lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 17 Oct 2011 15:35:35 +0800
From:	Bin Li <libin.charles@...il.com>
To:	netdev@...r.kernel.org
Subject: [PATCH] iproute2: Conforming to -D_FORTIFY_SOURCE=2 restrictions

Hi,

The issue is from below link.

https://bugzilla.novell.com/show_bug.cgi?id=719537

The issue is debug at below.

(gdb) bt
#0  0x00007ffff7697945 in raise (sig=<optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff7698f21 in abort () at abort.c:92
#2  0x00007ffff76d48ef in __libc_message (do_abort=2,
    fmt=0x7ffff7789541 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:186
#3  0x00007ffff7750177 in __fortify_fail (
    msg=0x7ffff77894d8 "buffer overflow detected") at fortify_fail.c:32
#4  0x00007ffff774de10 in __chk_fail () at chk_fail.c:29
#5  0x00007ffff774cf8d in __strncpy_chk (
    s1=0x640c <Address 0x640c out of bounds>,
    s2=0x640c <Address 0x640c out of bounds>, n=6, s1len=18446744073709551615)
    at strncpy_chk.c:34
#6  0x000000000041e9c8 in strncpy (__len=<optimized out>,
    __src=<optimized out>, __dest=<optimized out>)
    at /usr/include/bits/string3.h:123
#7  xfrm_algo_parse (max=<optimized out>, buf=<optimized out>,
    key=<optimized out>, name=<optimized out>, type=<optimized out>,
    alg=<optimized out>) at xfrm_state.c:166

(gdb) l
161                     len = slen;
162                     if (len > 0) {
163                             if (len > max)
164                                     invarg("\"ALGOKEY\" makes buffer
overflow\n", key);
165
166                             strncpy(buf, key, len);
167                     }
168             }
169
170             alg->alg_key_len = len * 8;
(gdb) up
#8  xfrm_state_modify (cmd=<optimized out>, flags=<optimized out>, argc=1,
    argv=0x7fffffffe370) at xfrm_state.c:406
406                                     xfrm_algo_parse((void *)&alg, type,
name, key,

the compiler passes zero to __builtin___strncpy_chk as the buffer size.
xfrm_algo_parse is inlined into xfrm_state_modify.


Thanks!

Sincerely Yours,

Bin Li

http://zh.opensuse.org

View attachment "iproute2-FORTIFY_SOURCE.patch" of type "text/x-patch" (2234 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ