On Thu, Nov 06, 2008 at 02:41:31PM +0100, Denys Vlasenko wrote:
> On Thu, 2008-11-06 at 14:24 +0300, Dmitry V. Levin wrote:
> > On Wed, Nov 05, 2008 at 07:18:45PM +0100, Denys Vlasenko wrote:
> > > On Wed, 2008-11-05 at 15:16 +0100, Denys Vlasenko wrote:
> > > > Before this patch, -s N shows N+1 chars in strings.
> > > > More annoyingly, it shows this for shorter strings:
> > > >
> > > > write(1, "hi\n"..., 3) = 3
> > > >
> > > > After patch:
> > > >
> > > > write(1, "hi\n", 3) = 3
> > > >
> > > > Patch author is Jeff Bastian [EMAIL PROTECTED]
> > > >
> > > > Patch is below. Please apply.
> > >
> > > It appears that the bug this patch fixes causes buffer overruns
> > > and corrupts memory since we malloc just enough space for N chars
> > > + NUL but then try to stuff N+1 chars + NUL there.
> > >
> > > See https://bugzilla.redhat.com/show_bug.cgi?id=466877
> >
> > This bug is not available for public access.
>
> Hmmm yes, whoever created it was probably feeling too paranoid...
>
> But the bug itself is not secret at all, it's just "strace -Tdf firefox"
> crashing...
Whoever created this bug report is correct: if strace can be crashed by an
application, then this issue could be considered security sensitive.

> This is what I wrote in that bug's comment:
>
> ===========================
> Non-deterministic, happens in about half of runs.
>
> strace -f firefox seems to be enough. Adding -T and -d might make it
> happen more frequently, I didn't perform statistical analysis. :)
>
> Vanilla (built from source tarball locally) strace-4.5.17 exhibits it
> too, although it does not print glibc malloc debug assertion, it just
> segfaults. Understandable, since it seems to be a case of memory
> corruption.
> ============================

Indeed, unpatched printstr() may write up to 4 bytes beyond the heap buffer
bounds, which may lead to memory corruption etc.

There is a simple reproducer:

$ strace -o /dev/null -qxxf sh -c 'for i in `seq 0 1`; do echo -n 123456789012345678901234567890123456789012345678901234567890123456789012345678901;ls /;done' >/dev/null
Segmentation fault

That is, an application may perform a specially crafted sequence of syscalls
which will result in predicted malloc's, free's and invalid writes in the
strace process and cause a controllable strace crash or maybe even more
interesting things.

I committed the fix.

-- 
ldv
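As an added illustration, not strace's own printstr() and not part of this thread: a simplified model of a "copy at most -s N bytes of a tracee string, mark truncation with ..." helper, showing the two defects the thread describes beside the corrected form. The buggy variant writes into an oversized scratch buffer and reports how many bytes it stored, so the overrun past the N+1-byte allocation is measured rather than triggered. The function and field names are assumptions.

```c
/* Simplified model of an strace-style "copy at most -s N bytes of a tracee
 * string, mark truncation with ..." helper.  NOT strace's own printstr(): it
 * just reproduces the two symptoms from the thread so the fix can be checked. */
#include <stdio.h>
#include <string.h>

struct fmt_result {
    size_t stored;   /* bytes written to dst, including the terminating NUL */
    int ellipsis;    /* 1 if the caller should print "..." after the string */
};

/* Buggy shape: "<=" keeps max+1 bytes, one more than the max+1-byte (N chars
 * + NUL) allocation the thread describes, and "..." is inferred from "no NUL
 * among the copied bytes" although the exact length was passed in.  dst is an
 * oversized scratch buffer so the overrun is measured via .stored, not done. */
struct fmt_result copy_str_buggy(const char *src, size_t srclen, size_t max, char *dst)
{
    struct fmt_result r = {0, 0};
    size_t i;
    for (i = 0; i <= max && i < srclen; i++)     /* off by one: should be i < max */
        dst[i] = src[i];
    dst[i] = '\0';
    r.stored = i + 1;
    r.ellipsis = (i > 0 && src[i - 1] != '\0');  /* write(1, "hi\n", 3) gets "..." */
    return r;
}

/* Fixed shape: at most max bytes, so max+1 always fits; "..." only when dropped. */
struct fmt_result copy_str_fixed(const char *src, size_t srclen, size_t max, char *dst)
{
    struct fmt_result r = {0, 0};
    size_t n = srclen < max ? srclen : max;
    memcpy(dst, src, n);
    dst[n] = '\0';
    r.stored = n + 1;
    r.ellipsis = srclen > max;
    return r;
}

int main(void)
{
    char scratch[128];                                     /* oversized on purpose */
    const char *s40 = "0123456789012345678901234567890123456789"; /* 40 bytes, constructed */
    struct fmt_result b = copy_str_buggy(s40, 40, 32, scratch), f = copy_str_fixed(s40, 40, 32, scratch);
    printf("-s 32, 40 bytes: buggy stored %zu (overflow=%d), fixed stored %zu\n", b.stored, b.stored > 33, f.stored);
    b = copy_str_buggy("hi\n", 3, 32, scratch);
    f = copy_str_fixed("hi\n", 3, 32, scratch);
    printf("write(1, \"hi\\n\", 3): buggy ellipsis=%d, fixed ellipsis=%d\n", b.ellipsis, f.ellipsis);
    return 0;
}
```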
_______________________________________________ Strace-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/strace-devel
