tftp assert failure: *** buffer overflow detected ***: tftp terminated

Bug #672325 reported by Carl Karsten
This bug affects 2 people
Affects: netkit-tftp (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

apt-get install tftp

juser@dhcp232:~$ tftp
tftp> get shaz:pxelinux.cfg/default

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: tftp 0.17-18ubuntu1
ProcVersionSignature: Ubuntu 2.6.37-2.10-generic 2.6.37-rc1
Uname: Linux 2.6.37-2-generic x86_64
Architecture: amd64
AssertionMessage: *** buffer overflow detected ***: tftp terminated
Date: Sun Nov 7 16:23:19 2010
ExecutablePath: /usr/bin/tftp
ProcCmdline: tftp shaz
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US
Signal: 6
SourcePackage: netkit-tftp
StacktraceTop:
 raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
 abort () at abort.c:92
 __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
 __fortify_fail (msg=0x7f06767e1210 "buffer overflow detected") at fortify_fail.c:32
 __chk_fail () at chk_fail.c:29
Title: tftp assert failure: *** buffer overflow detected ***: tftp terminated
UserGroups: adm admin audio cdrom dialout lpadmin plugdev video

Carl Karsten (carlfk) wrote :

Carl Karsten (carlfk)
visibility: private → public

Kees Cook (kees) wrote :

LANG=C readelf -sW tftp | grep _chk
     3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __longjmp_chk@GLIBC_2.11 (3)
     5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __fprintf_chk@GLIBC_2.3.4 (4)
    10: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __printf_chk@GLIBC_2.3.4 (4)
    15: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __memcpy_chk@GLIBC_2.3.4 (4)
    27: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __strcpy_chk@GLIBC_2.3.4 (4)
    32: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4 (6)

Buffer overflow likely came from memcpy or strcpy:

$ grep memcpy *
main.c: memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen);
main.c: memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen);
main.c: memcpy(&s_inn, ai->ai_addr, ai->ai_addrlen);
tftp.c: memcpy(&from, &s_inn, sizeof(from));
tftp.c: memcpy(&from, &s_inn, sizeof(from));

$ grep strcpy *
main.c: strcpy(mode, "netascii");
main.c: strcpy(line, "Connect ");
main.c: strcpy(mode, newmode);
main.c: strcpy(line, "send ");
main.c: strcpy(ccp, tail(argv[n]));
main.c: strcpy(line, "get ");
main.c: strcpy(line, "Rexmt-timeout ");
main.c: strcpy(line, "Maximum-timeout ");
tftp.c: strcpy(cp, name);
tftp.c: strcpy(cp, mode);
tftp.c: strcpy(tp->th_msg, pe->e_msg);

Kees Cook (kees) wrote :

   0x4013bc <makerequest+44>: callq 0x401118 <__strcpy_chk@plt>
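The two comments above narrow the crash to __strcpy_chk called from makerequest, i.e. tftp.c's `strcpy(cp, name)` copying the requested filename into the request packet with no length check, which FORTIFY_SOURCE aborts on. As an added example (not netkit-tftp's code), here is the same RFC 1350 request layout built with an explicit bound check instead; `make_request_bounded`, the `demo_*` helpers and the 516-byte `TFTP_MAX_PKT` (the common 4-byte header plus 512-byte block size) are my assumptions.

```c
#include <stddef.h>
#include <string.h>

#define TFTP_RRQ     1       /* read request opcode (RFC 1350) */
#define TFTP_WRQ     2       /* write request opcode */
#define TFTP_MAX_PKT 516     /* assumed packet buffer: 4-byte header + 512 */

/*
 * Bounded request builder (added example, not netkit-tftp's makerequest()).
 * Packet layout: opcode (2 bytes, network order), filename, NUL, mode, NUL.
 * The page's makerequest() strcpy()s the name straight into the packet;
 * here the total length is checked first and an overlong name is refused.
 */
static int make_request_bounded(int request, const char *name,
                                const char *mode, unsigned char *buf,
                                size_t buflen)
{
    size_t nlen = strlen(name);
    size_t mlen = strlen(mode);
    size_t need = 2 + nlen + 1 + mlen + 1;

    if (request != TFTP_RRQ && request != TFTP_WRQ)
        return -1;
    if (need > buflen || need > TFTP_MAX_PKT)
        return -1;                            /* refuse rather than overflow */

    buf[0] = (unsigned char)(request >> 8);   /* opcode in network byte order */
    buf[1] = (unsigned char)(request & 0xff);
    memcpy(buf + 2, name, nlen + 1);          /* sizes verified above */
    memcpy(buf + 2 + nlen + 1, mode, mlen + 1);
    return (int)need;
}

/* Constructed input: the filename from the bug report, full-size buffer.
 * Returns the packet length, or -2 if the mode string landed in the wrong
 * place (it must follow the filename's terminating NUL at offset 23). */
static int demo_request_len(void)
{
    unsigned char pkt[TFTP_MAX_PKT];
    int n = make_request_bounded(TFTP_RRQ, "pxelinux.cfg/default", "netascii",
                                 pkt, sizeof pkt);
    if (n > 0 && memcmp(pkt + 2 + 21, "netascii", 9) != 0)
        return -2;
    return n;
}

/* Constructed input: a 599-byte name that no 516-byte request can hold. */
static int demo_overlong_refused(void)
{
    unsigned char pkt[TFTP_MAX_PKT];
    char longname[600];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return make_request_bounded(TFTP_RRQ, longname, "octet", pkt, sizeof pkt);
}
```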

Carl Karsten (carlfk) wrote :

(gdb) run
Starting program: /usr/bin/tftp
tftp> shaz:pxelinux.cfg/default
?Invalid command
tftp> get shaz:pxelinux.cfg/default
*** buffer overflow detected ***: /usr/bin/tftp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7ffff7b58527]
/lib/libc.so.6(+0xfe3e0)[0x7ffff7b573e0]
/usr/bin/tftp[0x4013c1]
/usr/bin/tftp[0x401fad]
/usr/bin/tftp[0x402d61]
/usr/bin/tftp[0x4027ba]
/usr/bin/tftp[0x4035bf]
/lib/libc.so.6(__libc_start_main+0xfe)[0x7ffff7a77d8e]
/usr/bin/tftp[0x4012a9]
======= Memory map: ========

Apport retracing service (apport) wrote :

StacktraceTop:
 *__GI_raise (sig=<value optimized out>)
 *__GI_abort () at abort.c:92
 __libc_message (do_abort=<value optimized out>,
 *__GI___fortify_fail (
 ?? () from /lib/libc.so.6

Apport retracing service (apport) wrote : Stacktrace.txt
Apport retracing service (apport) wrote : ThreadStacktrace.txt
Changed in netkit-tftp (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
Carl Karsten (carlfk) wrote :

Appears to be fixed.

(veyepar)juser@dhcp42:~$ tftp
tftp> get shaz:pxelinux.cfg/default
Received 12354 bytes in 0.0 seconds

tftp> (veyepar)juser@dhcp42:~$ uname -a
Linux dhcp42 2.6.37-10-generic #24-Ubuntu SMP Thu Dec 16 17:52:40 UTC 2010 i686 GNU/Linux

Carl Karsten (carlfk)
Changed in netkit-tftp (Ubuntu):
status: New → Fix Released