Ubuntu
strace package

Memory corruption in strace

Bug #367625 reported by Paweł Smoliński
256
Affects Status Importance Assigned to Milestone
strace (Ubuntu)
Expired
Undecided
Unassigned
Nominated for Jaunty by kpox

Bug Description

Binary package hint: strace

System: Kubuntu 9.04 (amd64, updated from 8.10) with backports and proposed repositories enabled.

When I'm trying to strace firefox, strace crash due to memory corruption:
pawel@galileo:~$ strace firefox 2&>1 > firefox.strace
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x000000000133e610 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f3310329cb8]
/lib/libc.so.6[0x7f331032d351]
/lib/libc.so.6(__libc_malloc+0x98)[0x7f331032e828]
strace[0x4087d8]
strace[0x405c0e]
strace[0x404916]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f33102d05a6]
strace[0x402119]
======= Memory map: ========
00400000-00447000 r-xp 00000000 08:02 254867 /usr/bin/strace
00646000-00647000 r--p 00046000 08:02 254867 /usr/bin/strace
00647000-00648000 rw-p 00047000 08:02 254867 /usr/bin/strace
00648000-00656000 rw-p 00648000 00:00 0
0133e000-0135f000 rw-p 0133e000 00:00 0 [heap]
7f330c000000-7f330c021000 rw-p 7f330c000000 00:00 0
7f330c021000-7f3310000000 ---p 7f330c021000 00:00 0
7f331009a000-7f33100b0000 r-xp 00000000 08:02 879483 /lib/libgcc_s.so.1
7f33100b0000-7f33102b0000 ---p 00016000 08:02 879483 /lib/libgcc_s.so.1
7f33102b0000-7f33102b1000 r--p 00016000 08:02 879483 /lib/libgcc_s.so.1
7f33102b1000-7f33102b2000 rw-p 00017000 08:02 879483 /lib/libgcc_s.so.1
7f33102b2000-7f331041a000 r-xp 00000000 08:02 879462 /lib/libc-2.9.so
7f331041a000-7f331061a000 ---p 00168000 08:02 879462 /lib/libc-2.9.so
7f331061a000-7f331061e000 r--p 00168000 08:02 879462 /lib/libc-2.9.so
7f331061e000-7f331061f000 rw-p 0016c000 08:02 879462 /lib/libc-2.9.so
7f331061f000-7f3310624000 rw-p 7f331061f000 00:00 0
7f3310624000-7f3310644000 r-xp 00000000 08:02 879459 /lib/ld-2.9.so
7f331081c000-7f331081e000 rw-p 7f331081c000 00:00 0
7f3310840000-7f3310843000 rw-p 7f3310840000 00:00 0
7f3310843000-7f3310844000 r--p 0001f000 08:02 879459 /lib/ld-2.9.so
7f3310844000-7f3310845000 rw-p 00020000 08:02 879459 /lib/ld-2.9.so
7fff1882f000-7fff18844000 rw-p 7ffffffea000 00:00 0 [stack]
7fff189fe000-7fff189ff000 r-xp 7fff189fe000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

More information about system:

pawel@galileo:~$ dpkg -l | grep strace
ii strace 4.5.17+cvs080723-2ubuntu1 A system call tracer

pawel@galileo:~$ /lib/libc.so.6
GNU C Library stable release version 2.9, by Roland McGrath et al.
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.3.3.
Compiled on a Linux >>2.6.24-16-server<< system on 2009-04-09.
Available extensions:
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.

pawel@galileo:~$ cat /proc/version
Linux version 2.6.28-11-generic (buildd@crested) (gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4) ) #42-Ubuntu SMP Fri Apr 17 01:58:03 UTC 2009

Tags: security
Revision history for this message
Paweł Smoliński (pawel-smolinski-linux) wrote :

Got the same when stracing Skype (32-bit app on 64bit system):
pawel@galileo:~/bin/skype$ strace ./skype --enable-dbus --use-system-dbus 2> /home/pawel/down/tmp/skype.log
[ Process PID=7200 runs in 32 bit mode. ]
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x00000000017467d0 ***
======= Backtrace: =========
/lib/libc.so.6[0x7f2f0862ecb8]
/lib/libc.so.6[0x7f2f08632351]
/lib/libc.so.6(__libc_malloc+0x98)[0x7f2f08633828]
strace[0x4087d8]
strace[0x405c0e]
strace[0x404916]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f2f085d55a6]
strace[0x402119]
======= Memory map: ========
00400000-00447000 r-xp 00000000 08:02 254867 /usr/bin/strace
00646000-00647000 r--p 00046000 08:02 254867 /usr/bin/strace
00647000-00648000 rw-p 00047000 08:02 254867 /usr/bin/strace
00648000-00656000 rw-p 00648000 00:00 0
01746000-01767000 rw-p 01746000 00:00 0 [heap]
7f2f04000000-7f2f04021000 rw-p 7f2f04000000 00:00 0
7f2f04021000-7f2f08000000 ---p 7f2f04021000 00:00 0
7f2f0839f000-7f2f083b5000 r-xp 00000000 08:02 879483 /lib/libgcc_s.so.1
7f2f083b5000-7f2f085b5000 ---p 00016000 08:02 879483 /lib/libgcc_s.so.1
7f2f085b5000-7f2f085b6000 r--p 00016000 08:02 879483 /lib/libgcc_s.so.1
7f2f085b6000-7f2f085b7000 rw-p 00017000 08:02 879483 /lib/libgcc_s.so.1
7f2f085b7000-7f2f0871f000 r-xp 00000000 08:02 879462 /lib/libc-2.9.so
7f2f0871f000-7f2f0891f000 ---p 00168000 08:02 879462 /lib/libc-2.9.so
7f2f0891f000-7f2f08923000 r--p 00168000 08:02 879462 /lib/libc-2.9.so
7f2f08923000-7f2f08924000 rw-p 0016c000 08:02 879462 /lib/libc-2.9.so
7f2f08924000-7f2f08929000 rw-p 7f2f08924000 00:00 0
7f2f08929000-7f2f08949000 r-xp 00000000 08:02 879459 /lib/ld-2.9.so
7f2f08b20000-7f2f08b22000 rw-p 7f2f08b20000 00:00 0
7f2f08b44000-7f2f08b48000 rw-p 7f2f08b44000 00:00 0
7f2f08b48000-7f2f08b49000 r--p 0001f000 08:02 879459 /lib/ld-2.9.so
7f2f08b49000-7f2f08b4a000 rw-p 00020000 08:02 879459 /lib/ld-2.9.so
7fff10b34000-7fff10b49000 rw-p 7ffffffea000 00:00 0 [stack]
7fff10bfe000-7fff10bff000 r-xp 7fff10bfe000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

Revision history for this message
Jesse Burt (avsa242) wrote :

I get this as well running warzone2100 under strace (64bit user/64bit kernel)

Revision history for this message
Tomas Pospisek (tpo-deb) wrote :
Download full text (4.5 KiB)

Mind you, this is also possibly security relevant, since memory corruption means (AFAIK) that strace is writing into memory where it has no business writing to. If the straced program is able to make strace write data of its own will there, then it can possibly manipulate strace.

The bug is certainly reproducible with the programm that is currently running. I don't know wheter I can reploduce it at will later.

The programm being traced is a Java application with plenty of threads (other than the first PID these are threads).

Also of note is, that this is also a 64bit AMD machine, same as the other reporters noted.

$ strace -p 6896 -p 6960 -p 6961 -p 6962 -p 6963 -p 6964 -p 6965 -p 6966 -p 6967 -p 6968 -p 6969 -p 6970 -p 6974 -p 14369 -p 14370 2>/tmp/kaksme
*** glibc detected *** strace: malloc(): memory corruption (fast): 0x0000000000c20630 ***
======= Backtrace: =========
/lib/libc.so.6[0x7fba31239cb8]
/lib/libc.so.6[0x7fba3123d351]
/lib/libc.so.6(__libc_malloc+0x98)[0x7fba3123e828]
strace[0x4087d8]
strace[0x405c0e]
strace[0x404916]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fba311e05a6]
strace[0x402119]
======= Memory map: ========
00400000-00447000 r-xp 00000000 08:05 587743 /usr/bin/strace
00646000-00647000 r--p 00046000 08:05 587743 /usr/bin/strace
00647000-00648000 rw-p 00047000 08:05 587743 /usr/bin/strace
00648000-00656000 rw-p 00648000 00:00 0
00c1d000-00c3e000 rw-p 00c1d000 00:00 0 [heap]
7fba2c000000-7fba2c021000 rw-p 7fba2c000000 00:00 0
7fba2c021000-7fba30000000 ---p 7fba2c021000 00:00 0
7fba30faa000-7fba30fc0000 r-xp 000...

Read more...

Revision history for this message
Tomas Pospisek (tpo-deb) wrote :

Anybody knows how to add a "security" tag to this?

Revision history for this message
Paweł Smoliński (pawel-smolinski-linux) wrote :

Added security tag and marked bug as "Security vulnerability"

tags: added: security
security vulnerability: no → yes
Revision history for this message
Kees Cook (kees) wrote :

Would it be possible to try this on Ubuntu Karmic (Alpha 5 or newer), since these corruptions will be caught by apport and a more detailed report can be attached? Thanks!

Changed in strace (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for strace (Ubuntu) because there has been no activity for 60 days.]

Changed in strace (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.