| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Oct 2011 09:50:52 -0700
From: Stephen Hemminger <shemminger@...tta.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: Bin Li <libin.charles@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH] iproute2: Conforming to -D_FORTIFY_SOURCE=2
restrictions
On Wed, 19 Oct 2011 13:30:51 +0200
Eric Dumazet <eric.dumazet@...il.com> wrote:
> Le mercredi 19 octobre 2011 à 17:15 +0800, Bin Li a écrit :
> > Stephen,
> >
> > You can reproduce this issue in 2.6.37 like below. And the previous
> > gdb log is after the install the debuginfo package in SUSE.
> >
> > # ip -6 xfrm state add src 3ffe:501:ffff:ff03:21a:64ff:fe12:e4c1 dst
> > 3ffe:501:ffff:ff05:200:ff:fe00:c1c1 proto ah spi 0x1000 mode transport
> > auth md5 "TAHITEST89ABCDEF"
> >
> > *** buffer overflow detected ***: ip terminated
> > ======= Backtrace: =========
> > /lib/libc.so.6(__fortify_fail+0x40)[0xb76d0070]
> > /lib/libc.so.6(+0xe8e27)[0xb76cde27]
> > /lib/libc.so.6(+0xe8317)[0xb76cd317]
> > ip[0x806d6c4]
> > ip(do_xfrm_state+0x120)[0x806dc70]
> > ip(do_xfrm+0x81)[0x806ad51]
> > ip[0x804c355]
> > ip(main+0x476)[0x804caa6]
> > /lib/libc.so.6(__libc_start_main+0xfe)[0xb75fbc2e]
> > ip[0x804c261]
> > ======= Memory map: ========
> > 08048000-08087000 r-xp 00000000 08:01 4465 /sbin/ip
> > 08087000-08088000 r--p 0003e000 08:01 4465 /sbin/ip
> > 08088000-0808a000 rw-p 0003f000 08:01 4465 /sbin/ip
> > 0808a000-080ad000 rw-p 00000000 00:00 0 [heap]
> > b75c6000-b75e2000 r-xp 00000000 08:01 131084 /lib/libgcc_s.so.1
> > b75e2000-b75e3000 r--p 0001b000 08:01 131084 /lib/libgcc_s.so.1
> > b75e3000-b75e4000 rw-p 0001c000 08:01 131084 /lib/libgcc_s.so.1
> > b75e4000-b75e5000 rw-p 00000000 00:00 0
> > b75e5000-b774b000 r-xp 00000000 08:01 131375 /lib/libc-2.11.3.so
> > b774b000-b774c000 ---p 00166000 08:01 131375 /lib/libc-2.11.3.so
> > b774c000-b774e000 r--p 00166000 08:01 131375 /lib/libc-2.11.3.so
> > b774e000-b774f000 rw-p 00168000 08:01 131375 /lib/libc-2.11.3.so
> > b774f000-b7752000 rw-p 00000000 00:00 0
> > b7752000-b7755000 r-xp 00000000 08:01 131428 /lib/libdl-2.11.3.so
> > b7755000-b7756000 r--p 00002000 08:01 131428 /lib/libdl-2.11.3.so
> > b7756000-b7757000 rw-p 00003000 08:01 131428 /lib/libdl-2.11.3.so
> > b7774000-b7775000 rw-p 00000000 00:00 0
> > b7775000-b7794000 r-xp 00000000 08:01 154467 /lib/ld-2.11.3.so
> > b7794000-b7795000 r--p 0001e000 08:01 154467 /lib/ld-2.11.3.so
> > b7795000-b7796000 rw-p 0001f000 08:01 154467 /lib/ld-2.11.3.so
> > bfa02000-bfa23000 rw-p 00000000 00:00 0 [stack]
> > ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
> > Aborted
> >
> > And If without -D_FORTIFY_SOURCE=2 in gcc, it works fine, so It's a
> > bug in iproute2 which is not conforming to -D_FORTIFY_SOURCE=2
> > restrictions.
> >
>
> FORTIFY assumes we cant copy a string on alg.u.alg.alg_key !
>
> This completely precludes 0-sized arrays
>
> struct xfrm_algo {
> char alg_name[64];
> unsigned int alg_key_len; /* in bits */
> char alg_key[0];
> };
>
> struct {
> union {
> struct xfrm_algo alg;
> struct xfrm_algo_aead aead;
> struct xfrm_algo_auth auth;
> } u;
> char buf[XFRM_ALGO_KEY_BUF_SIZE];
> } alg = {};
>
> I would say its a FORTIFY bug. This kind of construct is perfectly
> valid.
Maybe it will handle flexible style arrays.
See also:
http://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
At this time, I won't accept the patch that uses alloca() just to deal
with this FORTIFY bug.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists