[Bug 1426635] Re: strace stack buffer overflow

chpie chpie at grayhash.com
Tue Apr 28 14:53:23 UTC 2015


Hello, that bug is fixed by the author of strace.
Please check commit v4.9-356-g1dbd39e in the main strace repository.


> On 2015. 4. 28., 11:41 PM, Launchpad Bug Tracker <1426635@bugs.launchpad.net> wrote:
> 
> Status changed to 'Confirmed' because the bug affects multiple users.
> 
> ** Changed in: strace (Ubuntu)
>       Status: New => Confirmed
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1426635
> 
> Title:
>  strace stack buffer overflow
> 
> Status in strace package in Ubuntu:
>  Confirmed
> 
> Bug description:
> 
>  Tested Version : strace-4.9 (from strace sourceforge), strace-4.8 (apt-get install strace)
>  Environment : Ubuntu 14.04.1 LTS x86_64
>  Details:
> 
>  stack buffer overflow in startup_child() strace.c
> 
>  The input length check could be bypassed using a long string without a '/' character.
>  So the strcpy() function in the PATH concatenation code starts to overwrite stack data.
> 
> 
>  -------------- TEST PAYLOAD
> 
>  abc@ubuntu:~$ ./strace `perl -e 'print "a"x5042'`
>  Segmentation fault
> 
>  -------------- Backtrace with debugging symbol
> 
>  (gdb) r `perl -e 'print "a"x5042'`
>  Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`
> 
>  Program received signal SIGSEGV, Segmentation fault.
>  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
>  85      getenv.c: No such file or directory.
>  (gdb) bt
>  #0  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59 "LANGUAGE") at getenv.c:85
>  #1  0x00007fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3 <_nl_category_names+51> "LC_MESSAGES", category=5)
>      at dcigettext.c:1372
>  #2  __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc", msgid1=0x7fe3b81081ac "File name too long", 
>      msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0, category=category@entry=5) at dcigettext.c:573
>  #3  0x00007fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>, msgid=<optimized out>, category=category@entry=5)
>      at dcgettext.c:52
>  #4  0x00007fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36, buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
>  #5  0x00007fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
>  #6  0x000000000041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da "Can't stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
>  #7  0x000000000041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't stat '%s'") at strace.c:323
>  #8  0x000000000041371e in startup_child (argv=0x7fff6b28f160) at strace.c:1220
>  #9  0x6161616161616161 in ?? ()
>  #10 0x6161616161616161 in ?? ()
>  #11 0x6161616161616161 in ?? ()
>  #12 0x6161616161616161 in ?? ()
>  #13 0x6161616161616161 in ?? ()
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/strace/+bug/1426635/+subscriptions

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to strace in Ubuntu.
https://bugs.launchpad.net/bugs/1426635
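Added example, not code from strace or from the reporter: a small C model of the control-flow shape the report describes (a length check only in the branch taken when the name contains a '/', leaving the PATH-concatenation strcpy() unchecked) next to a bounds-checked join of the kind a fix needs. The function names, the 4096-byte buffer size and the "/usr/bin" directory are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed-size stack buffer the exec path is built in;
 * 4096 matches PATH_MAX on Linux (an assumption for this example). */
#define PATHBUF_LEN 4096

/* Model of the pre-fix control flow the report describes: the length check
 * lives only in the branch taken when the name contains '/', so a long name
 * without one reaches the PATH branch and is strcpy()'d unchecked. This only
 * reasons about lengths and never performs the overflowing copy. */
bool old_logic_would_overflow(const char *dir, const char *name)
{
    if (strchr(name, '/'))
        return false;               /* checked branch: over-long name rejected */
    /* PATH branch: dir + '/' + name + NUL written with no size check */
    return strlen(dir) + 1 + strlen(name) + 1 > PATHBUF_LEN;
}

/* Hardened join: writes dir/name into out and fails with ENAMETOOLONG instead
 * of writing past the end. snprintf() returns the length the untruncated
 * string would have had, so comparing it with outlen detects overflow. */
int join_path_checked(const char *dir, const char *name,
                      char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Runs both functions on the report's input shape (5042 bytes, no '/').
 * Returns 1 when the old model flags an overflow and the checked join
 * refuses the name with ENAMETOOLONG. */
int check_report_payload_shape(void)
{
    static char name[5043];         /* constructed input, report's length */
    char out[PATHBUF_LEN];
    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return old_logic_would_overflow("/usr/bin", name)
        && join_path_checked("/usr/bin", name, out, sizeof out) == -1
        && errno == ENAMETOOLONG;
}
```

check_report_payload_shape() returns 1 for the report's input shape, while a name containing a '/' never reaches the unchecked branch in the old model and any name that fits is built as dir/name by join_path_checked().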