noble/rsync buffer overflow detected

Bug #2060967 reported by Sascha Lucas
This bug affects 2 people

Affects         Status        Importance  Assigned to       Milestone
rsync (Ubuntu)  Fix Released  Critical    Mitchell Dzurick
Focal           Invalid       Undecided   Unassigned
Jammy           Invalid       Undecided   Unassigned
Mantic          Invalid       Undecided   Unassigned

Bug Description

Hi,

running the following test case in a current (today/2024-04-11) Noble install leads to a "buffer overflow detected":

$ rsync -F --delete-after --archive /etc/fstab 127.0.0.1:/tmp/
*** buffer overflow detected ***: terminated
rsync: connection unexpectedly closed (11 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(231) [sender=3.2.7]

Original use case for the above stripped down rsync options is the Ansible module "synchronize".

ProblemType: Bug
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Thu Apr 11 14:38:46 2024
Dependencies:
 gcc-14-base 14-20240330-1ubuntu2
 init-system-helpers 1.66ubuntu1
 libacl1 2.3.2-1
 libc6 2.39-0ubuntu8
 libgcc-s1 14-20240330-1ubuntu2
 libidn2-0 2.3.7-2
 liblz4-1 1.9.4-1
 libpopt0 1.19+dfsg-1
 libunistring5 1.1-2
 libxxhash0 0.8.2-2
 libzstd1 1.5.5+dfsg2-2
 lsb-base 11.6
 sysvinit-utils 3.08-6ubuntu2
 zlib1g 1:1.3.dfsg-3.1ubuntu2
DistroRelease: Ubuntu 24.04
Package: rsync 3.2.7-1build2
PackageArchitecture: amd64
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
ProcVersionSignature: Ubuntu 6.8.0-22.22-generic 6.8.1
SourcePackage: rsync
Tags: noble
Uname: Linux 6.8.0-22-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
_MarkForUpload: True

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in rsync (Ubuntu):
status: New → Confirmed

Mitchell Dzurick (mitchdz) wrote:

I was able to reproduce this in a noble LXD container.

$ lxc launch ubuntu-daily:noble n
$ lxc shell n
# ssh-keygen -t rsa
# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# touch testfile.txt
# rsync -F --delete-after --archive /root/testfile.txt 127.0.0.1:/tmp/
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:1w9TL8K1uwpKXpyd9rFuNQPQNJ5EolG3NGNbdkUl9VE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
*** buffer overflow detected ***: terminated

rsync: connection unexpectedly closed (34 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(231) [sender=3.2.7]

Mitchell Dzurick (mitchdz) wrote:

Quickly testing Focal/Jammy/Mantic in a similar fashion as above I do not see the buffer overflow.

Changed in rsync (Ubuntu):
status: Confirmed → Triaged
Changed in rsync (Ubuntu Focal):
status: New → Invalid
Changed in rsync (Ubuntu Jammy):
status: New → Invalid
Changed in rsync (Ubuntu Mantic):
status: New → Invalid

Mitchell Dzurick (mitchdz) wrote:

This looks like it could already be fixed in Debian with https://salsa.debian.org/debian/rsync/-/commit/d3a0eccf989175b096c10b6c42b02b1ee1306a00

I'll try an Ubuntu build with this patch and report back.

Changed in rsync (Ubuntu):
assignee: nobody → Mitchell Dzurick (mitchdz)
status: Triaged → In Progress

Mitchell Dzurick (mitchdz) wrote:

The Debian patch looks promising in my local testing. I uploaded a test package to run dep8 tests against. If those look green I'll submit my MP and get it in ASAP.

Andreas Hasenack (ahasenack) wrote:

I'm surprised this wasn't caught by the DEP8 tests. Care to also perhaps add a simple smoke test, like (note it's not using ssh or any network):

$ rsync -F --delete-after --archive /etc/os-release /tmp/
*** buffer overflow detected ***: terminated
rsync: connection unexpectedly closed (34 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(231) [sender=3.2.7]

Changed in rsync (Ubuntu):
importance: Undecided → High
importance: High → Critical
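
Added example (not part of the original report or of the package's own DEP8 tests): one way to write the local smoke test suggested in the comment above, failing on either a non-zero exit, the fortify abort message, or a missing destination file. The function name rsync_smoke, its optional binary argument and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: smoke test for the -F/--delete-after regression (LP: #2060967).
# Local copy only: no ssh and no network, as in the reproducer above.

# rsync_smoke [RSYNC_BIN]
# Returns 0 when the copy succeeds, 1 when rsync fails, aborts with the
# fortify message, or leaves no identical file behind.
# RSYNC_BIN (hypothetical parameter) defaults to "rsync".
rsync_smoke() {
    bin=${1:-rsync}
    work=$(mktemp -d) || return 1
    mkdir "$work/dst"
    echo "smoke test payload (constructed)" > "$work/src.txt"

    # Same option set as the reproducer; capture stdout and stderr because
    # the abort message is printed by a child process.
    rc=0
    "$bin" -F --delete-after --archive "$work/src.txt" "$work/dst/" \
        > "$work/log" 2>&1 || rc=$?

    result=0
    if grep -q 'buffer overflow detected' "$work/log"; then
        echo "FAIL: fortify abort (rsync exit $rc)" >&2
        result=1
    elif [ "$rc" -ne 0 ]; then
        echo "FAIL: rsync exited with $rc" >&2
        result=1
    elif ! cmp -s "$work/src.txt" "$work/dst/src.txt"; then
        echo "FAIL: destination file missing or different" >&2
        result=1
    fi
    [ "$result" -eq 0 ] || cat "$work/log" >&2
    rm -rf "$work"
    return "$result"
}

# Run against the installed rsync only when asked to: sh smoke.sh --run
if [ "${1:-}" = "--run" ]; then
    rsync_smoke "${2:-rsync}"
fi
```
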
Mitchell Dzurick (mitchdz) wrote:

Package is in proposed now. Testing in an LXC container shows a fix of this behavior.

$ lxc launch ubuntu-daily:noble n

$ lxc shell n

# dpkg -s rsync | grep Version:
Version: 3.2.7-1build2

# rsync -F --delete-after --archive /etc/os-release /tmp/
*** buffer overflow detected ***: terminated
rsync: connection unexpectedly closed (11 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(231) [sender=3.2.7]

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update -y

# apt install rsync -t noble-proposed
Get:1 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 rsync amd64 3.2.7-1ubuntu1 [435 kB]
Fetched 435 kB in 1s (657 kB/s)
(Reading database ... 34265 files and directories currently installed.)
Preparing to unpack .../rsync_3.2.7-1ubuntu1_amd64.deb ...
Unpacking rsync (3.2.7-1ubuntu1) over (3.2.7-1build2) ...
Setting up rsync (3.2.7-1ubuntu1) ...
rsync.service is a disabled or a static unit not running, not starting it.
Processing triggers for man-db (2.12.0-4build1) ...
Scanning processes...
Scanning candidates...

# dpkg -s rsync | grep Version:
Version: 3.2.7-1ubuntu1

# rsync -F --delete-after --archive /etc/os-release /tmp/

# echo $?
0

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package rsync - 3.2.7-1ubuntu1

---------------
rsync (3.2.7-1ubuntu1) noble; urgency=medium

  * add d/p/fix_crashes_with_fortified_strlcpy.patch (LP: #2060967)
    - Fixes a buffer overflow when using -F flag.

 -- Mitchell Dzurick <email address hidden> Fri, 12 Apr 2024 10:09:41 -0700

Changed in rsync (Ubuntu):
status: In Progress → Fix Released