I am thankful for strace.
Yesterday I found a bug in strace; I guess this is a stack buffer
overflow.

So I am reporting it. Thank you.


Tested versions: strace-4.9, strace-4.8
Environment: Ubuntu 14.04.1 LTS x86_64
Details:

stack buffer overflow in startup_child() strace.c

The input length check can be bypassed using a long string that contains no '/',
and the strcpy() call in the PATH concatenation code then starts to
overwrite stack data.

-------------- TEST PAYLOAD

abc@ubuntu:~/strace-4.9$ ./strace `perl -e 'print "a"x5042'`
Segmentation fault

-------------- BELOW is GDB output

(gdb) r `perl -e 'print "a"x5042'`

Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`



Program received signal SIGSEGV, Segmentation fault.

__GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59
"LANGUAGE") at getenv.c:85
85      getenv.c: No such file or directory.

(gdb) bt

#0  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59
"LANGUAGE") at getenv.c:85
#1  0x00007fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3
<_nl_category_names+51> "LC_MESSAGES", category=5)
    at dcigettext.c:1372
#2  __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc",
msgid1=0x7fe3b81081ac "File name too long",
    msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0,
category=category@entry=5) at dcigettext.c:573
#3  0x00007fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>,
msgid=<optimized out>, category=category@entry=5)
    at dcgettext.c:52
#4  0x00007fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36,
buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
#5  0x00007fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
#6  0x000000000041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da
"Can't stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
#7  0x000000000041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't
stat '%s'") at strace.c:323
#8  0x000000000041371e in startup_child (argv=0x7fff6b28f160) at
strace.c:1220
#9  0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()
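The report describes a PATH-search loop whose length check only covers part of the concatenated path, so a long name without a '/' reaches an unbounded strcpy() into a stack buffer. The block below is an added example, not strace's own code or the project's fix: it shows the bounded form of that concatenation, checking the full "<dir>/<name>" length before any byte is written and rejecting an overlong name up front regardless of whether it contains a '/'. The names join_path, search_path_safe, fake_exists and overlong_name_is_rejected are assumptions made for this illustration; fake_exists is a constructed predicate standing in for the stat() call so the search runs offline, and the 5042-byte name matches the report's test payload.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Added example, not strace's code: build "<dir>/<filename>" into out,
 * writing nothing if the complete result would not fit. dir is a slice of
 * $PATH that is not NUL-terminated, so its length is passed explicitly.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
int join_path(const char *dir, size_t dirlen, const char *filename,
              char *out, size_t outsz)
{
    size_t flen = strlen(filename);
    size_t slash = (dirlen > 0 && dir[dirlen - 1] != '/') ? 1 : 0;

    /* Check the whole concatenation (dir + '/' + name + NUL), not just the
     * directory part; bounding one piece leaves the copy of the other
     * piece unchecked, which is the bug class the report describes. */
    if (dirlen + slash + flen + 1 > outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, dir, dirlen);
    if (slash)
        out[dirlen] = '/';
    memcpy(out + dirlen + slash, filename, flen + 1); /* flen + 1 copies the NUL */
    return 0;
}

/* Walk a colon-separated path list and return the first candidate that
 * `exists` accepts. `exists` is a hypothetical predicate standing in for
 * stat(), passed as a parameter so the search can run offline.
 * Returns 0 and fills out on success, -1 with errno set otherwise. */
int search_path_safe(const char *path, const char *filename,
                     int (*exists)(const char *), char *out, size_t outsz)
{
    /* Reject an overlong name before any copy, with or without a '/'. */
    if (strlen(filename) >= outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (strchr(filename, '/')) {
        /* Explicit path: no search, but still a bounded copy. */
        if (join_path("", 0, filename, out, outsz) == 0 && exists(out))
            return 0;
        errno = ENOENT;
        return -1;
    }
    if (path == NULL) {
        errno = ENOENT;
        return -1;
    }
    for (;;) {
        const char *colon = strchr(path, ':');
        size_t span = colon ? (size_t)(colon - path) : strlen(path);
        const char *dir = path;
        size_t n = span;

        if (span == 0) { /* an empty entry means the current directory */
            dir = ".";
            n = 1;
        }
        /* A candidate that would not fit is skipped, never truncated. */
        if (join_path(dir, n, filename, out, outsz) == 0 && exists(out))
            return 0;
        if (colon == NULL)
            break;
        path = colon + 1;
    }
    errno = ENOENT;
    return -1;
}

/* Constructed predicate: pretend that only /usr/bin/ls exists. */
int fake_exists(const char *candidate)
{
    return strcmp(candidate, "/usr/bin/ls") == 0;
}

/* Feed the report's input shape (5042 bytes, no '/') to the safe search and
 * return 1 if it is refused with ENAMETOOLONG instead of being copied. */
int overlong_name_is_rejected(void)
{
    char name[5043];
    char out[PATH_MAX];

    memset(name, 'a', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    errno = 0;
    return search_path_safe("/bin:/usr/bin", name, fake_exists,
                            out, sizeof out) == -1 && errno == ENAMETOOLONG;
}

int main(void)
{
    char out[PATH_MAX];

    if (search_path_safe("/bin:/usr/bin", "ls", fake_exists, out, sizeof out) == 0)
        printf("found: %s\n", out);
    printf("5042-byte name rejected: %d\n", overlong_name_is_rejected());
    return 0;
}
```

The design point is that the size test is made once against the final string length (directory, separator, name and terminator together) rather than against one component, and that an entry which does not fit is skipped rather than written with a truncating copy; a caller that needs the real behaviour swaps the predicate for a stat() wrapper.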
_______________________________________________
Strace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/strace-devel