[Bug 1926379] Re: stack smashing attack detected in bash host tab completion

Michael Hudson-Doyle 1926379 at bugs.launchpad.net
Mon Nov 29 23:36:11 UTC 2021


So I don't know exactly what was going on with sarnold's machine but I
now finally understand why the 0ubuntu9.3 update caused problems:

The tls accounting patch added a glibc tunable
(https://www.gnu.org/software/libc/manual/html_node/Tunables.html). A
tunable is defined internally as a name and a type (and some other data)
but during the build it also gets assigned an ID and unfortunately the
tunable added by the tls accounting patch ends up changing the ID of the
glibc.pthread.mutex_spin_count tunable. The problems occur when you have
a new dynamic linker / ld.so but an old libpthread.so: libpthread.so's
_init function calls get_tunable with the ID for
glibc.pthread.mutex_spin_count, but get_tunable is implemented in ld.so,
where this ID corresponds to the new glibc.rtld.nns tunable. The type
for glibc.pthread.mutex_spin_count is int32 and the type for
glibc.rtld.nns is size_t, so when get_tunable writes the value into the
pointer it is passed, it does indeed smash the stack. Even if this
doesn't happen, libpthread might well misbehave in all sorts of ways if
it gets back values appropriate for glibc.rtld.nns when it's expecting
values for glibc.pthread.mutex_spin_count.

So this explains the behaviour seen in bug 1926355, completely. What I
don't understand wrt this bug is that "new ld.so / old libpthread.so"
should be a very temporary situation during an upgrade. I guess a
process that has the old ld.so loaded might dlopen the new libpthread.so
and experience a similar issue, although dlopening libpthread isn't
really a thing that works aiui. But it could be a similar problem with
some other library.

Unfortunately, this means that upgrades from 0ubuntu9.3 to 0ubuntu9.4
are vulnerable to the same issue.

https://bugs.launchpad.net/bugs/1926379
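To make the failure mode in the comment above concrete, here is an added C model of a tunables table and its getter. It is not glibc's code: the table contents, the position of glibc.rtld.nns, the values, and the function names are constructed for illustration, and the unchecked getter assumes a little-endian host. It shows (a) why an ID baked into one component becomes wrong once another component inserts a new entry, (b) how many bytes an int32 caller is overrun by when the entry at that ID is a size_t (computed, not performed), and (c) a getter that matches by name and type and refuses the write when they disagree, which is the check that would have turned the stack smash into a clean error.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a tunables table: each entry has a name, a type
 * and a value; its index in the table is the build-time ID. */
typedef enum { TUNABLE_INT32 = 0, TUNABLE_SIZE_T = 1 } tunable_type_t;

typedef struct {
    const char *name;
    tunable_type_t type;
    uint64_t value;          /* wide enough to hold either type */
} tunable_t;

/* Constructed table in the layout the OLD libpthread was built against:
 * ID 0 is glibc.pthread.mutex_spin_count. */
static const tunable_t old_table[] = {
    { "glibc.pthread.mutex_spin_count", TUNABLE_INT32,  100 },
    { "glibc.malloc.mmap_threshold",    TUNABLE_SIZE_T, 131072 },
};

/* Constructed table in the layout of the NEW ld.so: inserting
 * glibc.rtld.nns ahead of it shifts every later ID by one. */
static const tunable_t new_table[] = {
    { "glibc.rtld.nns",                 TUNABLE_SIZE_T, 4 },
    { "glibc.pthread.mutex_spin_count", TUNABLE_INT32,  100 },
    { "glibc.malloc.mmap_threshold",    TUNABLE_SIZE_T, 131072 },
};

/* The ID the old libpthread baked in at compile time (assumed value). */
#define OLD_ID_MUTEX_SPIN_COUNT 0

static size_t tunable_width(tunable_type_t t)
{
    return t == TUNABLE_INT32 ? sizeof(int32_t) : sizeof(size_t);
}

/* Models the unchecked get_tunable: trusts the ID and writes as many
 * bytes as the entry's OWN type needs, whatever the caller passed.
 * Returns the number of bytes written.  Little-endian host assumed. */
static size_t get_tunable_unchecked(const tunable_t *table, size_t id, void *out)
{
    size_t n = tunable_width(table[id].type);
    memcpy(out, &table[id].value, n);
    return n;
}

/* Bytes the unchecked call would write past a buffer of caller_type
 * (0 means both sides agree).  Computes the overrun, never performs it. */
static size_t overrun_bytes(const tunable_t *table, size_t id, tunable_type_t caller_type)
{
    size_t written  = tunable_width(table[id].type);
    size_t expected = tunable_width(caller_type);
    return written > expected ? written - expected : 0;
}

/* Hardened getter: identify the tunable by name AND type rather than a
 * bare ID, and refuse to write unless the caller's buffer matches.
 * Returns 0 on success, -1 on unknown name or type/size mismatch. */
static int get_tunable_checked(const tunable_t *table, size_t count,
                               const char *name, tunable_type_t type,
                               void *out, size_t out_size)
{
    for (size_t i = 0; i < count; i++) {
        if (strcmp(table[i].name, name) != 0)
            continue;
        if (table[i].type != type || tunable_width(type) != out_size)
            return -1;            /* type drifted between components */
        memcpy(out, &table[i].value, out_size);
        return 0;
    }
    return -1;                    /* no such tunable */
}

int main(void)
{
    int32_t spin = 0;

    /* Both sides from the same build: the baked-in ID is still right. */
    get_tunable_unchecked(old_table, OLD_ID_MUTEX_SPIN_COUNT, &spin);
    printf("old libpthread / old ld.so: spin=%d\n", spin);

    /* Mixed build: ID 0 in the new table is a size_t, so an int32 caller
     * would be overrun by sizeof(size_t) - sizeof(int32_t) bytes. */
    printf("old libpthread / new ld.so: overrun by %zu bytes\n",
           overrun_bytes(new_table, OLD_ID_MUTEX_SPIN_COUNT, TUNABLE_INT32));

    /* Name+type lookup is immune to the ID shift. */
    int rc = get_tunable_checked(new_table, 3, "glibc.pthread.mutex_spin_count",
                                 TUNABLE_INT32, &spin, sizeof spin);
    printf("checked lookup: rc=%d spin=%d\n", rc, spin);
    return 0;
}
```

The unchecked getter is only ever called here with a matching table, so the program itself never overruns; the overrun is reported as a byte count. The checked variant also rejects the reverse mismatch (a size_t caller asking for an int32 entry), which would not smash the stack but would silently hand back a partly uninitialised value.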

Title:
  stack smashing attack detected in bash host tab completion

Status in glibc package in Ubuntu:
  Confirmed

Bug description:
  Hello, this is a speculative bug report at best.

  In some long-lived bash terminals, tab completion of hostnames on ping
  or ssh commands is printing the glibc stack smashing attempt error
  message:

  $ ping goog*** stack smashing detected ***: terminated
  ^C
  $ ssh local*** stack smashing detected ***: terminated
  host ^C

  I installed the glibc update 2.31-0ubuntu9.3
  https://lists.ubuntu.com/archives/focal-changes/2021-April/024256.html
  earlier today. Shells started *after* this update work fine. Shells
  started before this update show this behaviour.

  $ cat /proc/$$/maps
  55f1986be000-55f1986eb000 r--p 00000000 00:1c 337406                     /usr/bin/bash
  55f1986eb000-55f19879c000 r-xp 0002d000 00:1c 337406                     /usr/bin/bash
  55f19879c000-55f1987d3000 r--p 000de000 00:1c 337406                     /usr/bin/bash
  55f1987d3000-55f1987d7000 r--p 00114000 00:1c 337406                     /usr/bin/bash
  55f1987d7000-55f1987e0000 rw-p 00118000 00:1c 337406                     /usr/bin/bash
  55f1987e0000-55f1987ea000 rw-p 00000000 00:00 0 
  55f19a673000-55f19b057000 rw-p 00000000 00:00 0                          [heap]
  7f29171e9000-7f29171ec000 r--p 00000000 00:1c 811498                     /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
  7f29171ec000-7f29171f3000 r-xp 00003000 00:1c 811498                     /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
  7f29171f3000-7f29171f5000 r--p 0000a000 00:1c 811498                     /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
  7f29171f5000-7f29171f6000 r--p 0000b000 00:1c 811498                     /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
  7f29171f6000-7f29171f7000 rw-p 0000c000 00:1c 811498                     /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so (deleted)
  7f29171f7000-7f29171fd000 rw-p 00000000 00:00 0 
  7f2917210000-7f2917553000 r--p 00000000 00:1c 813840                     /usr/lib/locale/locale-archive (deleted)
  7f2917553000-7f2917556000 rw-p 00000000 00:00 0 
  7f2917556000-7f291757b000 r--p 00000000 00:1c 811482                     /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
  7f291757b000-7f29176f3000 r-xp 00025000 00:1c 811482                     /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
  7f29176f3000-7f291773d000 r--p 0019d000 00:1c 811482                     /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
  7f291773d000-7f291773e000 ---p 001e7000 00:1c 811482                     /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
  7f291773e000-7f2917741000 r--p 001e7000 00:1c 811482                     /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
  7f2917741000-7f2917744000 rw-p 001ea000 00:1c 811482                     /usr/lib/x86_64-linux-gnu/libc-2.31.so (deleted)
  7f2917744000-7f2917748000 rw-p 00000000 00:00 0 
  7f2917748000-7f2917749000 r--p 00000000 00:1c 811484                     /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
  7f2917749000-7f291774b000 r-xp 00001000 00:1c 811484                     /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
  7f291774b000-7f291774c000 r--p 00003000 00:1c 811484                     /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
  7f291774c000-7f291774d000 r--p 00003000 00:1c 811484                     /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
  7f291774d000-7f291774e000 rw-p 00004000 00:1c 811484                     /usr/lib/x86_64-linux-gnu/libdl-2.31.so (deleted)
  7f291774e000-7f291775c000 r--p 00000000 00:1c 659440                     /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
  7f291775c000-7f291776b000 r-xp 0000e000 00:1c 659440                     /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
  7f291776b000-7f2917779000 r--p 0001d000 00:1c 659440                     /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
  7f2917779000-7f291777d000 r--p 0002a000 00:1c 659440                     /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
  7f291777d000-7f291777e000 rw-p 0002e000 00:1c 659440                     /usr/lib/x86_64-linux-gnu/libtinfo.so.6.2
  7f291777e000-7f2917780000 rw-p 00000000 00:00 0 
  7f291778c000-7f2917793000 r--s 00000000 00:1c 813296                     /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache (deleted)
  7f2917793000-7f2917794000 r--p 00000000 00:1c 811474                     /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
  7f2917794000-7f29177b7000 r-xp 00001000 00:1c 811474                     /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
  7f29177b7000-7f29177bf000 r--p 00024000 00:1c 811474                     /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
  7f29177c0000-7f29177c1000 r--p 0002c000 00:1c 811474                     /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
  7f29177c1000-7f29177c2000 rw-p 0002d000 00:1c 811474                     /usr/lib/x86_64-linux-gnu/ld-2.31.so (deleted)
  7f29177c2000-7f29177c3000 rw-p 00000000 00:00 0 
  7ffd864bb000-7ffd864dc000 rw-p 00000000 00:00 0                          [stack]
  7ffd865b4000-7ffd865b7000 r--p 00000000 00:00 0                          [vvar]
  7ffd865b7000-7ffd865b8000 r-xp 00000000 00:00 0                          [vdso]
  ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
  $ 

  
  Thanks

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libc6 2.31-0ubuntu9.3
  ProcVersionSignature: Ubuntu 5.4.0-71.79-generic 5.4.101
  Uname: Linux 5.4.0-71-generic x86_64
  NonfreeKernelModules: lkp_Ubuntu_5_4_0_71_79_generic_76 zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu27.16
  Architecture: amd64
  CasperMD5CheckResult: skip
  Date: Tue Apr 27 23:30:08 2021
  ProcEnviron:
   TERM=rxvt-unicode-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: glibc
  UpgradeStatus: Upgraded to focal on 2020-01-24 (459 days ago)
