strace stack buffer overflow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strace (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Tested Version : strace-4.9 (from strace sourceforge), strace-4.8 (apt-get install strace)
Environment : Ubuntu 14.04.1 LTS x86_64
Details:
Stack buffer overflow in startup_child() in strace.c.
The input length check can be bypassed with a long string that contains no '/' character,
so the strcpy() in the PATH concatenation code overwrites stack data.
-------------- TEST PAYLOAD
abc@ubuntu:~$ ./strace `perl -e 'print "a"x5042'`
Segmentation fault
-------------- Backtrace with debugging symbol
(gdb) r `perl -e 'print "a"x5042'`
Starting program: /home/abc/
Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7fe3b81
85 getenv.c: No such file or directory.
(gdb) bt
#0 __GI_getenv (name=0x7fe3b81
#1 0x00007fe3b7fbc681 in guess_category_
at dcigettext.c:1372
#2 __dcigettext (domainname=
msgid2=
#3 0x00007fe3b7fbb5df in __GI___dcgettext (domainname=
at dcgettext.c:52
#4 0x00007fe3b801398e in __GI___strerror_r (errnum=
#5 0x00007fe3b80138cf in strerror (errnum=
#6 0x000000000041230f in verror_msg (err_no=36, fmt=fmt@
#7 0x000000000041315a in perror_msg_and_die (fmt=fmt@
#8 0x000000000041371e in startup_child (argv=0x7fff6b2
#9 0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
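As an added illustration (not strace's own code), this is the shape of a PATH lookup that applies the size check to every candidate before anything is copied into the fixed buffer, including names with no '/'; `demo_exists` and the 5042-byte name are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Resolve `file` against a colon-separated PATH list, writing "<dir>/<file>"
 * for the first directory where exists(candidate) is nonzero.
 * Returns 0 on success, 1 if nothing matched, -1 if a candidate would not
 * fit in `out`. The size check runs for every candidate, whether or not
 * `file` contains a '/', so an overlong name is refused instead of being
 * copied with strcpy() into a fixed-size stack buffer. */
int resolve_in_path(const char *path_env, const char *file,
                    int (*exists)(const char *), char *out, size_t outsz)
{
    int n;
    if (strchr(file, '/') != NULL) {          /* explicit path: no search */
        n = snprintf(out, outsz, "%s", file);
        if (n < 0 || (size_t)n >= outsz) return -1;
        return exists(out) ? 0 : 1;
    }
    const char *p = path_env, *sep;
    do {
        sep = strchr(p, ':');
        size_t dlen = sep ? (size_t)(sep - p) : strlen(p);
        /* An empty PATH element means the current directory. */
        n = dlen ? snprintf(out, outsz, "%.*s/%s", (int)dlen, p, file)
                 : snprintf(out, outsz, "./%s", file);
        if (n < 0 || (size_t)n >= outsz) return -1;   /* would overflow */
        if (exists(out)) return 0;
        p = sep ? sep + 1 : p;
    } while (sep != NULL);
    return 1;
}

/* Constructed stand-in for access(path, X_OK): only one path "exists". */
int demo_exists(const char *candidate)
{
    return strcmp(candidate, "/usr/local/bin/strace") == 0;
}

/* Reproduce the report's input shape: 5042 'a's with no '/' (constructed). */
int demo_overlong(void)
{
    static char name[5043];
    char out[4096];                  /* fixed on-stack buffer, as in the report */
    memset(name, 'a', 5042);
    name[5042] = '\0';
    return resolve_in_path("/usr/local/bin:/usr/bin", name, demo_exists,
                           out, sizeof out);
}
```

`demo_overlong()` returns -1: the oversized candidate is refused rather than written past the 4096-byte buffer.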
information type: Private Security → Public Security
information type: Public Security → Public
We are experiencing this bug intermittently on the same version of Ubuntu.
Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7fffecb38b5b "NGUAGE", name@entry=0x7fffecb38b59 "LANGUAGE") at getenv.c:85
85 getenv.c: No such file or directory.
(gdb) bt
#0 __GI_getenv (name=0x7fffecb38b5b "NGUAGE", name@entry=0x7fffecb38b59 "LANGUAGE") at getenv.c:85
#1 0x00007fffec9ed681 in guess_category_value (categoryname=0x7fffecb226b3 <_nl_category_names+51> "LC_MESSAGES", category=5) at dcigettext.c:1372
#2 __dcigettext (domainname=0x7fffecb38a99 <_libc_intl_domainname> "libc", msgid1=0x32b5a60 "undefined symbol: libmyodbc5_LTX_SQLAllocHandle", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:573
#3 0x00007fffec9ec5df in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:52
#4 0x00007fffee01245b in __dlerror () at dlerror.c:94
#5 0x00007fffe89be525 in ?? () from /usr/lib/x86_64-linux-gnu/libltdl.so.7
#6 0x00007fffe89bd860 in lt_dlsym () from /usr/lib/x86_64-linux-gnu/libltdl.so.7
#7 0x00007fffef79d971 in ?? () from /usr/ort/lib/unixODBC/lib/libodbc.so.1
#8 0x00007fffef7cfa65 in SQLConnectW () from /usr/ort/lib/unixODBC/lib/libodbc.so.1