[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
Just confirmed on precise 12.04:

root@testing:/home/ubuntu# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION=Ubuntu 12.04.2 LTS
root@testing:/home/ubuntu# dpkg -l | grep liblockfile
ii  liblockfile-bin   1.09-3   support binaries for and cli utilities based on liblockfile
ii  liblockfile1      1.09-3   NFS-safe locking library
root@testing:/home/ubuntu# echo $BASHPID
1012680
root@testing:/home/ubuntu# lockfile-create /tmp/lockfile --use-pid
*** buffer overflow detected ***: lockfile-create terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f14c2723817]
/lib/x86_64-linux-gnu/libc.so.6(+0x109710)[0x7f14c2722710]
/lib/x86_64-linux-gnu/libc.so.6(+0x108b79)[0x7f14c2721b79]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7f14c269513d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7f14c26634a7]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7f14c2721c14]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f14c2721b5d]
/usr/lib/x86_64-linux-gnu/liblockfile.so.1(+0x1b26)[0x7f14c29d9b26]
/usr/lib/x86_64-linux-gnu/liblockfile.so.1(lockfile_create+0x61)[0x7f14c29d9dd1]
lockfile-create[0x400f21]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7f14c263a76d]
lockfile-create[0x4012c5]
======= Memory map: ========
0040-00402000 r-xp fd:01 4401 /usr/bin/lockfile-create
00602000-00603000 r--p 2000 fd:01 4401 /usr/bin/lockfile-create
00603000-00604000 rw-p 3000 fd:01 4401 /usr/bin/lockfile-create
0201a000-0203b000 rw-p 00:00 0 [heap]
7f14c2403000-7f14c2418000 r-xp fd:01 2995 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f14c2418000-7f14c2617000 ---p 00015000 fd:01 2995 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f14c2617000-7f14c2618000 r--p 00014000 fd:01 2995 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f14c2618000-7f14c2619000 rw-p 00015000 fd:01 2995 /lib/x86_64-linux-gnu/libgcc_s.so.1
7f14c2619000-7f14c27ce000 r-xp fd:01 3071 /lib/x86_64-linux-gnu/libc-2.15.so
7f14c27ce000-7f14c29cd000 ---p 001b5000 fd:01 3071 /lib/x86_64-linux-gnu/libc-2.15.so
7f14c29cd000-7f14c29d1000 r--p 001b4000 fd:01 3071 /lib/x86_64-linux-gnu/libc-2.15.so
7f14c29d1000-7f14c29d3000 rw-p 001b8000 fd:01 3071 /lib/x86_64-linux-gnu/libc-2.15.so
7f14c29d3000-7f14c29d8000 rw-p 00:00 0
7f14c29d8000-7f14c29db000 r-xp fd:01 11024 /usr/lib/x86_64-linux-gnu/liblockfile.so.1.0
7f14c29db000-7f14c2bda000 ---p 3000 fd:01 11024 /usr/lib/x86_64-linux-gnu/liblockfile.so.1.0
7f14c2bda000-7f14c2bdb000 r--p 2000 fd:01 11024 /usr/lib/x86_64-linux-gnu/liblockfile.so.1.0
7f14c2bdb000-7f14c2bdc000 rw-p 3000 fd:01 11024 /usr/lib/x86_64-linux-gnu/liblockfile.so.1.0
7f14c2bdc000-7f14c2bfe000 r-xp fd:01 2944 /lib/x86_64-linux-gnu/ld-2.15.so
7f14c2df4000-7f14c2df7000 rw-p 00:00 0
7f14c2dfb000-7f14c2dfe000 rw-p 00:00 0
7f14c2dfe000-7f14c2dff000 r--p 00022000 fd:01 2944 /lib/x86_64-linux-gnu/ld-2.15.so
7f14c2dff000-7f14c2e01000 rw-p 00023000 fd:01 2944 /lib/x86_64-linux-gnu/ld-2.15.so
7fff887f1000-7fff88812000 rw-p 00:00 0 [stack]
7fff88917000-7fff88918000 r-xp 00:00 0 [vdso]
ff60-ff601000 r-xp 00:00 0 [vsyscall]
Aborted (core dumped)

liblockfile1

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1011477

Title:
  cron-apt buffer overflow with high pid numbers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/liblockfile/+bug/1011477/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
Can't understand how this can get urgency=low if this can actually prevent systems from getting updates. IMHO this should be critical ...
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
** Branch linked: lp:ubuntu/raring-proposed/liblockfile
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
This bug was fixed in the package liblockfile - 1.09-5ubuntu1

---------------
liblockfile (1.09-5ubuntu1) raring; urgency=low

  * debian/patches/fix-buffer-overflows.patch: Fix buffer overflows when
    building strings
    - Protect against overflows caused by long hostnames (LP: #941968)
    - Protect against overflows caused by large PID numbers (LP: #1011477)

 -- Tyler Hicks <tyhi...@canonical.com>  Wed, 09 Jan 2013 12:23:07 -0800

** Changed in: liblockfile (Ubuntu)
       Status: In Progress => Fix Released
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
I've attached a debdiff containing a fix for this bug in bug #941968

** Description changed:

  on our system (Ubuntu-Server 10.04) we set sysctl -w kernel.pid_max = 4194304.
  When the pid counter is high, currently 300, then cron-apt terminates with a
  buffer overflow message:

- root@sn:~# cron-apt
+ root@sn:~# cron-apt
  *** buffer overflow detected ***: dotlockfile terminated
  ======= Backtrace: =========
  /lib/libc.so.6(__fortify_fail+0x37)[0x7f2ae90547e7]
  /lib/libc.so.6(+0xfe6a0)[0x7f2ae90536a0]
  /lib/libc.so.6(+0xfdb09)[0x7f2ae9052b09]
  /lib/libc.so.6(_IO_default_xsputn+0xcc)[0x7f2ae8fcaf6c]
  /lib/libc.so.6(_IO_vfprintf+0x670)[0x7f2ae8f9aa10]
  /lib/libc.so.6(__vsprintf_chk+0x99)[0x7f2ae9052ba9]
  /lib/libc.so.6(__sprintf_chk+0x7f)[0x7f2ae9052aef]
  dotlockfile[0x401e6e]
  dotlockfile[0x40198a]
  /lib/libc.so.6(__libc_start_main+0xfd)[0x7f2ae8f73c4d]
  dotlockfile[0x4011f9]
  ======= Memory map: ========
  0040-00403000 r-xp fb:02 2104182 /usr/bin/dotlockfile
  00602000-00603000 r--p 2000 fb:02 2104182 /usr/bin/dotlockfile
  00603000-00604000 rw-p 3000 fb:02 2104182 /usr/bin/dotlockfile
  01f8-01fa1000 rw-p 00:00 0 [heap]
  7f2ae8503000-7f2ae8519000 r-xp fb:02 131128 /lib/libgcc_s.so.1
  7f2ae8519000-7f2ae8718000 ---p 00016000 fb:02 131128 /lib/libgcc_s.so.1
  7f2ae8718000-7f2ae8719000 r--p 00015000 fb:02 131128 /lib/libgcc_s.so.1
  7f2ae8719000-7f2ae871a000 rw-p 00016000 fb:02 131128 /lib/libgcc_s.so.1
  7f2ae871a000-7f2ae8726000 r-xp fb:02 147406 /lib/libnss_files-2.11.1.so
  7f2ae8726000-7f2ae8925000 ---p c000 fb:02 147406 /lib/libnss_files-2.11.1.so
  7f2ae8925000-7f2ae8926000 r--p b000 fb:02 147406 /lib/libnss_files-2.11.1.so
  7f2ae8926000-7f2ae8927000 rw-p c000 fb:02 147406 /lib/libnss_files-2.11.1.so
  7f2ae8927000-7f2ae8931000 r-xp fb:02 147385 /lib/libnss_nis-2.11.1.so
  7f2ae8931000-7f2ae8b3 ---p a000 fb:02 147385 /lib/libnss_nis-2.11.1.so
  7f2ae8b3-7f2ae8b31000 r--p 9000 fb:02 147385 /lib/libnss_nis-2.11.1.so
  7f2ae8b31000-7f2ae8b32000 rw-p a000 fb:02 147385 /lib/libnss_nis-2.11.1.so
  7f2ae8b32000-7f2ae8b49000 r-xp fb:02 147369 /lib/libnsl-2.11.1.so
  7f2ae8b49000-7f2ae8d48000 ---p 00017000 fb:02 147369 /lib/libnsl-2.11.1.so
  7f2ae8d48000-7f2ae8d49000 r--p 00016000 fb:02 147369 /lib/libnsl-2.11.1.so
  7f2ae8d49000-7f2ae8d4a000 rw-p 00017000 fb:02 147369 /lib/libnsl-2.11.1.so
- 7f2ae8d4a000-7f2ae8d4c000 rw-p 00:00 0
+ 7f2ae8d4a000-7f2ae8d4c000 rw-p 00:00 0
  7f2ae8d4c000-7f2ae8d54000 r-xp fb:02 147379 /lib/libnss_compat-2.11.1.so
  7f2ae8d54000-7f2ae8f53000 ---p 8000 fb:02 147379 /lib/libnss_compat-2.11.1.so
  7f2ae8f53000-7f2ae8f54000 r--p 7000 fb:02 147379 /lib/libnss_compat-2.11.1.so
  7f2ae8f54000-7f2ae8f55000 rw-p 8000 fb:02 147379 /lib/libnss_compat-2.11.1.so
  7f2ae8f55000-7f2ae90cf000 r-xp fb:02 147402 /lib/libc-2.11.1.so
  7f2ae90cf000-7f2ae92ce000 ---p 0017a000 fb:02 147402 /lib/libc-2.11.1.so
  7f2ae92ce000-7f2ae92d2000 r--p 00179000 fb:02 147402 /lib/libc-2.11.1.so
  7f2ae92d2000-7f2ae92d3000 rw-p 0017d000 fb:02 147402 /lib/libc-2.11.1.so
- 7f2ae92d3000-7f2ae92d8000 rw-p 00:00 0
+ 7f2ae92d3000-7f2ae92d8000 rw-p 00:00 0
  7f2ae92d8000-7f2ae92f8000 r-xp fb:02 147370 /lib/ld-2.11.1.so
- 7f2ae94eb000-7f2ae94ee000 rw-p 00:00 0
- 7f2ae94f5000-7f2ae94f7000 rw-p 00:00 0
+ 7f2ae94eb000-7f2ae94ee000 rw-p 00:00 0
+ 7f2ae94f5000-7f2ae94f7000 rw-p 00:00 0
  7f2ae94f7000-7f2ae94f8000 r--p 0001f000 fb:02 147370 /lib/ld-2.11.1.so
  7f2ae94f8000-7f2ae94f9000 rw-p 0002 fb:02 147370 /lib/ld-2.11.1.so
- 7f2ae94f9000-7f2ae94fa000 rw-p 00:00 0
+ 7f2ae94f9000-7f2ae94fa000 rw-p 00:00 0
  7fff43082000-7fff430a3000 rw-p 00:00 0 [stack]
  7fff431ff000-7fff4320 r-xp 00:00 0 [vdso]
  ff60-ff601000 r-xp 00:00 0 [vsyscall]
  Aborted
  root@sn:~# uname -a
  Linux sn 2.6.35-32-server #68~lucid1-Ubuntu SMP Wed Mar 28 18:33:00 UTC 2012 x86_64 GNU/Linux
  root@sn:~# ps
- PID TTY TIME CMD
+ PID TTY TIME CMD
  3722057 pts/5 00:00:00
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
** Changed in: liblockfile (Ubuntu)
   Importance: Undecided => Medium

** Changed in: liblockfile (Ubuntu)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: liblockfile (Ubuntu)
       Status: New => In Progress
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
** Attachment added: "strace -f of the cron-apt call"
   https://bugs.launchpad.net/bugs/1011477/+attachment/3184606/+files/cron-apt.strace-f
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
** Package changed: cron-apt (Ubuntu) => liblockfile (Ubuntu)
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
The following patch on liblockfile's lockfile.c fixes the issue:

--- a/lockfile.c +++ b/lockfile.c @@ -175,7 +175,7 @@ int lockfile_create(const char *lockfile, int retries, int flags) struct stat st, st1; char*tmplock; charsysname[256]; - charbuf[8]; + charbuf[sizeof(-18446744073709551616)+2]; char*p; int sleeptime = 0; int statfailed = 0;

The fix was done by Stefan Metzmacher.

You should also have a look at this part of the code, which looks like it can cause problems, too:

	if ((tmplock = (char *)malloc(strlen(lockfile)+32+1)) == NULL)
		return L_ERROR;
	strcpy(tmplock, lockfile);
	if ((p = strrchr(tmplock, '/')) == NULL)
		p = tmplock;
	else
		p++;
	sprintf(p, ".lk%05d%x%s", (int)getpid(), (int)time(NULL) & 15, sysname);
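Review bot: the new size expression in the changed `char buf[...]` line is opaque and, as it appears here, malformed. `sizeof(-18446744073709551616)+2` has no string quotes; as an integer constant -18446744073709551616 is outside the range of every standard C integer type, so a compiler will at best warn and give it an extended type, and the resulting size is whatever that type happens to be. If the operand was meant to be the string literal "-18446744073709551616", then sizeof yields 22 and buf becomes 24 bytes, which is enough for any decimal PID plus sign, newline and terminator, but the reader has to reverse-engineer that; spell out the intent in a comment (for example `/* room for "-2^64\n" and NUL */`) or size it from the type (`3 * sizeof(pid_t) + 3`). More importantly, the hunk only enlarges the buffer: the `__sprintf_chk` frame in the backtraces shows the write into buf is an unbounded `sprintf`, so it should become `snprintf(buf, sizeof(buf), ...)` with the return value checked, otherwise a later change to the format string reintroduces the same overflow.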
[Bug 1011477] Re: cron-apt buffer overflow with high pid numbers
The question is where the magic '32' comes from. sizeof(sysname) is 256...
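As an added example (not code from the bug thread or from liblockfile itself), the following C program works through the two sizing problems raised in the patch message and in the question about the magic '32' above: the fixed 8-byte PID buffer, and the `strlen(lockfile)+32+1` allocation for the temporary lock name. The `"%d\n"` format for the PID line is an assumption; the thread only shows the `char buf[8]` declaration and the `__sprintf_chk` frames. The `".lk%05d%x%s"` format and the `+32+1` allocation are quoted from the snippet in the patch message. The lock path `/tmp/lockfile`, PID 1012680 and hostname `testing` come from the precise reproduction; the PIDs 999999 and 1000000 and the long hostnames are constructed here to find the boundary. The hardened variants use `snprintf` bounded by the real buffer size, or size the allocation from the formatted length, which is the general fix for both bugs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PID line written into the lock file. The thread shows char buf[8];
 * "%d\n" is an assumed format. Any decimal PID needs digits + 2 bytes
 * (newline and NUL), so a 7-digit PID needs 9 and overruns buf[8]. */

/* Bytes sprintf(buf, "%d\n", pid) writes, including the trailing NUL. */
size_t pid_line_len(int pid)
{
    return (size_t)snprintf(NULL, 0, "%d\n", pid) + 1;
}

/* 1 if the unchecked sprintf writes past a buffer of bufsize bytes. */
int pid_overflows(int pid, size_t bufsize)
{
    return pid_line_len(pid) > bufsize;
}

/* Hardened form: bound the write and treat truncation as an error rather
 * than writing a mangled PID. Returns bytes written (no NUL) or -1. */
int format_pid_line(char *buf, size_t bufsize, int pid)
{
    int n = snprintf(buf, bufsize, "%d\n", pid);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return n;
}

/* Temporary lock name. The quoted snippet copies lockfile into
 * malloc(strlen(lockfile)+32+1) and sprintf()s ".lk<pid><time&15><host>"
 * over the basename, so the name has to fit in basename length + 32. */

/* Bytes the temporary name needs, including the NUL. */
size_t tmplock_needed(const char *lockfile, int pid, unsigned stamp,
                      const char *sysname)
{
    const char *slash = strrchr(lockfile, '/');
    size_t prefix = slash ? (size_t)(slash - lockfile) + 1 : 0;
    int n = snprintf(NULL, 0, ".lk%05d%x%s", pid, stamp & 15u, sysname);
    return prefix + (size_t)n + 1;
}

/* 1 if the original strlen(lockfile)+32+1 allocation is too small. */
int tmplock_overflows(const char *lockfile, int pid, unsigned stamp,
                      const char *sysname)
{
    return tmplock_needed(lockfile, pid, stamp, sysname)
           > strlen(lockfile) + 32 + 1;
}

/* Same check with a constructed hostname of hostlen 'h' characters,
 * capped at 255 to match char sysname[256]. */
int tmplock_overflows_for_hostlen(const char *lockfile, int pid,
                                  size_t hostlen)
{
    char host[256];
    if (hostlen > sizeof host - 1)
        hostlen = sizeof host - 1;
    memset(host, 'h', hostlen);
    host[hostlen] = '\0';
    return tmplock_overflows(lockfile, pid, 7u, host);
}

/* Hardened form: size the allocation from the formatted length itself. */
char *tmplock_name_safe(const char *lockfile, int pid, unsigned stamp,
                        const char *sysname)
{
    const char *slash = strrchr(lockfile, '/');
    size_t prefix = slash ? (size_t)(slash - lockfile) + 1 : 0;
    size_t need = tmplock_needed(lockfile, pid, stamp, sysname);
    char *tmplock = malloc(need);
    if (tmplock == NULL)
        return NULL;
    memcpy(tmplock, lockfile, prefix);
    snprintf(tmplock + prefix, need - prefix, ".lk%05d%x%s",
             pid, stamp & 15u, sysname);
    return tmplock;
}

/* Build the safe name, compare it with expected, free it. */
int tmplock_name_matches(const char *lockfile, int pid, unsigned stamp,
                         const char *sysname, const char *expected)
{
    char *t = tmplock_name_safe(lockfile, pid, stamp, sysname);
    int ok = t != NULL && strcmp(t, expected) == 0;
    free(t);
    return ok;
}

int main(void)
{
    /* PIDs from the thread (1012680, 3722057) plus the boundary cases. */
    int pids[] = { 32767, 999999, 1000000, 1012680, 3722057 };
    char buf[8];
    size_t i;
    for (i = 0; i < sizeof pids / sizeof pids[0]; i++)
        printf("pid %7d needs %zu bytes: buf[8] %s, snprintf -> %d\n",
               pids[i], pid_line_len(pids[i]),
               pid_overflows(pids[i], sizeof buf) ? "overflows" : "fits",
               format_pid_line(buf, sizeof buf, pids[i]));
    printf("/tmp/lockfile, pid 1012680: 29-char host overflows=%d, 30-char=%d\n",
           tmplock_overflows_for_hostlen("/tmp/lockfile", 1012680, 29),
           tmplock_overflows_for_hostlen("/tmp/lockfile", 1012680, 30));
    return 0;
}
```

Two things fall out of running it. First, `buf[8]` holds exactly a 6-digit PID (999999 plus newline plus NUL), so the overflow starts at PID 1000000, which is why the default 5-digit PID space never triggered it and both reporters, with pid_max raised to 4194304, hit it immediately. Second, the `32` in the allocation is not related to `sizeof(sysname)` at all: after `.lk`, a 7-digit PID and the hex nibble are subtracted, the hostname only gets the basename length plus about 21 bytes, so with `/tmp/lockfile` a 30-character hostname already overruns the heap block, well short of the 255 characters `sysname[256]` can hold.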