Hello, I guess #921959 describes also the same problem. Attached patch tries to workaround that issue by not using the the original buf pointer increased by the offset of member th_msg.
That way at least the warning "overflows the destination" is not written anymore at build time and a package built with it could deliver the error message to the client. The disassembly shows still a call to __strcpy_chk, but now with "mov $0x200,%edx" instead of a "xor %edx,%edx" like before. Kind regards, Bernhard
# Buster/stable amd64 qemu VM 2019-08-26 apt update apt dist-upgrade apt install systemd-coredump mc psmisc net-tools strace gdb tftp tftpd tftpd-dbgsym apt build-dep tftpd mkdir /home/benutzer/source/tftpd/orig -p cd /home/benutzer/source/tftpd/orig apt source tftpd cd # tftp localhost --> does not trigger a crash tftp 10.0.2.15 get test ########### benutzer@debian:~$ tftp localhost tftp> get test Transfer timed out. tftp> # nothing in 'coredumpctl list' or 'dmesg' ########### enutzer@debian:~$ tftp 10.0.2.15 tftp> get test Transfer timed out. tftp> root@debian:~# coredumpctl list TIME PID UID GID SIG COREFILE EXE ... Mon 2019-08-26 22:53:56 CEST 2558 65534 65534 6 present /usr/sbin/in.tftpd root@debian:~# coredumpctl gdb 2558 PID: 2558 (in.tftpd) UID: 65534 (nobody) GID: 65534 (nogroup) Signal: 6 (ABRT) Timestamp: Mon 2019-08-26 22:53:56 CEST (5min ago) Command Line: in.tftpd /srv/tftp Executable: /usr/sbin/in.tftpd Control Group: /system.slice/inetd.service Unit: inetd.service Slice: system.slice Boot ID: 90010229fa5c4bad91f686460281c7bd Machine ID: 33f18f39d2a9438eb75b0ed52848afcd Hostname: debian Storage: /var/lib/systemd/coredump/core.in\x2etftpd.65534.90010229fa5c4bad91f686460281c7bd.2558.1566852836000000.lz4 Message: Process 2558 (in.tftpd) of user 65534 dumped core. Stack trace of thread 2558: #0 0x00007f1c5997a7bb __GI_raise (libc.so.6) #1 0x00007f1c59965535 __GI_abort (libc.so.6) #2 0x00007f1c599bc508 __libc_message (libc.so.6) #3 0x00007f1c59a4d80d __GI___fortify_fail_abort (libc.so.6) #4 0x00007f1c59a4d841 __GI___fortify_fail (libc.so.6) #5 0x00007f1c59a4b940 __GI___chk_fail (libc.so.6) #6 0x00007f1c59a4ad52 __strcpy_chk (libc.so.6) #7 0x0000558db2f4b94f strcpy (in.tftpd) #8 0x0000558db2f4b7a2 tftp (in.tftpd) #9 0x00007f1c5996709b __libc_start_main (libc.so.6) #10 0x0000558db2f4b7fa _start (in.tftpd) GNU gdb (Debian 8.2.1-2) 8.2.1 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /usr/sbin/in.tftpd...Reading symbols from /usr/lib/debug/.build-id/71/ec94654597b3b11d2d01a17ce776065786a694.debug...done. done. [New LWP 2558] Core was generated by `in.tftpd /srv/tftp'. Program terminated with signal SIGABRT, Aborted. #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 50 ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden. (gdb) set width 0 (gdb) set pagination off (gdb) directory /home/benutzer/source/tftpd/orig/netkit-tftp-0.17 Source directories searched: /home/benutzer/source/tftpd/orig/netkit-tftp-0.17:$cdir:$cwd (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007f1c59965535 in __GI_abort () at abort.c:79 #2 0x00007f1c599bc508 in __libc_message (action=<optimized out>, fmt=fmt@entry=0x7f1c59ac707b "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181 #3 0x00007f1c59a4d80d in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, msg=msg@entry=0x7f1c59ac6ff8 "buffer overflow detected") at fortify_fail.c:28 #4 0x00007f1c59a4d841 in __GI___fortify_fail (msg=msg@entry=0x7f1c59ac6ff8 "buffer overflow detected") at fortify_fail.c:44 #5 0x00007f1c59a4b940 in __GI___chk_fail () at chk_fail.c:28 #6 0x00007f1c59a4ad52 in __strcpy_chk (dest=0x558db2f4f724 <buf+4> "st", src=0x558db2f4d0f8 "Access violation", destlen=0) at strcpy_chk.c:30 #7 0x0000558db2f4b94f in strcpy (__src=<optimized out>, __dest=0x558db2f4f724 <buf+4> "st") at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90 #8 nak (error=<optimized out>) at ./tftpd/tftpd.c:624 #9 0x0000558db2f4b7a2 in tftp (tp=<optimized out>, size=<optimized out>) at ./tftpd/tftpd.c:317 #10 main (ac=<optimized out>, av=<optimized out>) at ./tftpd/tftpd.c:255 set width 0 set pagination off directory /home/benutzer/source/tftpd/orig/netkit-tftp-0.17 ######### gdb -q --pid $(pidof /usr/sbin/inetd) \ -ex 'set width 0' \ -ex 'set pagination off' \ -ex 'set follow-fork-mode child' \ -ex 'set follow-exec-mode child' \ -ex 'b writev' \ -ex cont
Description: Workaround FORTIFY_SOURCE in struct tftphdr Bug-Debian: https://bugs.debian.org/935826 Bug-Debian: https://bugs.debian.org/931848 Bug-Debian: https://bugs.debian.org/921959 Last-Update: 2019-08-26 --- netkit-tftp-0.17.orig/tftp/tftp.c +++ netkit-tftp-0.17/tftp/tftp.c @@ -373,7 +373,7 @@ nak(int error) pe->e_msg = strerror(error - 100); tp->th_code = EUNDEF; } - strcpy(tp->th_msg, pe->e_msg); + strcpy(ackbuf + ((char*)tp->th_msg - (char*)tp), pe->e_msg); length = strlen(pe->e_msg) + 4; if (trace) tpacket("sent", tp, length); --- netkit-tftp-0.17.orig/tftpd/tftpd.c +++ netkit-tftp-0.17/tftpd/tftpd.c @@ -621,7 +621,7 @@ nak(int error) pe->e_msg = strerror(error - 100); tp->th_code = EUNDEF; /* set 'undef' errorcode */ } - strcpy(tp->th_msg, pe->e_msg); + strcpy(buf + ((char*)&tp->th_msg - (char*)tp), pe->e_msg); length = strlen(pe->e_msg); tp->th_msg[length] = '\0'; length += 5;