Bug#961434: baresip-core: stack smashing detected with evdev module

2024-04-10 Thread Bastian Germann

I am uploading an NMU to experimental in order to fix this.
Please consider confirming the transition #1055755 so that it can move to 
unstable.
diff -Nru baresip-1.1.0/debian/changelog baresip-1.1.0/debian/changelog
--- baresip-1.1.0/debian/changelog  2023-10-14 16:59:36.0 +
+++ baresip-1.1.0/debian/changelog  2024-04-10 20:52:08.0 +
@@ -1,3 +1,11 @@
+baresip (1.1.0-0.2) experimental; urgency=medium
+
+  * Non-maintainer upload
+  * Remove OMX support (see #1065623)
+  * Fix stack smashing (Closes: #961434)
+
+ -- Bastian Germann   Wed, 10 Apr 2024 20:52:08 +
+
 baresip (1.1.0-0.1) experimental; urgency=medium
 
   * Non-maintainer upload
diff -Nru baresip-1.1.0/debian/control baresip-1.1.0/debian/control
--- baresip-1.1.0/debian/control2023-10-14 16:59:36.0 +
+++ baresip-1.1.0/debian/control2024-04-10 20:52:03.0 +
@@ -22,7 +22,6 @@
  libmosquitto-dev,
  libmp3lame-dev,
  libmpg123-dev,
- libomxil-bellagio-dev,
  libopenaptx-dev,
  libopencore-amrnb-dev,
  libopencore-amrwb-dev,
diff -Nru baresip-1.1.0/debian/patches/0002_70a7f45.patch 
baresip-1.1.0/debian/patches/0002_70a7f45.patch
--- baresip-1.1.0/debian/patches/0002_70a7f45.patch 1970-01-01 
00:00:00.0 +
+++ baresip-1.1.0/debian/patches/0002_70a7f45.patch 2024-04-10 
20:52:08.0 +
@@ -0,0 +1,39 @@
+Origin: upstream, 70a7f456668426a2b59911a04bf42f93a3b2bec6
+From: Sebastian Reimers 
+Date: Mon, 16 May 2022 08:19:14 +0200
+Subject: evdev: fix wrong ioctl size (#1843)
+
+found and fixed by debian:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961434
+---
+ modules/evdev/print.c | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/modules/evdev/print.c b/modules/evdev/print.c
+index f04f4af4e..6571c1f8f 100644
+--- a/modules/evdev/print.c
 b/modules/evdev/print.c
+@@ -42,11 +42,11 @@ void print_name(int fd)
+  */
+ void print_events(int fd)
+ {
+-  uint8_t evtype_bitmask[EV_MAX/8 + 1];
++  uint8_t evbitmask[EV_MAX/8 + 1];
+   int i;
+ 
+-  memset(evtype_bitmask, 0, sizeof(evtype_bitmask));
+-  if (ioctl(fd, EVIOCGBIT(0, EV_MAX), evtype_bitmask) < 0) {
++  memset(evbitmask, 0, sizeof(evbitmask));
++  if (ioctl(fd, EVIOCGBIT(0, sizeof(evbitmask)), evbitmask) < 0) {
+   warning("evdev: ioctl EVIOCGBIT (%m)\n", errno);
+   return;
+   }
+@@ -54,7 +54,7 @@ void print_events(int fd)
+   printf("Supported event types:\n");
+ 
+   for (i = 0; i < EV_MAX; i++) {
+-  if (!test_bit(i, evtype_bitmask))
++  if (!test_bit(i, evbitmask))
+   continue;
+ 
+   printf("  Event type 0x%02x ", i);
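Review bot: The fix on the `ioctl(fd, EVIOCGBIT(0, sizeof(evbitmask)), evbitmask)` line is correct but undocumented: EVIOCGBIT's second argument is the byte length of the destination buffer, and passing `EV_MAX` (a bit index) let the kernel write up to EV_MAX bytes into an `EV_MAX/8 + 1`-byte stack array, which is the overflow behind the reported stack-smashing abort. I would add `/* EVIOCGBIT len is the buffer size in bytes, not a bit count */` above that line so nobody later "restores" the bit count. Any other ioctl in this module that takes a length argument (EVIOCGBIT for the per-type masks, EVIOCGKEY, EVIOCGLED) and passes a *_MAX constant would have the same hazard; the rest of print.c is outside this hunk, so it is worth a check before the transition to unstable. As rendered here the nested `+++ b/modules/evdev/print.c` header line is missing its leading `+` marker; if the patch file on disk reads the same way quilt will not apply it, though this is probably a page-extraction artefact. Bernhard's original patch further down in this report makes the same one-line change, and this note covers it too.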
diff -Nru baresip-1.1.0/debian/patches/series 
baresip-1.1.0/debian/patches/series
--- baresip-1.1.0/debian/patches/series 2023-10-14 16:59:36.0 +
+++ baresip-1.1.0/debian/patches/series 2024-04-10 20:52:08.0 +
@@ -1,3 +1,4 @@
+0002_70a7f45.patch
 1002_system_header_locations.patch
 2001_drop_libre_so_check.patch
 2002_test_verbose.patch
diff -Nru baresip-1.1.0/debian/rules baresip-1.1.0/debian/rules
--- baresip-1.1.0/debian/rules  2023-10-14 16:59:36.0 +
+++ baresip-1.1.0/debian/rules  2024-04-10 20:52:08.0 +
@@ -26,7 +26,7 @@
 ffmpeg-mods = avcodec avfilter avformat swscale
 gstreamer-mods = gst gst_video
 gtk-mods = gtk
-x11-mods = cairo omx pulse rst sdl vidinfo x11 x11grab
+x11-mods = cairo pulse rst sdl vidinfo x11 x11grab
 
 DEB_MAKE_EXTRA_ARGS = V=1 PREFIX=/usr RELEASE=1 \
EXTRA_MODULES="$(core-mods-extra) avfilter swscale" \


Bug#961434: baresip-core: stack smashing detected with evdev module

2020-10-15 Thread Bernhard Übelacker
Dear Maintainer,
I could reproduce a stack smashing using the evdev module and, as far
as I can see, it is triggered by the wrong memory size given to
an ioctl in [1], giving the backtrace in [3].

A brief read of [2] suggests passing, instead of EV_MAX, the size in bytes
that is actually available. A package built with the attached patch does not
show the stack smashing anymore.

This stack smashing can also be seen in the current testing version.

Kind regards,
Bernhard


[1] https://github.com/baresip/baresip/blob/master/modules/evdev/print.c#L49

[2] 
https://stackoverflow.com/questions/14273129/smashed-stack-when-iterating-over-int-pointers

[3]
(gdb) bt
#0  0x77714427 in ioctl () at ../sysdeps/unix/syscall-template.S:78
#1  0x77fc4adf in print_events (fd=) at 
modules/evdev/print.c:49
#2  0x77fc492a in evdev_alloc (stp=0x77fca198 , 
dev=0x77fca100  "/dev/input/event0") at 
modules/evdev/evdev.c:251
#3  module_init () at modules/evdev/evdev.c:325
#4  0x77f93f82 in mod_load (mp=mp@entry=0x7fffd0d8, 
name=name@entry=0x7fffd0e0 "/usr/lib/baresip/modules/evdev.so") at 
src/mod/mod.c:137
#5  0x5556ce86 in load_module (modp=modp@entry=0x0, modpath=, name=0x7fffe120) at src/module.c:88
#6  0x5556cf9e in module_handler (val=, arg=) at src/module.c:105
#7  0x77f94811 in conf_apply (conf=conf@entry=0x555ac760, 
name=name@entry=0x555790c2 "module", ch=ch@entry=0x5556cf90 
, arg=arg@entry=0x7fffe380) at src/conf/conf.c:285
#8  0x5556d0c1 in module_init (conf=0x555ac760) at src/module.c:151
#9  0x55569950 in conf_modules () at src/conf.c:385
#10 0xf467 in main (argc=, argv=) at 
src/main.c:242
Description: Use right size for ioctl

Author: Bernhard Übelacker 
Bug-Debian: https://bugs.debian.org/961434
Forwarded: no
Last-Update: 2020-10-15

--- baresip-0.6.1.orig/modules/evdev/print.c
+++ baresip-0.6.1/modules/evdev/print.c
@@ -46,7 +46,7 @@ void print_events(int fd)
 	int i;
 
 	memset(evtype_bitmask, 0, sizeof(evtype_bitmask));
-	if (ioctl(fd, EVIOCGBIT(0, EV_MAX), evtype_bitmask) < 0) {
+	if (ioctl(fd, EVIOCGBIT(0, sizeof(evtype_bitmask)), evtype_bitmask) < 0) {
 		warning("evdev: ioctl EVIOCGBIT (%m)\n", errno);
 		return;
 	}


# Unstable amd64 qemu VM 2020-10-14


apt update
apt dist-upgrade


apt install systemd-coredump mc htop fakeroot gdb rr baresip 
baresip-core-dbgsym libre0-dbgsym
apt build-dep libre0
apt build-dep baresip
echo 1 > /proc/sys/kernel/perf_event_paranoid




mkdir /home/benutzer/source/libre0/orig -p
cd /home/benutzer/source/libre0/orig
apt source libre0
cd

mkdir /home/benutzer/source/baresip-core/orig -p
cd /home/benutzer/source/baresip-core/orig
apt source baresip-core
cd



mc -e /home/benutzer/.baresip/accounts
# configure account



baresip
d
sip:...@fritz.box



benutzer@debian:~$ baresip
baresip v1.0.0 Copyright (C) 2010 - 2020 Alfred E. Heggestad et al.
Local network address:  IPv4=ens4|10.0.2.15  IPv6=ens4|fec0::5054:ff:fe12:3456
aucodec: PCMU/8000/1
aucodec: PCMA/8000/1
ausrc: alsa
auplay: alsa
medianat: stun
medianat: turn
medianat: ice
Populated 1 account
Populated 3 contacts
Populated 2 audio codecs
Populated 0 audio filters
Populated 0 video codecs
Populated 0 video filters
baresip is ready.
>sip:...@fritz.box
ua: using best effort AF: af=AF_INET
call: connecting to 'sip:...@fritz.box'..
*** stack smashing detected ***: terminated
Abgebrochen (Speicherabzug geschrieben)



root@debian:~# journalctl -e
...
Okt 14 17:49:57 debian systemd[1]: Started Process Core Dump (PID 11453/UID 0).
Okt 14 17:49:58 debian systemd-coredump[11454]: Process 11451 (baresip) of user 
1000 dumped core.

Stack trace of thread 11451:
#0  0x7f7c802e8c41 
__GI_raise (libc.so.6 + 0x3bc41)
#1  0x7f7c802d2537 
__GI_abort (libc.so.6 + 0x25537)
#2  0x7f7c8032b6c8 
__libc_message (libc.so.6 + 0x7e6c8)
#3  0x7f7c803ba5b2 
__GI___fortify_fail (libc.so.6 + 0x10d5b2)
#4  0x7f7c803ba590 
__stack_chk_fail (libc.so.6 + 0x10d590)
#5  0x55ccf95ed3da 
call_connect (baresip + 0x143da)
#6  0x55ccf95fb35c 
ua_connect (baresip + 0x2235c)
#7  0x7f7c7fdb9e1f n/a 
(menu.so + 0x4e1f)
#8  0x55ccf95efaa6 n/a 
(baresip + 0x16aa6)
#9  0x7f7c8067348a n/a 
(stdio.so + 0x148a)
#10 0x7f7c8063f2dc n/a 
(libre.so.0 + 0x562dc)
   

Bug#961434: baresip-core: stack smashing detected with evdev module

2020-05-24 Thread Alexander Inyukhin
Package: baresip-core
Version: 0.6.1-1
Severity: normal



-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (185, 'stable'), (183, 'stable-updates'), (175, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), 
LANGUAGE=ru_RU:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages baresip-core depends on:
ii  libasound21.1.8-1
ii  libavahi-client3  0.7-4+b1
ii  libavahi-common3  0.7-4+b1
ii  libc6 2.30-4
ii  libcodec2-0.8.1   0.8.1-2
ii  libdirectfb-1.7-7 1.7.7-9
ii  libgsm1   1.0.18-2
ii  libjack-jackd2-0 [libjack-0.125]  1.9.12~dfsg-2
ii  libmosquitto1 1.5.7-1+deb10u1
ii  libmpg123-0   1.25.10-2
ii  libopencore-amrnb00.1.3-2.1+b2
ii  libopencore-amrwb00.1.3-2.1+b2
ii  libopus0  1.3-1
ii  libpng16-16   1.6.36-6
ii  libportaudio2 19.6.0-1
ii  libre00.6.0-2
ii  librem0   0.6.0-1
ii  libsndfile1   1.0.28-6
ii  libsndio7.0   1.5.0-3
ii  libspandsp2   0.0.6+dfsg-2
ii  libspeexdsp1  1.2~rc1.2-1+b2
ii  libssl1.1 1.1.1d-0+deb10u3
ii  libtwolame0   0.3.13-4
ii  libvo-amrwbenc0   0.1.3-1+b1
ii  libvpx5   1.7.0-3+deb10u1
ii  zlib1g1:1.2.11.dfsg-1

Versions of packages baresip-core recommends:
pn  avahi-daemon  

Versions of packages baresip-core suggests:
ii  baresip-ffmpeg 0.6.1-1
pn  baresip-gstreamer  
ii  baresip-gtk0.6.1-1
pn  baresip-x11

-- no debconf information