strace stack buffer overflow

Bug #1426635 reported by chpie on 2015-02-28
This bug affects 2 people
Affects: strace (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Tested Version : strace-4.9 (from strace sourceforge), strace-4.8 (apt-get install strace)
Environment : Ubuntu 14.04.1 LTS x86_64
Details:

stack buffer overflow in startup_child() strace.c

The input length check can be bypassed using a long string without a '/' character,
so the strcpy() in the PATH concatenation code starts to overwrite stack data.

-------------- TEST PAYLOAD

abc@ubuntu:~$ ./strace `perl -e 'print "a"x5042'`
Segmentation fault

-------------- Backtrace with debugging symbol

(gdb) r `perl -e 'print "a"x5042'`
Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`

Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
85 getenv.c: No such file or directory.
(gdb) bt
#0 __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
#1 0x00007fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3 <_nl_category_names+51> "LC_MESSAGES", category=5)
    at dcigettext.c:1372
#2 __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc", msgid1=0x7fe3b81081ac "File name too long",
    msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:573
#3 0x00007fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5)
    at dcgettext.c:52
#4 0x00007fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36, buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
#5 0x00007fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
#6 0x000000000041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da "Can't stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
#7 0x000000000041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't stat '%s'") at strace.c:323
#8 0x000000000041371e in startup_child (argv=0x7fff6b28f160) at strace.c:1220
#9 0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
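As an added illustration, constructed here and not strace's own source or its fix commit, here is the bug class the description names: a fixed-size pathname buffer on the stack, and a "dir + '/' + name" join in the PATH-search branch that must bound-check the name before copying. The unchecked join is shown beside a checked one, and the rejected case returns -ENAMETOOLONG (errno 36, the "File name too long" visible in the backtrace). PATHBUF, join_unchecked, join_checked, resolve_in_path, resolve_first and report_input_result are names assumed for this example.

```c
/* Constructed illustration of the bug class in this report (not strace's own
 * source): a fixed-size pathname buffer, and a PATH-search join that must
 * check the remaining room before copying the command name into it. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define PATHBUF 4096  /* stands in for the MAXPATHLEN-sized stack buffer */

/* Unsafe pattern: strcpy() of the name with no check of the remaining room.
 * A name longer than the buffer (and without '/', so it reaches this branch)
 * writes past the end of out. Shown for contrast; not called below. */
void join_unchecked(char *out, const char *dir, size_t n, const char *name) {
    memcpy(out, dir, n);
    if (n && out[n - 1] != '/') out[n++] = '/';
    strcpy(out + n, name);
}

/* Hardened join: refuse before copying when dir + '/' + name + NUL > outsz. */
int join_checked(char *out, size_t outsz, const char *dir, size_t n, const char *name) {
    size_t need = n + (n && dir[n - 1] != '/') + strlen(name) + 1;
    if (need > outsz) return -ENAMETOOLONG;
    memcpy(out, dir, n);
    if (n && out[n - 1] != '/') out[n++] = '/';
    memcpy(out + n, name, strlen(name) + 1);
    return 0;
}

/* Resolve name against a PATH string into out. The stat()/exec loop of the
 * real tool is omitted, so the first non-empty entry wins; empty entries
 * (current directory) are skipped. The length check runs before either
 * branch, so a name without '/' cannot bypass it. */
int resolve_in_path(const char *path, const char *name, char *out, size_t outsz) {
    size_t namelen = strlen(name);
    if (namelen + 1 > outsz) return -ENAMETOOLONG;   /* reject before any copy */
    if (strchr(name, '/')) { memcpy(out, name, namelen + 1); return 0; }
    for (; path && *path; ) {
        const char *colon = strchr(path, ':');
        size_t n = colon ? (size_t)(colon - path) : strlen(path);
        if (n && join_checked(out, outsz, path, n, name) == 0) return 0;
        if (!colon) break;
        path += n + 1;
    }
    return -ENOENT;
}

/* Resolve into a buffer of the fixed size; returns the path or NULL on error. */
const char *resolve_first(const char *path, const char *name) {
    static char pathname[PATHBUF];
    return resolve_in_path(path, name, pathname, sizeof pathname) == 0 ? pathname : NULL;
}

/* The report's input: 5042 bytes of 'a' with no '/'. Returns the error code. */
int report_input_result(void) {
    char name[5043];
    memset(name, 'a', 5042);
    name[5042] = '\0';
    return resolve_first("/usr/bin:/bin", name) ? 0 : -ENAMETOOLONG;
}
```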

chpie (chpie) on 2015-02-28
information type: Private Security → Public Security
chpie (chpie) on 2015-02-28
information type: Public Security → Public
Chris Gabe (cgabe) wrote :

We are experiencing this bug intermittently on the same version of Ubuntu.
Program received signal SIGSEGV, Segmentation fault.
__GI_getenv (name=0x7fffecb38b5b "NGUAGE", name@entry=0x7fffecb38b59 "LANGUAGE") at getenv.c:85
85 getenv.c: No such file or directory.
(gdb) bt
#0 __GI_getenv (name=0x7fffecb38b5b "NGUAGE", name@entry=0x7fffecb38b59 "LANGUAGE") at getenv.c:85
#1 0x00007fffec9ed681 in guess_category_value (categoryname=0x7fffecb226b3 <_nl_category_names+51> "LC_MESSAGES", category=5) at dcigettext.c:1372
#2 __dcigettext (domainname=0x7fffecb38a99 <_libc_intl_domainname> "libc", msgid1=0x32b5a60 "undefined symbol: libmyodbc5_LTX_SQLAllocHandle", msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:573
#3 0x00007fffec9ec5df in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5) at dcgettext.c:52
#4 0x00007fffee01245b in __dlerror () at dlerror.c:94
#5 0x00007fffe89be525 in ?? () from /usr/lib/x86_64-linux-gnu/libltdl.so.7
#6 0x00007fffe89bd860 in lt_dlsym () from /usr/lib/x86_64-linux-gnu/libltdl.so.7
#7 0x00007fffef79d971 in ?? () from /usr/ort/lib/unixODBC/lib/libodbc.so.1
#8 0x00007fffef7cfa65 in SQLConnectW () from /usr/ort/lib/unixODBC/lib/libodbc.so.1

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in strace (Ubuntu):
status: New → Confirmed

Hello, that bug is fixed by the author of strace.
Please check commit v4.9-356-g1dbd39e in the main strace repository.

> On 2015. 4. 28., at 11:41 PM, Launchpad Bug Tracker <email address hidden> wrote:
>
> Status changed to 'Confirmed' because the bug affects multiple users.
>
> ** Changed in: strace (Ubuntu)
> Status: New => Confirmed
