Date:   Mon, 13 Feb 2023 03:14:10 +0000
From:   Sam James <sam@...too.org>
To:     netdev@...r.kernel.org
Cc:     Stephen Hemminger <stephen@...workplumber.org>,
        Frederik Schwan <freswa@...hlinux.org>,
        Doug Freed <dwfreed@....edu>,
        Gentoo Toolchain <toolchain@...too.org>
Subject: Iproute2 crashes with glibc-2.37, caused by UB in print_route (overlapping strncpy arguments)

Hi,

[Apologies if this isn't the right venue for a bug report in the iproute2 userland tool.]

(Resending to right address...)

This was originally reported to the glibc folks at https://sourceware.org/bugzilla/show_bug.cgi?id=30112.

With glibc-2.37, ip -6 route gives invalid output as follows:
```
$ ip route add dev eth0 fd8d:4d6d:3ccb:500:c79:2339:edce:ece1 proto static
$ ip -6 route
```

With:
```
bad output:
fd8d:4d6d:3ccb:500:c79:2339:edc dev eth0 proto static metric 1024 pref medium

good output:
fd8d:4d6d:3ccb:500:c79:2339:edce:ece1 dev eth0 proto static metric 1024 pref medium
```

But it looks like iproute's code is suspicious here, as it calls strncpy with overlapping
source & destination. It appears to have worked by chance until now.

iproute2 should use a different buffer in the call to format_host_rta_r, so that
b1 and hostname stop overlapping.

Thanks to freswa@...hlinux.org for reporting this initially on the glibc bug tracker and
finding the reproducer, and to Doug Freed (dwfreed) after I threw the ASAN output at him.

This output is from glibc-2.36, but I got the same w/ glibc-2.37:
```
$ valgrind ip -6 route
==122592== Memcheck, a memory error detector
==122592== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==122592== Using Valgrind-3.20.0 and LibVEX; rerun with -h for copyright info
==122592== Command: ip -6 route
==122592==
==122592== Source and destination overlap in strncpy(0x1ffefff283, 0x1ffefff283, 63)
==122592== at 0x48493DA: strncpy (vg_replace_strmem.c:604)
==122592== by 0x1200EC: strncpy (string_fortified.h:95)
==122592== by 0x1200EC: print_route (iproute.c:819)
==122592== by 0x17C3C5: rtnl_dump_filter_l (libnetlink.c:925)
==122592== by 0x17D8FF: rtnl_dump_filter_errhndlr_nc (libnetlink.c:987)
==122592== by 0x11E3D3: iproute_list_flush_or_save (iproute.c:1981)
==122592== by 0x113C54: do_cmd (ip.c:137)
==122592== by 0x1136F8: main (ip.c:327)
==122592==
::1 dev lo proto kernel metric 256 pref medium
[my network bits here]
==122592==
==122592== HEAP SUMMARY:
==122592== in use at exit: 206 bytes in 3 blocks
==122592== total heap usage: 10 allocs, 7 frees, 165,174 bytes allocated
==122592==
==122592== LEAK SUMMARY:
==122592== definitely lost: 0 bytes in 0 blocks
==122592== indirectly lost: 0 bytes in 0 blocks
==122592== possibly lost: 0 bytes in 0 blocks
==122592== still reachable: 206 bytes in 3 blocks
==122592== suppressed: 0 bytes in 0 blocks
==122592== Rerun with --leak-check=full to see details of leaked memory
==122592==
==122592== For lists of detected and suppressed errors, rerun with: -s
==122592== ERROR SUMMARY: 3 errors from 1 contexts (suppressed: 0 from 0)
```

And from ASAN:
```
=================================================================
==108934==ERROR: AddressSanitizer: strncpy-param-overlap: memory ranges [0x7f3651200380,0x7f3651200384) and [0x7f3651200380, 0x7f3651200384) overlap
#0 0x7f36533fe03c in __interceptor_strncpy /usr/src/debug/sys-devel/gcc-13.0.1_pre20230212/gcc-13-20230212/libsanitizer/asan/asan_interceptors.cpp:483
#1 0x5616e76ac5b2 in strncpy /usr/include/bits/string_fortified.h:95
#2 0x5616e76ac5b2 in print_route /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/iproute.c:819
#3 0x5616e7784705 in rtnl_dump_filter_l /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/lib/libnetlink.c:925
#4 0x5616e778a598 in rtnl_dump_filter_errhndlr_nc /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/lib/libnetlink.c:987
#5 0x5616e76a8e89 in iproute_list_flush_or_save /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/iproute.c:1981
#6 0x5616e76afcca in do_iproute /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/iproute.c:2358
#7 0x5616e768f3bf in do_cmd /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/ip.c:137
#8 0x5616e768d992 in main /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/ip.c:327
#9 0x7f365318274f (/usr/lib64/libc.so.6+0x2374f)
#10 0x7f3653182808 in __libc_start_main (/usr/lib64/libc.so.6+0x23808)
#11 0x5616e768f244 in _start (/usr/bin/ip+0x11244)

Address 0x7f3651200380 is located in stack of thread T0 at offset 896 in frame
#0 0x5616e76aa38f in print_route /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/iproute.c:746

This frame has 4 object(s):
[48, 192) 'mxrta' (line 599)
[256, 504) 'tb' (line 750)
[576, 824) 'tb' (line 680)
[896, 960) 'b1' (line 755) <== Memory access at offset 896 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Address 0x7f3651200380 is located in stack of thread T0 at offset 896 in frame
#0 0x5616e76aa38f in print_route /usr/src/debug/sys-apps/iproute2-6.1.0/iproute2-6.1.0/ip/iproute.c:746

This frame has 4 object(s):
[48, 192) 'mxrta' (line 599)
[256, 504) 'tb' (line 750)
[576, 824) 'tb' (line 680)
[896, 960) 'b1' (line 755) <== Memory access at offset 896 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: strncpy-param-overlap /usr/src/debug/sys-devel/gcc-13.0.1_pre20230212/gcc-13-20230212/libsanitizer/asan/asan_interceptors.cpp:483 in __interceptor_strncpy
==108934==ABORTING
```

best,
sam
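As an added example (not iproute2's code), the C below models the pattern the report describes: a formatter, here a constructed stand-in for format_host_rta_r() built on inet_ntop(), returns a pointer into the caller's own buffer, so the strncpy that follows copies b1 onto itself. It pairs an overlap check that refuses such a call, the kind of check Valgrind and ASAN perform for you, with the two-buffer fix the report suggests; the function names are assumptions, and the 64-byte b1 follows the frame description in the ASAN output.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Destination from the report's reproducer (constructed test input). */
static const char REPORT_ADDR[] = "fd8d:4d6d:3ccb:500:c79:2339:edce:ece1";

/* Stand-in for format_host_rta_r(): formats into the caller's buffer and
 * returns that same buffer, which is what makes the later copy overlap. */
static const char *format_host_r(const struct in6_addr *a, char *buf, size_t len)
{ return inet_ntop(AF_INET6, a, buf, (socklen_t)len); }

/* strncpy's precondition: the two n-byte ranges must not share a byte. */
int ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return d < s + n && s < d + n;
}

/* Copy that refuses overlapping arguments (-1) instead of invoking UB. */
int checked_strncpy(char *dst, const char *src, size_t n)
{
    if (n == 0 || ranges_overlap(dst, src, n)) return -1;
    strncpy(dst, src, n);
    dst[n - 1] = '\0';            /* strncpy may leave dst unterminated */
    return 0;
}

/* Shape of the reported code: hostname aliases b1, so the copy overlaps. */
int print_dst_single_buffer(const struct in6_addr *a, char *b1, size_t len)
{
    const char *hostname = format_host_r(a, b1, len);
    return hostname ? checked_strncpy(b1, hostname, len) : -1;
}

/* Fix the report asks for: give the formatter its own buffer. */
int print_dst_two_buffers(const struct in6_addr *a, char *b1, size_t len)
{
    char hbuf[64];
    const char *hostname = format_host_r(a, hbuf, sizeof hbuf);
    return hostname ? checked_strncpy(b1, hostname, len) : -1;
}

/* 1 if the buggy shape is rejected and the fixed one yields the full address. */
int demo_check(void)
{
    struct in6_addr a; char b1[64];
    if (inet_pton(AF_INET6, REPORT_ADDR, &a) != 1) return 0;
    int single = print_dst_single_buffer(&a, b1, sizeof b1);
    int two = print_dst_two_buffers(&a, b1, sizeof b1);
    return single == -1 && two == 0 && strcmp(b1, REPORT_ADDR) == 0;
}
```

The single-buffer path is refused before any copy happens, which is exactly the overlap the sanitizer traces above flag at iproute.c:819; the two-buffer path reproduces the "good output" address in full.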

