Bug#961434: baresip-core: stack smashing detected with evdev module
I am uploading a NMU to experimental in order to fix this. Please consider confirming the transition #1055755 so that it can move to unstable.diff -Nru baresip-1.1.0/debian/changelog baresip-1.1.0/debian/changelog --- baresip-1.1.0/debian/changelog 2023-10-14 16:59:36.0 + +++ baresip-1.1.0/debian/changelog 2024-04-10 20:52:08.0 + @@ -1,3 +1,11 @@ +baresip (1.1.0-0.2) experimental; urgency=medium + + * Non-maintainer upload + * Remove OMX support (see #1065623) + * Fix stack smashing (Closes: #961434) + + -- Bastian Germann Wed, 10 Apr 2024 20:52:08 + + baresip (1.1.0-0.1) experimental; urgency=medium * Non-maintainer upload diff -Nru baresip-1.1.0/debian/control baresip-1.1.0/debian/control --- baresip-1.1.0/debian/control2023-10-14 16:59:36.0 + +++ baresip-1.1.0/debian/control2024-04-10 20:52:03.0 + @@ -22,7 +22,6 @@ libmosquitto-dev, libmp3lame-dev, libmpg123-dev, - libomxil-bellagio-dev, libopenaptx-dev, libopencore-amrnb-dev, libopencore-amrwb-dev, diff -Nru baresip-1.1.0/debian/patches/0002_70a7f45.patch baresip-1.1.0/debian/patches/0002_70a7f45.patch --- baresip-1.1.0/debian/patches/0002_70a7f45.patch 1970-01-01 00:00:00.0 + +++ baresip-1.1.0/debian/patches/0002_70a7f45.patch 2024-04-10 20:52:08.0 + 
@@ -0,0 +1,39 @@ +Origin: upstream, 70a7f456668426a2b59911a04bf42f93a3b2bec6 +From: Sebastian Reimers +Date: Mon, 16 May 2022 08:19:14 +0200 +Subject: evdev: fix wrong ioctl size (#1843) + +found and fixed by debian: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961434 +--- + modules/evdev/print.c | 8 + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/modules/evdev/print.c b/modules/evdev/print.c +index f04f4af4e..6571c1f8f 100644 +--- a/modules/evdev/print.c b/modules/evdev/print.c +@@ -42,11 +42,11 @@ void print_name(int fd) + */ + void print_events(int fd) + { +- uint8_t evtype_bitmask[EV_MAX/8 + 1]; ++ uint8_t evbitmask[EV_MAX/8 + 1]; + int i; + +- memset(evtype_bitmask, 0, sizeof(evtype_bitmask)); +- if (ioctl(fd, EVIOCGBIT(0, EV_MAX), evtype_bitmask) < 0) { ++ memset(evbitmask, 0, sizeof(evbitmask)); ++ if (ioctl(fd, EVIOCGBIT(0, sizeof(evbitmask)), evbitmask) < 0) { + warning("evdev: ioctl EVIOCGBIT (%m)\n", errno); + return; + } +@@ -54,7 +54,7 @@ void print_events(int fd) + printf("Supported event types:\n"); + + for (i = 0; i < EV_MAX; i++) { +- if (!test_bit(i, evtype_bitmask)) ++ if (!test_bit(i, evbitmask)) + continue; + + printf(" Event type 0x%02x ", i); diff -Nru baresip-1.1.0/debian/patches/series baresip-1.1.0/debian/patches/series --- baresip-1.1.0/debian/patches/series 2023-10-14 16:59:36.0 + +++ baresip-1.1.0/debian/patches/series 2024-04-10 20:52:08.0 + @@ -1,3 +1,4 @@ +0002_70a7f45.patch 1002_system_header_locations.patch 2001_drop_libre_so_check.patch 2002_test_verbose.patch diff -Nru baresip-1.1.0/debian/rules baresip-1.1.0/debian/rules --- baresip-1.1.0/debian/rules 2023-10-14 16:59:36.0 + +++ baresip-1.1.0/debian/rules 2024-04-10 20:52:08.0 + 
@@ -26,7 +26,7 @@ ffmpeg-mods = avcodec avfilter avformat swscale gstreamer-mods = gst gst_video gtk-mods = gtk -x11-mods = cairo omx pulse rst sdl vidinfo x11 x11grab +x11-mods = cairo pulse rst sdl vidinfo x11 x11grab DEB_MAKE_EXTRA_ARGS = V=1 PREFIX=/usr RELEASE=1 \ EXTRA_MODULES="$(core-mods-extra) avfilter swscale" \
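Review bot: in the 0002_70a7f45.patch hunk the only substantive change is the third argument to EVIOCGBIT: `uint8_t evbitmask[EV_MAX/8 + 1]` is a buffer of EV_MAX/8 + 1 bytes, while `EVIOCGBIT(0, EV_MAX)` told the kernel it had EV_MAX bytes of room, so the kernel could write past the end of the array and trip the stack protector; `EVIOCGBIT(0, sizeof(evbitmask))` caps the copy at the buffer's real size, which is the fix for #961434. The rename evtype_bitmask -> evbitmask is unrelated churn that doubles the hunk, but since the Origin header marks this as upstream commit 70a7f45 carried verbatim, keeping it identical to upstream is the right trade-off for future refreshes; consider adding a `Bug-Debian: https://bugs.debian.org/961434` DEP-3 field next to the Origin/From headers so the patch is self-describing without the body's URL.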
Bug#961434: baresip-core: stack smashing detected with evdev module
Dear Maintainer,

I could reproduce a stack smashing using the evdev module and as far as I see it is triggered because of the wrong memory size given to an ioctl in [1], giving the backtrace in [3]. A brief read of [2] suggests giving, instead of EV_MAX, the size in bytes really available. And a package built with the attached patch does not show the stack smashing anymore.

This stack smashing can also be seen in the current testing version.

Kind regards,
Bernhard

[1] https://github.com/baresip/baresip/blob/master/modules/evdev/print.c#L49
[2] https://stackoverflow.com/questions/14273129/smashed-stack-when-iterating-over-int-pointers

[3]
(gdb) bt
#0  0x77714427 in ioctl () at ../sysdeps/unix/syscall-template.S:78
#1  0x77fc4adf in print_events (fd=) at modules/evdev/print.c:49
#2  0x77fc492a in evdev_alloc (stp=0x77fca198 , dev=0x77fca100 "/dev/input/event0") at modules/evdev/evdev.c:251
#3  module_init () at modules/evdev/evdev.c:325
#4  0x77f93f82 in mod_load (mp=mp@entry=0x7fffd0d8, name=name@entry=0x7fffd0e0 "/usr/lib/baresip/modules/evdev.so") at src/mod/mod.c:137
#5  0x5556ce86 in load_module (modp=modp@entry=0x0, modpath=, name=0x7fffe120) at src/module.c:88
#6  0x5556cf9e in module_handler (val=, arg=) at src/module.c:105
#7  0x77f94811 in conf_apply (conf=conf@entry=0x555ac760, name=name@entry=0x555790c2 "module", ch=ch@entry=0x5556cf90 , arg=arg@entry=0x7fffe380) at src/conf/conf.c:285
#8  0x5556d0c1 in module_init (conf=0x555ac760) at src/module.c:151
#9  0x55569950 in conf_modules () at src/conf.c:385
#10 0xf467 in main (argc=, argv=) at src/main.c:242

Description: Use right size for ioctl
Author: Bernhard Übelacker
Bug-Debian: https://bugs.debian.org/961434
Forwarded: no
Last-Update: 2020-10-15
--- baresip-0.6.1.orig/modules/evdev/print.c
+++ baresip-0.6.1/modules/evdev/print.c
@@ -46,7 +46,7 @@ void print_events(int fd) int i; memset(evtype_bitmask, 0, sizeof(evtype_bitmask)); - if (ioctl(fd, EVIOCGBIT(0, EV_MAX), evtype_bitmask) < 0) { + if (ioctl(fd, EVIOCGBIT(0, sizeof(evtype_bitmask)), evtype_bitmask) < 0) { warning("evdev: ioctl EVIOCGBIT (%m)\n", errno); return; }

# Unstable amd64 qemu VM 2020-10-14

apt update
apt dist-upgrade
apt install systemd-coredump mc htop fakeroot gdb rr baresip baresip-core-dbgsym libre0-dbgsym
apt build-dep libre0
apt build-dep baresip

echo 1 > /proc/sys/kernel/perf_event_paranoid

mkdir /home/benutzer/source/libre0/orig -p
cd /home/benutzer/source/libre0/orig
apt source libre0
cd

mkdir /home/benutzer/source/baresip-core/orig -p
cd /home/benutzer/source/baresip-core/orig
apt source baresip-core
cd

mc -e /home/benutzer/.baresip/accounts # configure account

baresip
d sip:...@fritz.box

benutzer@debian:~$ baresip
baresip v1.0.0 Copyright (C) 2010 - 2020 Alfred E. Heggestad et al.
Local network address: IPv4=ens4|10.0.2.15 IPv6=ens4|fec0::5054:ff:fe12:3456
 aucodec: PCMU/8000/1
 aucodec: PCMA/8000/1
 ausrc: alsa
 auplay: alsa
 medianat: stun
 medianat: turn
 medianat: ice
Populated 1 account
Populated 3 contacts
Populated 2 audio codecs
Populated 0 audio filters
Populated 0 video codecs
Populated 0 video filters
baresip is ready.
>sip:...@fritz.box
ua: using best effort AF: af=AF_INET
call: connecting to 'sip:...@fritz.box'..
*** stack smashing detected ***: terminated
Abgebrochen (Speicherabzug geschrieben)

root@debian:~# journalctl -e
...
Okt 14 17:49:57 debian systemd[1]: Started Process Core Dump (PID 11453/UID 0).
Okt 14 17:49:58 debian systemd-coredump[11454]: Process 11451 (baresip) of user 1000 dumped core.
Stack trace of thread 11451:
#0  0x7f7c802e8c41 __GI_raise (libc.so.6 + 0x3bc41)
#1  0x7f7c802d2537 __GI_abort (libc.so.6 + 0x25537)
#2  0x7f7c8032b6c8 __libc_message (libc.so.6 + 0x7e6c8)
#3  0x7f7c803ba5b2 __GI___fortify_fail (libc.so.6 + 0x10d5b2)
#4  0x7f7c803ba590 __stack_chk_fail (libc.so.6 + 0x10d590)
#5  0x55ccf95ed3da call_connect (baresip + 0x143da)
#6  0x55ccf95fb35c ua_connect (baresip + 0x2235c)
#7  0x7f7c7fdb9e1f n/a (menu.so + 0x4e1f)
#8  0x55ccf95efaa6 n/a (baresip + 0x16aa6)
#9  0x7f7c8067348a n/a (stdio.so + 0x148a)
#10 0x7f7c8063f2dc n/a (libre.so.0 + 0x562dc)
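To make the size arithmetic behind the crash concrete, here is an added example that is not from the bug report or from baresip: it models how the evdev driver's bits_to_user() sizes the EVIOCGBIT copy (whole longs covering the EV_MAX event-type bits, capped at the size encoded in the request) and compares that with the 4-byte evtype_bitmask array from print.c. The ioctl number layout is reproduced locally so it compiles without kernel headers, and the size of a long is passed explicitly (8 on amd64).

```c
/* Added example, not from the bug report or from baresip: models the size
 * arithmetic of the EVIOCGBIT request so the overrun in print.c is visible. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EV_MAX 0x1f  /* value from <linux/input-event-codes.h> */
/* ioctl number layout as in <asm-generic/ioctl.h> (dir:2 | size:14 | type:8 | nr:8),
 * reproduced locally so the block compiles without kernel headers. */
#define IOC_TYPESHIFT 8
#define IOC_SIZESHIFT 16
#define IOC_DIRSHIFT  30
#define IOC_SIZEMASK  ((1UL << 14) - 1)
#define IOC_READ      2UL

/* EVIOCGBIT(ev, len): the third argument becomes the request's size field. */
static unsigned long eviocgbit(unsigned ev, unsigned long len)
{
	return (IOC_READ << IOC_DIRSHIFT) | ((unsigned long)'E' << IOC_TYPESHIFT)
	     | (0x20UL + ev) | ((len & IOC_SIZEMASK) << IOC_SIZESHIFT);
}

/* Bytes the kernel writes for EVIOCGBIT(0, len) (evdev bits_to_user()): whole
 * longs covering EV_MAX bits, capped at the size the request advertises.
 * long_size is passed explicitly (8 on amd64, 4 for 32-bit userspace). */
static size_t kernel_copy_len(unsigned long cmd, size_t long_size)
{
	size_t len = (EV_MAX + 8 * long_size - 1) / (8 * long_size) * long_size;
	size_t maxlen = (cmd >> IOC_SIZESHIFT) & IOC_SIZEMASK;
	return len > maxlen ? maxlen : len;
}

/* How far past a buf_size-byte buffer the copy lands (0 means it fits). */
static size_t overflow_bytes(size_t buf_size, unsigned long cmd, size_t long_size)
{
	size_t n = kernel_copy_len(cmd, long_size);
	return n > buf_size ? n - buf_size : 0;
}

int main(void)
{
	uint8_t evtype_bitmask[EV_MAX / 8 + 1];  /* 4 bytes, as declared in print.c */
	size_t buf = sizeof evtype_bitmask;
	printf("EVIOCGBIT(0, EV_MAX):     %zu bytes past the buffer\n",
	       overflow_bytes(buf, eviocgbit(0, EV_MAX), sizeof(long)));
	printf("EVIOCGBIT(0, sizeof buf): %zu bytes past the buffer\n",
	       overflow_bytes(buf, eviocgbit(0, buf), sizeof(long)));
	return 0;
}
```

With 8-byte longs the unfixed request lets the kernel copy 8 bytes into the 4-byte array, which is exactly the overrun the stack protector reports; with 4-byte longs the copy is 4 bytes and fits, so 32-bit builds would not have shown the abort.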
Bug#961434: baresip-core: stack smashing detected with evdev module
Package: baresip-core
Version: 0.6.1-1
Severity: normal

-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (185, 'stable'), (183, 'stable-updates'), (175, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE=ru_RU:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages baresip-core depends on:
ii  libasound2                        1.1.8-1
ii  libavahi-client3                  0.7-4+b1
ii  libavahi-common3                  0.7-4+b1
ii  libc6                             2.30-4
ii  libcodec2-0.8.1                   0.8.1-2
ii  libdirectfb-1.7-7                 1.7.7-9
ii  libgsm1                           1.0.18-2
ii  libjack-jackd2-0 [libjack-0.125]  1.9.12~dfsg-2
ii  libmosquitto1                     1.5.7-1+deb10u1
ii  libmpg123-0                       1.25.10-2
ii  libopencore-amrnb0                0.1.3-2.1+b2
ii  libopencore-amrwb0                0.1.3-2.1+b2
ii  libopus0                          1.3-1
ii  libpng16-16                       1.6.36-6
ii  libportaudio2                     19.6.0-1
ii  libre0                            0.6.0-2
ii  librem0                           0.6.0-1
ii  libsndfile1                       1.0.28-6
ii  libsndio7.0                       1.5.0-3
ii  libspandsp2                       0.0.6+dfsg-2
ii  libspeexdsp1                      1.2~rc1.2-1+b2
ii  libssl1.1                         1.1.1d-0+deb10u3
ii  libtwolame0                       0.3.13-4
ii  libvo-amrwbenc0                   0.1.3-1+b1
ii  libvpx5                           1.7.0-3+deb10u1
ii  zlib1g                            1:1.2.11.dfsg-1

Versions of packages baresip-core recommends:
pn  avahi-daemon  <none>

Versions of packages baresip-core suggests:
ii  baresip-ffmpeg     0.6.1-1
pn  baresip-gstreamer  <none>
ii  baresip-gtk        0.6.1-1
pn  baresip-x11        <none>

-- no debconf information