Your message dated Thu, 26 Jan 2006 10:38:27 +0100
with message-id <[EMAIL PROTECTED]>
and subject line This has been removed from the archive
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Feb 2004 07:43:03 +0000
From [EMAIL PROTECTED] Fri Feb 20 23:43:03 2004
Return-path: <[EMAIL PROTECTED]>
Received: from spock.bluecherry.net [66.138.159.248]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1AuRmw-0008Jd-00; Fri, 20 Feb 2004 23:43:02 -0800
Received: from blackhole.home (dsl-208-240-239-12.dsl0.crls.pa.net
[208.240.239.12])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client did not present a certificate)
by spock.bluecherry.net (Postfix) with ESMTP
id CD47D7C4; Sat, 21 Feb 2004 01:42:58 -0600 (CST)
Received: from portal.home (portal.home [10.0.0.1])
by blackhole.home (Postfix) with SMTP
id 244101BB5B; Sat, 21 Feb 2004 02:42:49 -0500 (EST)
Received: (nullmailer pid 4760 invoked by uid 1005);
Sat, 21 Feb 2004 07:42:46 -0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Ben Winslow <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libc6: non-debug binaries do odd things to the stack
X-Mailer: reportbug 2.47
Date: Sat, 21 Feb 2004 02:42:46 -0500
Message-Id: <[EMAIL PROTECTED]>
X-BadReturnPath: [EMAIL PROTECTED] rewritten as [EMAIL PROTECTED]
using "From" header
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_18
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=HAS_PACKAGE autolearn=no
version=2.60-bugs.debian.org_2004_02_18
X-Spam-Level:
Package: libc6
Version: 2.3.2.ds1-11
Severity: important
Tags: security
The non-debug libc6 binaries do strange things to the stack. I haven't
figured out the specifics to this bug, but I have found two ways to
reliably reproduce the problem.
Method 1:
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    printf("aborting...\n");
    abort();        /* raises SIGABRT; the backtrace below is taken here */
}
Resulting stack trace on abort():
#0 0xffffe410 in __kernel_vsyscall ()
#1 0x4005acf3 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0x4016706c in ?? () from /lib/tls/i686/cmov/libc.so.6
Resulting (expected) stack trace with libc6-dbg:
#0 0x40041571 in kill () from /usr/lib/debug/libc.so.6
#1 0x40041315 in *__GI_raise (sig=6)
at ../linuxthreads/sysdeps/unix/sysv/linux/raise.c:32
#2 0x40042838 in *__GI_abort () at ../sysdeps/generic/abort.c:88
#3 0x080483ae in main (argc=1, argv=0xbffff4b4) at test1.c:8
One other place I encountered the problem was while trying to walk the
stack in an LD_PRELOADed library that wrapped around gettimeofday(). I
used __builtin_frame_address (a gcc internal) to walk backwards through
the stack (the function is supposed to return 0 when the top of the stack
is reached.) The results end with some characters of the program name
(which is stored after the stack) with a non-debug libc.
Method 2:
/* Build as a shared object, e.g.
 *   gcc -shared -fPIC -o test-gettimeofday.so test-gettimeofday.c
 * and LD_PRELOAD it so this gettimeofday() replaces libc's. */
#include <time.h>
#include <stdio.h>
#include <sys/time.h>

/* Print frame x's frame pointer and stop once the chain reaches NULL,
 * which is what __builtin_frame_address() returns at the top of the
 * stack. The argument must be a compile-time constant, hence a macro. */
#define STACKFRAME(x) \
    printf("%d: %p\n", x, __builtin_frame_address(x)); \
    fflush(stdout); \
    if (__builtin_frame_address(x) == NULL) \
        return 0;

int gettimeofday(struct timeval *tv, struct timezone *tz)
{
    /* Hand back a fixed time (2000-01-01 00:00:00 UTC) so the program
     * that called us still gets something sensible. */
    if (tv != NULL) {
        tv->tv_sec = 946684800;
        tv->tv_usec = 0;
    }
    STACKFRAME(0) STACKFRAME(1) STACKFRAME(2) STACKFRAME(3)
    STACKFRAME(4) STACKFRAME(5) STACKFRAME(6) STACKFRAME(7)
    STACKFRAME(8) STACKFRAME(9) STACKFRAME(10) STACKFRAME(11)
    STACKFRAME(12) STACKFRAME(13) STACKFRAME(14) STACKFRAME(15)
    printf("16: [more...]\n");
    return 0;
}
Compile this code as a .so, and LD_PRELOAD it before running a program
that uses gettimeofday() (e.g. LD_PRELOAD=./test-gettimeofday.so top)
Resulting output:
0: 0xbfffeef8
1: 0xbfffef68
2: 0xbfffef88
3: 0xbffff0c8
4: 0xbffff358
5: 0xbffff428
6: 0xbffff4b4
7: 0xbffff615
8: 0x706f74
^^^^^^^^ 'top^@' in little endian.
[program crashes at this point]
Resulting (expected) output with libc6-dbg:
0: 0xbfffeef8
1: 0xbfffef68
2: 0xbfffef88
3: 0xbffff0c8
4: 0xbffff358
5: 0xbffff428
6: 0xbffff448
7: (nil)
Unfortunately, I haven't found any other ways to reproduce this with
a short test program.
The libsafe package is affected by this bug, because it relies on a
valid stack in order to determine whether or not a variable is stack or
heap, and the size of that variable should it reside on the stack.
Since libsafe always fails to determine that a variable is on the stack
(and presumes it's on the heap, instead), libsafe is rendered completely
ineffective, which is why I marked this bug with the 'security' tag.
Versions of relevant packages:
ii gcc 3.3.2-2 The GNU C compiler
ii libsafe 2.0-16-6 Protection against buffer overflow vulnerabi
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.3
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8
Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl
-- no debconf information
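The report above walks the saved-frame-pointer chain blindly, which is why it ends up dereferencing 0x706f74 once a libc frame without a frame pointer is in the way. The following is an added example (not code from the bug report, from libsafe, or from glibc) of how a walker that validates each link before following it stops cleanly at the bad frame instead of crashing, and of the libsafe-style "how far can this buffer grow before it reaches the saved frame pointer" bound that the report says libsafe can no longer compute. It runs on a constructed 64-word fake stack rather than the real one (an assumption made so it is deterministic and runs on any architecture); frame positions, the junk link and the helper names are all inventions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAMES 16

/* Result of walking a chain of saved frame pointers. */
typedef struct {
    uintptr_t frames[MAX_FRAMES]; /* frame pointers, innermost first */
    int count;
    int terminated;               /* 1 if the chain ended at a NULL link */
} walk_result;

/* Follow a candidate frame pointer only if it is word aligned, lies inside
 * [lo, hi) and is above the previous frame (the stack grows down, so callers
 * sit at higher addresses). The misaligned 0xbffff615 and the 0x706f74 seen
 * in the report both fail these checks. */
static int plausible_fp(uintptr_t fp, uintptr_t prev, uintptr_t lo, uintptr_t hi)
{
    if (fp & (sizeof(uintptr_t) - 1))
        return 0;
    if (fp < lo || fp + sizeof(uintptr_t) > hi)
        return 0;
    if (fp <= prev)
        return 0;
    return 1;
}

/* Walk from start_fp; each frame's first word is the caller's saved frame
 * pointer. Stops at the first implausible link rather than reading it. */
walk_result walk_frames(uintptr_t start_fp, uintptr_t lo, uintptr_t hi)
{
    walk_result r = { {0}, 0, 0 };
    uintptr_t fp = start_fp, prev = 0;

    while (r.count < MAX_FRAMES) {
        if (fp == 0) {            /* legitimate end of the chain */
            r.terminated = 1;
            break;
        }
        if (!plausible_fp(fp, prev, lo, hi))
            break;                /* a naive walker would dereference this */
        r.frames[r.count++] = fp;
        prev = fp;
        fp = *(const uintptr_t *)fp;
    }
    return r;
}

/* libsafe-style bound: bytes a buffer at addr may hold before it reaches the
 * saved frame pointer (and return address) of its own frame. Returns 0 when
 * no walked frame encloses addr, i.e. the buffer is not recognised as a
 * stack variable and would go unchecked. */
size_t stack_var_limit(uintptr_t addr, const walk_result *r)
{
    for (int k = 0; k < r->count; k++)
        if (addr < r->frames[k])
            return (size_t)(r->frames[k] - addr);
    return 0;
}

/* Constructed fake stack (assumption: stands in for the real i386 stack).
 * Frames are at word indexes 4, 12, 20, 28 and 40; the chain ends at a NULL
 * link in word 40. With broken != 0 the link in frame 28 is replaced by a
 * misaligned pointer, modelling a frame whose "saved %ebp" slot holds junk. */
#define FAKE_WORDS 64
static size_t build_fake_stack(uintptr_t *s, int broken)
{
    for (int i = 0; i < FAKE_WORDS; i++)
        s[i] = 0x41414141u;       /* filler, so junk links are obvious */
    s[4]  = (uintptr_t)&s[12];
    s[12] = (uintptr_t)&s[20];
    s[20] = (uintptr_t)&s[28];
    s[28] = broken ? (uintptr_t)&s[40] + 1 : (uintptr_t)&s[40];
    s[40] = 0;
    return 4;                     /* index of the innermost frame pointer */
}

static walk_result run_fake(uintptr_t *s, int broken)
{
    size_t fp0 = build_fake_stack(s, broken);
    return walk_frames((uintptr_t)&s[fp0], (uintptr_t)&s[0],
                       (uintptr_t)&s[FAKE_WORDS]);
}

int demo_frame_count(int broken)
{
    uintptr_t s[FAKE_WORDS];
    return run_fake(s, broken).count;
}

int demo_chain_terminated(int broken)
{
    uintptr_t s[FAKE_WORDS];
    return run_fake(s, broken).terminated;
}

/* Bound for a buffer starting at word index `word` of the fake stack. */
size_t demo_limit(int broken, int word)
{
    uintptr_t s[FAKE_WORDS];
    walk_result r = run_fake(s, broken);
    return stack_var_limit((uintptr_t)&s[word], &r);
}

int main(void)
{
    for (int broken = 0; broken < 2; broken++)
        printf("%s chain: %d frames, terminated=%d, limit(word 33)=%zu\n",
               broken ? "broken" : "good", demo_frame_count(broken),
               demo_chain_terminated(broken), demo_limit(broken, 33));
    return 0;
}
```

With the intact chain the walker reaches the NULL link after five frames and a buffer in word 33 gets a bound of seven words; with the junk link it stops after four frames, and the same buffer gets a bound of 0, which is exactly the "presumes it's on the heap" outcome the report describes for libsafe. Buffers in frames below the break (word 8, say) are still bounded either way, so in practice the protection is lost for every frame above the first frame-pointer-less libc function on the call path.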
---------------------------------------
Received: (at 233996-done) by bugs.debian.org; 26 Jan 2006 09:38:29 +0000
From [EMAIL PROTECTED] Thu Jan 26 01:38:29 2006
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org ([193.22.164.111]
helo=vserver151.vserver151.serverflex.de)
by spohr.debian.org with esmtp (Exim 4.50)
id 1F23aH-000482-IQ; Thu, 26 Jan 2006 01:38:29 -0800
Received: from jmm by vserver151.vserver151.serverflex.de with local (Exim 4.50)
id 1F23aF-00069C-Kz; Thu, 26 Jan 2006 10:38:28 +0100
Date: Thu, 26 Jan 2006 10:38:27 +0100
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: This has been removed from the archive
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond
expanded to false
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no
version=2.60-bugs.debian.org_2005_01_02
libsafe has been removed from sid and Etch; it's not present in Sarge due to
bugginess.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]