Different examples
#8 0x00007ffff793ed35 in __GI___strcpy_chk (dest=0x7fffffffbdbe "",
src=0x7fffffffbddc "S1LP1", destlen=4) at ./debug/strcpy_chk.c:30
#8 0x00007ffff793e4b5 in __GI___strcpy_chk (dest=0x7fffffffbdae "",
src=0x7fffffffbdcc "hwe0003.191", destlen=10) at ./debug/strcpy_chk.c:30
See how destlen is too short by at least one byte in each case?
Debugging this together, we found that the s390x FTP server delivers a path
which is neither absolute nor really relative.
BTW, we can reproduce the break with debug info enabled, which helps debugging.
To do so we need to keep -O2 and all the LTO and extra fortification flags (the fortified strcpy is what turns the overrun into the abort seen below).
It delivers this:
(gdb) p path2
$5 = 0x7fffffffbc40 "HWE0003.191/S1LP1"
The lftp code then prepends "~/", and that prefix goes into the re-assembled
tokenized string, which overruns the buffer that was sized for the original path only (compare destlen=4 in the trace below against the 6 bytes "S1LP1" plus its terminator needs).
This fails only when !AbsolutePath(path), i.e. when the path is not absolute.
Dirty fix which worked when tried:
instead of
char *path2=alloca_strdup(path); // to re-assemble
use
char *path2=alloca_strdup2(path,2); // to re-assemble + add space for potential ~/
^^ code suggestion credit goes to Jonas Jelten
See:
Breakpoint 1, Ftp::SendCWD (this=this@entry=0x555555741b50,
path=path@entry=0x5555557ad7b0 "HWE0003.191/S1LP1", path_url=0x0,
c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/ftpclass.cc:622
622 {
(gdb) n
624 if(QueryTriBool("ftp:use-tvfs",0,conn->tvfs_supported)) {
(gdb) n
628 } else if(path_url) {
(gdb)
653 char *path1=alloca_strdup(path); // to split it
(gdb)
654 char *path2=alloca_strdup(path); // to re-assemble
(gdb) p path1
$3 = 0x7fffffffbc60 "HWE0003.191/S1LP1"
(gdb) p path2
$4 = <optimized out>
(gdb) n
655 if(AbsolutePath(path)) {
(gdb) p path2
$5 = 0x7fffffffbc40 "HWE0003.191/S1LP1"
(gdb) n
687 strcpy(path2,"~");
(gdb)
688 if(path1[0]=='~') {
(gdb) p path2
$6 = 0x7fffffffbc40 "~"
(gdb) n
694 if(real_cwd && strcmp(real_cwd,"~")
(gdb) p real_cwd
$7 = {<xstring0> = {buf = 0x55555575f2e0 "HWE0003.191"}, size = 12, len = 11}
(gdb) n
695 && (!home.path || strcmp(real_cwd,home.path))) {
(gdb) n
701 int path2_len=strlen(path2);
(gdb) p path2_len
$8 = <optimized out>
(gdb) p path2
$9 = 0x7fffffffbc40 "~"
(gdb) n
702 for(char *dir=strtok(path1,"/"); dir; dir=strtok(NULL,"/")) {
(gdb) p path2_len
$10 = 1
(gdb) p path1
$11 = 0x7fffffffbc60 "HWE0003.191/S1LP1"
(gdb) n
703 if(path2_len>0 && path2[path2_len-1]!='/') {
(gdb) n
704 strcpy(path2+path2_len,"/");
(gdb) n
705 path2_len++;
(gdb) n
707 strcpy(path2+path2_len,dir);
(gdb) p path2_len
$12 = 2
(gdb) p path2
$13 = 0x7fffffffbc40 "~/"
(gdb) p dir
$14 = 0x7fffffffbc60 "HWE0003.191"
(gdb) n
708 path2_len+=strlen(dir);
(gdb) n
Ftp::SendCWD (this=this@entry=0x555555741b50, path=path@entry=0x5555557ad7b0
"HWE0003.191/S1LP1", path_url=<optimized out>,
c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/Ref.h:37
37 T *operator->() const { return ptr; }
(gdb) return
Make Ftp::SendCWD(char const*, char const*, Ftp::Expect::expect_t) return now?
(y or n) n
Not confirmed
(gdb) n
Ftp::SendCWD (this=this@entry=0x555555741b50, path=path@entry=0x5555557ad7b0
"HWE0003.191/S1LP1", path_url=<optimized out>,
c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/ftpclass.cc:710
710 expect->Push(new Expect(Expect::CWD_CURR,path2));
(gdb) n
702 for(char *dir=strtok(path1,"/"); dir; dir=strtok(NULL,"/")) {
(gdb) n
703 if(path2_len>0 && path2[path2_len-1]!='/') {
(gdb) p path2_len
$15 = 13
(gdb) p dir
$16 = 0x7fffffffbc6c "S1LP1"
(gdb) p path2
$17 = 0x7fffffffbc40 "~/HWE0003.191"
(gdb) n
704 strcpy(path2+path2_len,"/");
(gdb) n
705 path2_len++;
(gdb) n
707 strcpy(path2+path2_len,dir);
(gdb) p path2_len
$18 = 14
(gdb) p path2
$19 = 0x7fffffffbc40 "~/HWE0003.191/"
(gdb) p dir
$20 = 0x7fffffffbc6c "S1LP1"
(gdb) n
*** buffer overflow detected ***: terminated
Program received signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file
./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at
./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0)
at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (threadid=<optimized out>, signo=6) at
./nptl/pthread_kill.c:89
#2 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at
./nptl/pthread_kill.c:100
#3 0x00007ffff784279e in __GI_raise (sig=sig@entry=6) at
../sysdeps/posix/raise.c:26
#4 0x00007ffff78258cd in __GI_abort () at ./stdlib/abort.c:73
#5 0x00007ffff7826909 in __libc_message_impl (fmt=fmt@entry=0x7ffff79d879a
"*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:134
#6 0x00007ffff793d8f9 in __GI___fortify_fail (msg=msg@entry=0x7ffff79d8781
"buffer overflow detected") at ./debug/fortify_fail.c:24
#7 0x00007ffff793d274 in __GI___chk_fail () at ./debug/chk_fail.c:28
#8 0x00007ffff793ed35 in __GI___strcpy_chk (dest=0x7fffffffbc4e "",
src=0x7fffffffbc6c "S1LP1", destlen=4) at ./debug/strcpy_chk.c:30
#9 0x0000555555640920 in strcpy (__dest=<optimized out>, __src=<optimized
out>, __dest=<optimized out>, __src=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:81
#10 Ftp::SendCWD (this=this@entry=0x555555741b50,
path=path@entry=0x5555557ad7b0 "HWE0003.191/S1LP1", path_url=<optimized out>,
c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/ftpclass.cc:707
#11 0x00005555556471a4 in Ftp::Do (this=0x555555741b50) at
/root/lftp-4.9.2/src/xstring.h:115
#12 0x0000555555608a5a in SMTask::Roll (task=0x555555741b50) at
/root/lftp-4.9.2/src/SMTask.cc:171
#13 SMTask::Roll (task=0x555555741b50) at /root/lftp-4.9.2/src/SMTask.cc:165
#14 0x00005555555b7ba5 in SMTask::Roll (this=<optimized out>, this=<optimized
out>) at /root/lftp-4.9.2/src/SMTask.h:123
#15 CmdExec::builtin_cd (this=0x555555732810) at
/root/lftp-4.9.2/src/commands.cc:642
#16 0x00005555555abd62 in CmdExec::exec_parsed_command
(this=this@entry=0x555555732810) at /root/lftp-4.9.2/src/CmdExec.cc:237
#17 0x00005555555ae875 in CmdExec::Do (this=0x555555732810) at
/root/lftp-4.9.2/src/CmdExec.cc:500
#18 0x0000555555608b95 in SMTask::ScheduleThis (this=0x555555732810) at
/root/lftp-4.9.2/src/SMTask.cc:209
#19 0x000055555560c52a in SMTask::Schedule () at
/root/lftp-4.9.2/src/SMTask.cc:248
#20 0x00005555555a842d in Job::WaitDone (this=0x555555732810) at
/root/lftp-4.9.2/src/Job.cc:557
#21 0x00005555555a1cef in main (argc=4, argv=0x7fffffffe228) at
/root/lftp-4.9.2/src/SMTask.h:164
https://bugs.launchpad.net/bugs/2091440
Title:
[UBUNTU 24.10] lftp: buffer overflow detected when accessing z/VM FTP
server and changing the directory