
#24 acpid buffer overflow

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2011-10-15
Created: 2011-10-15
Creator: Anonymous
Private: No

fancy buffer in acpid by rfdslabs - rafaelsilva@rfdslabs.com.br

Kernel Version 2.6.32-5-vserver-amd64 #1 SMP Wed Sep 14 01:27:56 UTC 2011 x86_64 GNU/Linux

vmfindbugs:~# cat /etc/debian_version
6.0.3

root@fwsingular:~# acpid -v
acpid-2.0.7

(gdb) run -s AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Starting program: /usr/sbin/acpid -s AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x0000414141414141 in ?? ()
(gdb) i r
rax 0xffffffff 4294967295
rbx 0x4141414141414141 4702111234474983745
rcx 0xffffffffffffffa8 -88
rdx 0x62 98
rsi 0x7fffffffe6b0 140737488348848
rdi 0x9 9
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffe740 0x7fffffffe740
r8 0x16 22
r9 0x70 112
r10 0x1 1
r11 0x202 514
r12 0x4141414141414141 4702111234474983745
r13 0x7fffffffeb80 140737488350080
r14 0x0 0
r15 0x0 0
rip 0x414141414141 0x414141414141
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0

Discussion

  • Ted Felix

    Ted Felix - 2011-10-17

    Thanks for the report. I have confirmed this in acpid 2.0.12 and will work on a fix for the next release (2.0.13) on 11/15/2011.

  • Tim Hockin

    Tim Hockin - 2011-10-17

    Fix committed to my tree. Ted, feel free to pick it up. I'm not actively maintaining, really.

  • Ted Felix

    Ted Felix - 2011-10-17

    Thanks, Tim. That appears to be the exact same change I made. I'm thinking we should abort and issue a message, however, as the user will be perplexed when the name of their socket gets truncated. This could be especially serious if they happen to have specified a really long path. It might create the socket file in some unexpected place with an unexpected name.

  • Ted Felix

    Ted Felix - 2011-10-17

    Actually, my change is slightly different (now that I figured out how to diff with CVS under sourceforge). I subtract one from the third argument to strncpy() to guarantee that the result is always NULL terminated (the buffer gets zeroed out in the memset() above)

    strncpy(uds_addr.sun_path, name, sizeof(uds_addr.sun_path) - 1);

    I think that's correct.

  • Tim Hockin

    Tim Hockin - 2011-10-18

    I just committed a change to error out in case of overflow.
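
The two fixes discussed in this thread (Ted's zero-then-strncpy with sizeof - 1, and Tim's error-out when the name does not fit), written out as an added example that is not acpid's own code. The function names and the constructed 255-byte name are assumptions for illustration.

```c
/* Added example (not from acpid): two ways to copy a user-supplied socket
 * path into the fixed-size sun_path of struct sockaddr_un without overflowing
 * it. Function names here are hypothetical, not acpid's. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Approach 1: zero the struct, then strncpy with sizeof - 1 so the last byte
 * stays NUL. Never overflows, but silently truncates over-long names. */
void fill_sun_path_truncate(struct sockaddr_un *uds_addr, const char *name)
{
    memset(uds_addr, 0, sizeof(*uds_addr));
    uds_addr->sun_family = AF_UNIX;
    strncpy(uds_addr->sun_path, name, sizeof(uds_addr->sun_path) - 1);
}

/* Approach 2: refuse names that do not fit (plus the terminating NUL), so the
 * socket is never created at an unexpected truncated path. 0 ok, -1 too long. */
int fill_sun_path_strict(struct sockaddr_un *uds_addr, const char *name)
{
    if (strlen(name) >= sizeof(uds_addr->sun_path))
        return -1;
    memset(uds_addr, 0, sizeof(*uds_addr));
    uds_addr->sun_family = AF_UNIX;
    strcpy(uds_addr->sun_path, name); /* safe: length checked above */
    return 0;
}

/* Length of sun_path after approach 1, or -1 if it is not NUL-terminated. */
int truncate_result_len(const char *name)
{
    struct sockaddr_un a;
    fill_sun_path_truncate(&a, name);
    if (memchr(a.sun_path, '\0', sizeof(a.sun_path)) == NULL)
        return -1;
    return (int)strlen(a.sun_path);
}

/* Return code of approach 2 for the given name. */
int strict_result(const char *name)
{
    struct sockaddr_un a;
    return fill_sun_path_strict(&a, name);
}

/* Constructed over-long name (255 'A's), far larger than sun_path. */
const char *long_name(void)
{
    static char buf[256];
    memset(buf, 'A', sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}
```

With a 255-byte name, approach 1 yields a terminated but truncated path of sizeof(sun_path) - 1 bytes, while approach 2 returns -1 and a normal path such as /var/run/acpid.socket is accepted unchanged.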

  • Ted Felix

    Ted Felix - 2011-11-16

    I've just released acpid 2.0.13 which fixes this issue.

    http://tedfelix.com/linux/acpid-netlink.html
