[SECURITY] Buffer overflow in libgtop2
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | libgtop |
Fix Released
|
High
|
||
| | libgtop2 (Ubuntu) |
High
|
Martin Pitt | ||
| | Breezy |
Undecided
|
Martin Pitt | ||
| | Dapper |
Undecided
|
Martin Pitt | ||
| | Edgy |
High
|
Martin Pitt | ||
Bug Description
Binary package hint: libgtop2-7
Reproducible in edgy and feisty.
$ export filename=
$ cp /bin/sleep $filename
$ ./$filename 100 &
$ gnome-system-
*** stack smashing detected ***: gnome-system-
Aborted
| Michael Bienia (geser) wrote : | #1 |
| Qishuai Liu (lqs) wrote : | #2 |
Some filesystems don't support more than 255 chars.
Use this way to reproduce:
$ export dir=$(perl -e " print 's/'x1000;")
$ mkdir -p $dir
$ cp /bin/sleep $dir
$ $dir/sleep 100 &
$ gnome-system-
| Changed in libgtop2: | |
| status: | Unconfirmed → Confirmed |
| Michael Bienia (geser) wrote : | #3 |
Thanks, I could reproduce it now.
Here is a part of the backstrace:
(gdb) bt
#0 0x00002ae5d6d34cab in raise () from /lib/libc.so.6
#1 0x00002ae5d6d36660 in abort () from /lib/libc.so.6
#2 0x00002ae5d6d6c67b in ?? () from /lib/libc.so.6
#3 0x00002ae5d6de86ef in __stack_chk_fail () from /lib/libc.so.6
#4 0x00002ae5d29997e6 in glibtop_
from /usr/lib/
| Michael Bienia (geser) wrote : | #4 |
Here is the output for frame 4 with debug symbols:
(gdb) frame 4
#4 0x00002b24888ee7e6 in glibtop_
at procmap.c:229
229 }
(gdb) list
224 buf->number = entry_list->len;
225 buf->size = sizeof (glibtop_
226 buf->total = buf->number * buf->size;
227
228 return (glibtop_
229 }
| Michael Bienia (geser) wrote : | #5 |
Here is an analysis of the problem:
The problematic code is in sysdeps/
155 char line[1024];
[...]
164 char filename [GLIBTOP_
165
166 glibtop_map_entry *entry;
167
168 if (!fgets(line, sizeof line, maps))
169 break;
170
171 /* 8 arguments */
172 rv = sscanf(line, PROC_MAPS_FORMAT,
173 &start, &end, flags, &offset,
174 &dev_major, &dev_minor, &inode, filename);
GLIBTOP_
PROC_MAPS_FORMAT is defined as "%16llx-%16llx %4c %16llx %02hx:%02hx %llu%*[ ]%[^\n]\n"
maps is /proc/<pid>/smaps and the first line looks in this case like
00400000-00404000 r-xp 00000000 08:07 1849138 /home/michael/
After the sscanf 'filename' contains the filename which is much longer than the char array and overflows into the stack.
| Michael Bienia (geser) wrote : | #6 |
The gnome bugzilla has already a patch for it:
http://
| Changed in libgtop2: | |
| importance: | Undecided → Medium |
| Changed in libgtop: | |
| status: | Unknown → Fix Released |
| Martin Pitt (pitti) wrote : | #7 |
Requires urgent fix in Dapper and Breezy. Not exploitable in Edgy and Feisty due to SSP, but I'll fix it in Feisty anyway.
| Changed in libgtop2: | |
| assignee: | nobody → pitti |
| importance: | Medium → High |
| status: | Confirmed → In Progress |
| Changed in libgtop2: | |
| assignee: | nobody → pitti |
| importance: | Undecided → High |
| status: | Unconfirmed → In Progress |
| Martin Pitt (pitti) wrote : | #8 |
libgtop2 (2.14.5-0ubuntu2) feisty; urgency=low
.
* SECURITY UPDATE: Local arbitrary code execution.
* Add debian/
- Fix overflow in glibtop_
entries (user triggerable by creating a process with a large cwd
string).
- Patch taken from upstream CVS.
- Closes: LP#79206
| Changed in libgtop2: | |
| status: | In Progress → Fix Released |
| Martin Pitt (pitti) wrote : | #9 |
Fixed stables in USN-407-1.
| Changed in libgtop2: | |
| status: | In Progress → Fix Released |
| assignee: | nobody → pitti |
| status: | Unconfirmed → Fix Released |
| assignee: | nobody → pitti |
| status: | Unconfirmed → Fix Released |
| Changed in libgtop: | |
| importance: | Unknown → High |
I can't reproduce it on current feisty on AMD64:
$ export filename=$(perl -e " print 's'x1000;")
$ cp /bin/sleep $filename
cp: accessing `ssssssssssssss
The cp only succeeds if filename is at most 255 chars long but then g-s-m doesn't crash.