy about some assistance of yours.
>
> thx!

Willem Ligtenberg (wligtenberg) wrote :

Since there are already 2 reports and I am the third I am marking this one as confirmed.

Changed in nvram-wakeup (Ubuntu):
status: New → Confirmed
Kees Cook (kees) wrote :

-fno-stack-protector will not change this behavior. The abort reported is from FORTIFY. The better solution would to be to find the sprintf that is failing and fix that bug. :) Some details:
https://wiki.ubuntu.com/CompilerFlags

a1bert (a1bert) wrote :

you are right, but after disabling fortify, you get "stack smashing detected"
error , so it's necessary to disable stack protector too to get working
binary.

and ofcourse it's not a fix, it's just temporary workaround...

*** stack smashing detected ***: ./nvram-wakeup terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb8047da8]
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x0)[0xb8047d60]
./nvram-wakeup[0x8052d0e]
./nvram-wakeup[0x8049927]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7f60775]
./nvram-wakeup[0x8048cd1]
======= Memory map: ========

Kees Cook (kees) wrote :

Here's the patch to fix the overflow. I've attached it to the upstream bug report too:
https://sourceforge.net/tracker/?func=detail&aid=2782757&group_id=35022&atid=412755

Changed in nvram-wakeup (Ubuntu Jaunty):
status: New → Triaged
Changed in nvram-wakeup (Ubuntu Intrepid):
status: New → Triaged
Changed in nvram-wakeup (Ubuntu Karmic):
assignee: nobody → Kees Cook (kees)
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvram-wakeup - 0.99b-1ubuntu1

---------------
nvram-wakeup (0.99b-1ubuntu1) karmic; urgency=low

  * tools.c: fix buffer overflow in xxd (LP: #370261, debian bug 529074).

 -- Kees Cook <email address hidden> Sun, 17 May 2009 08:47:35 -0700

Changed in nvram-wakeup (Ubuntu Karmic):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2009-05-17
Changed in nvram-wakeup (Ubuntu Jaunty):
status: Triaged → In Progress
Changed in nvram-wakeup (Ubuntu Intrepid):
status: Triaged → In Progress
description: updated
Changed in nvram-wakeup (Ubuntu Intrepid):
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

(While intrepid's version technically works, if it were recompiled for another SRU, it would fail. For now, in the interests of minimal changes and no regressions, intrepid can be skipped.)

Changed in nvram-wakeup (Ubuntu Jaunty):
assignee: nobody → Kees Cook (kees)
description: updated
Changed in nvram-wakeup (Ubuntu Intrepid):
status: In Progress → Invalid
description: updated
Kees Cook (kees) wrote :

A fixed package for Jaunty has been uploaded to -proposed. Once it is accepted, it will need to be tested before it is published to the -updates pocket. Thanks again for the bug report!

Changed in nvram-wakeup (Debian):
status: Unknown → Fix Released
Martin Pitt (pitti) wrote :

Accepted nvram-wakeup into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in nvram-wakeup (Ubuntu Jaunty):
status: In Progress → Fix Committed
tags: added: verification-needed
John Veness (pelago) wrote :

I had the same buffer overflow problem in Jaunty but the package in jaunty-proposed has fixed it for me. Many thanks.

Martin Pitt (pitti) on 2009-08-02
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nvram-wakeup - 0.97-14lenny1ubuntu0.1

---------------
nvram-wakeup (0.97-14lenny1ubuntu0.1) jaunty-proposed; urgency=low

  * debian/patches/20_fix-xxd-overflow.dpatch: fix buffer overflow in xxd
    (LP: #370261, debian bug 529074).

 -- Kees Cook <email address hidden> Sun, 17 May 2009 09:15:31 -0700

Changed in nvram-wakeup (Ubuntu Jaunty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.