#36 [patch] Buffer overflow loading PG campaign on Ubuntu

closed-fixed
nobody
None
6
2010-09-20
2009-01-05
Bryce Harrington
No

Ubuntu now builds with gcc's fortify-source option (FORTIFY_SOURCE) to catch buffer overflows, and it caught one when I tried to load the default PG campaign in lgeneral-1.2beta-13. Judging from frame #10 of the backtrace below, the detected overflow is the sprintf in camp_load (the __sprintf_chk wrapper at stdio2.h:34), so the write into one of camp_load's fixed-size local buffers appears to exceed that buffer's length.

(gdb) run
Starting program: /usr/local/bin/lgeneral
[Thread debugging using libthread_db enabled]
LGeneral 1.2beta-13
Copyright 2001-2005 Michael Speck
Published under GNU GPL
---
Looking up data in: /usr/local/share/games/lgeneral
[New Thread 0x7fb9e5ed8700 (LWP 2754)]
[New Thread 0x7fb9e14b4950 (LWP 2757)]
[New Thread 0x7fb9e035b950 (LWP 2758)]
there is no soundcard
*** buffer overflow detected ***: /usr/local/bin/lgeneral terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7fb9e52f1307]
/lib/libc.so.6[0x7fb9e52ef1b0]
/lib/libc.so.6[0x7fb9e52ee549]
/lib/libc.so.6(_IO_default_xsputn+0x96)[0x7fb9e5268426]
/lib/libc.so.6(_IO_vfprintf+0x348d)[0x7fb9e523ad9d]
/lib/libc.so.6(__vsprintf_chk+0x9d)[0x7fb9e52ee5ed]
/lib/libc.so.6(__sprintf_chk+0x80)[0x7fb9e52ee530]
/usr/local/bin/lgeneral[0x425c4f]
/usr/local/bin/lgeneral[0x42ca20]
/usr/local/bin/lgeneral[0x431dad]
/usr/local/bin/lgeneral[0x402f3f]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7fb9e5210586]
/usr/local/bin/lgeneral[0x402a79]
======= Memory map: ========
00400000-0043d000 r-xp 00000000 08:01 5505445 /usr/local/bin/lgeneral
0063c000-0063d000 r--p 0003c000 08:01 5505445 /usr/local/bin/lgeneral
0063d000-0063e000 rw-p 0003d000 08:01 5505445 /usr/local/bin/lgeneral
0063e000-00661000 rw-p 0063e000 00:00 0
00c74000-01d44000 rw-p 00c74000 00:00 0 [heap]
7fb9dfb5b000-7fb9dfb5c000 ---p 7fb9dfb5b000 00:00 0
7fb9dfb5c000-7fb9e035c000 rw-p 7fb9dfb5c000 00:00 0
7fb9e035c000-7fb9e0360000 r-xp 00000000 08:01 24182875 /usr/lib/alsa-lib/libasound_module_rate_speexrate.so
7fb9e0360000-7fb9e055f000 ---p 00004000 08:01 24182875 /usr/lib/alsa-lib/libasound_module_rate_speexrate.so
7fb9e055f000-7fb9e0560000 r--p 00003000 08:01 24182875 /usr/lib/alsa-lib/libasound_module_rate_speexrate.so
7fb9e0560000-7fb9e0561000 rw-p 00004000 08:01 24182875 /usr/lib/alsa-lib/libasound_module_rate_speexrate.so
7fb9e0561000-7fb9e0cb4000 rw-s 00000000 00:09 6553621 /SYSV00000000 (deleted)
7fb9e0cb4000-7fb9e0cb5000 ---p 7fb9e0cb4000 00:00 0
7fb9e0cb5000-7fb9e14b5000 rw-p 7fb9e0cb5000 00:00 0
7fb9e14b5000-7fb9e14c1000 r-xp 00000000 08:01 18727299 /lib/libnss_files-2.9.so
7fb9e14c1000-7fb9e16c0000 ---p 0000c000 08:01 18727299 /lib/libnss_files-2.9.so
7fb9e16c0000-7fb9e16c1000 r--p 0000b000 08:01 18727299 /lib/libnss_files-2.9.so
7fb9e16c1000-7fb9e16c2000 rw-p 0000c000 08:01 18727299 /lib/libnss_files-2.9.so
7fb9e16c2000-7fb9e16cc000 r-xp 00000000 08:01 18727301 /lib/libnss_nis-2.9.so
7fb9e16cc000-7fb9e18cb000 ---p 0000a000 08:01 18727301 /lib/libnss_nis-2.9.so
7fb9e18cb000-7fb9e18cc000 r--p 00009000 08:01 18727301 /lib/libnss_nis-2.9.so
7fb9e18cc000-7fb9e18cd000 rw-p 0000a000 08:01 18727301 /lib/libnss_nis-2.9.so
7fb9e18cd000-7fb9e18e3000 r-xp 00000000 08:01 18727058 /lib/libnsl-2.9.so
7fb9e18e3000-7fb9e1ae3000 ---p 00016000 08:01 18727058 /lib/libnsl-2.9.so
7fb9e1ae3000-7fb9e1ae4000 r--p 00016000 08:01 18727058 /lib/libnsl-2.9.so
7fb9e1ae4000-7fb9e1ae5000 rw-p 00017000 08:01 18727058 /lib/libnsl-2.9.so
7fb9e1ae5000-7fb9e1ae7000 rw-p 7fb9e1ae5000 00:00 0
7fb9e1ae7000-7fb9e1aef000 r-xp 00000000 08:01 18727062 /lib/libnss_compat-2.9.so
7fb9e1aef000-7fb9e1cee000 ---p 00008000 08:01 18727062 /lib/libnss_compat-2.9.so
7fb9e1cee000-7fb9e1cef000 r--p 00007000 08:01 18727062 /lib/libnss_compat-2.9.so
7fb9e1cef000-7fb9e1cf0000 rw-p 00008000 08:01 18727062 /lib/libnss_compat-2.9.so
7fb9e1cf0000-7fb9e1cf5000 r-xp 00000000 08:01 8234581 /usr/lib/libXfixes.so.3.1.0
7fb9e1cf5000-7fb9e1ef4000 ---p 00005000 08:01 8234581 /usr/lib/libXfixes.so.3.1.0
7fb9e1ef4000-7fb9e1ef5000 rw-p 00004000 08:01 8234581 /usr/lib/libXfixes.so.3.1.0
7fb9e1ef5000-7fb9e1efe000 r-xp 00000000 08:01 8234571 /usr/lib/libXcursor.so.1.0.2
7fb9e1efe000-7fb9e20fe000 ---p 00009000 08:01 8234571 /usr/lib/libXcursor.so.1.0.2
7fb9e20fe000-7fb9e20ff000 rw-p 00009000 08:01 8234571 /usr/lib/libXcursor.so.1.0.2
7fb9e20ff000-7fb9e2106000 r-xp 00000000 08:01 8235404 /usr/lib/libXrandr.so.2.2.0
7fb9e2106000-7fb9e2306000 ---p 00007000 08:01 8235404 /usr/lib/libXrandr.so.2.2.0
7fb9e2306000-7fb9e2307000 r--p 00007000 08:01 8235404 /usr/lib/libXrandr.so.2.2.0
7fb9e2307000-7fb9e2308000 rw-p 00008000 08:01 8235404 /usr/lib/libXrandr.so.2.2.0
7fb9e2308000-7fb9e2311000 r-xp 00000000 08:01 8236714 /usr/lib/libXrender.so.1.3.0
7fb9e2311000-7fb9e2510000 ---p 00009000 08:01 8236714 /usr/lib/libXrender.so.1.3.0
7fb9e2510000-7fb9e2511000 r--p 00008000 08:01 8236714 /usr/lib/libXrender.so.1.3.0
7fb9e2511000-7fb9e2512000 rw-p 00009000 08:01 8236714 /usr/lib/libXrender.so.1.3.0
7fb9e2512000-7fb9e2522000 r-xp 00000000 08:01 8235684 /usr/lib/libXext.so.6.4.0
7fb9e2522000-7fb9e2722000 ---p 00010000 08:01 8235684 /usr/lib/libXext.so.6.4.0
7fb9e2722000-7fb9e2724000 rw-p 00010000 08:01 8235684 /usr/lib/libXext.so.6.4.0
7fb9e2724000-7fb9e2729000 r-xp 00000000 08:01 8235629 /usr/lib/libXdmcp.so.6.0.0
7fb9e2729000-7fb9e2928000 ---p 00005000 08:01 8235629 /usr/lib/libXdmcp.so.6.0.0
7fb9e2928000-7fb9e2929000 rw-p 00004000 08:01 8235629 /usr/lib/libXdmcp.so.6.0.0
7fb9e2929000-7fb9e292b000 r-xp 00000000 08:01 8235351 /usr/lib/libXau.so.6.0.0
7fb9e292b000-7fb9e2b2a000 ---p 00002000 08:01 8235351 /usr/lib/libXau.so.6.0.0
7fb9e2b2a000-7fb9e2b2b000 rw-p 00001000 08:01 8235351 /usr/lib/libXau.so.6.0.0
7fb9e2b2b000-7fb9e2b46000 r-xp 00000000 08:01 8235651 /usr/lib/libxcb.so.1.0.0
7fb9e2b46000-7fb9e2d45000 ---p 0001b000 08:01 8235651 /usr/lib/libxcb.so.1.0.0
7fb9e2d45000-7fb9e2d46000 r--p 0001a000 08:01 8235651 /usr/lib/libxcb.so.1.0.0
7fb9e2d46000-7fb9e2d47000 rw-p 0001b000 08:01 8235651 /usr/lib/libxcb.so.1.0.0
7fb9e2d47000-7fb9e2d48000 r-xp 00000000 08:01 8235655 /usr/lib/libxcb-xlib.so.0.0.0
7fb9e2d48000-7fb9e2f47000 ---p 00001000 08:01 8235655 /usr/lib/libxcb-xlib.so.0.0.0
7fb9e2f47000-7fb9e2f48000 r--p 00000000 08:01 8235655 /usr/lib/libxcb-xlib.so.0.0.0
7fb9e2f48000-7fb9e2f49000 rw-p 00001000 08:01 8235655 /usr/lib/libxcb-xlib.so.0.0.0
7fb9e2f49000-7fb9e304c000 r-xp 00000000 08:01 8235085 /usr/lib/libX11.so.6.2.0
7fb9e304c000-7fb9e324c000 ---p 00103000 08:01 8235085 /usr/lib/libX11.so.6.2.0
7fb9e324c000-7fb9e324d000 r--p 00103000 08:01 8235085 /usr/lib/libX11.so.6.2.0
7fb9e324d000-7fb9e3251000 rw-p 00104000 08:01 8235085 /usr/lib/libX11.so.6.2.0
7fb9e3251000-7fb9e3256000 r-xp 00000000 08:01 8234649 /usr/lib/libogg.so.0.5.3
7fb9e3256000-7fb9e3455000 ---p 00005000 08:01 8234649 /usr/lib/libogg.so.0.5.3
7fb9e3455000-7fb9e3456000 r--p 00004000 08:01 8234649 /usr/lib/libogg.so.0.5.3
7fb9e3456000-7fb9e3457000 rw-p 00005000 08:01 8234649 /usr/lib/libogg.so.0.5.3
7fb9e3457000-7fb9e345e000 r-xp 00000000 08:01 18727306 /lib/librt-2.9.so
7fb9e345e000-7fb9e365d000 ---p 00007000 08:01 18727306 /lib/librt-2.9.so
7fb9e365d000-7fb9e365e000 r--p 00006000 08:01 18727306 /lib/librt-2.9.so
7fb9e365e000-7fb9e365f000 rw-p 00007000 08:01 18727306 /lib/librt-2.9.so
7fb9e365f000-7fb9e3675000 r-xp 00000000 08:01 4907635 /lib/libgcc_s.so.1
7fb9e3675000-7fb9e3875000 ---p 00016000 08:01 4907635 /lib/libgcc_s.so.1
7fb9e3875000-7fb9e3876000 r--p 00016000 08:01 4907635 /lib/libgcc_s.so.1
7fb9e3876000-7fb9e3877000 rw-p 00017000 08:01 4907635 /lib/libgcc_s.so.1
7fb9e3877000-7fb9e3968000 r-xp 00000000 08:01 8234210 /usr/lib/libstdc++.so.6.0.10
7fb9e3968000-7fb9e3b68000 ---p 000f1000 08:01 8234210 /usr/lib/libstdc++.so.6.0.10
7fb9e3b68000-7fb9e3b6f000 r--p 000f1000 08:01 8234210 /usr/lib/libstdc++.so.6.0.10
7fb9e3b6f000-7fb9e3b71000 rw-p 000f8000 08:01 8234210 /usr/lib/libstdc++.so.6.0.10
7fb9e3b71000-7fb9e3b84000 rw-p 7fb9e3b71000 00:00 0
7fb9e3b84000-7fb9e3ba3000 r-xp 00000000 08:01 8235369 /usr/lib/libvorbis.so.0.4.0
7fb9e3ba3000-7fb9e3da2000 ---p 0001f000 08:01 8235369 /usr/lib/libvorbis.so.0.4.0
7fb9e3da2000-7fb9e3da3000 r--p 0001e
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fb9e5ed8700 (LWP 2754)]
0x00007fb9e5224fa5 in raise () from /lib/libc.so.6
(gdb) bt full
#0 0x00007fb9e5224fa5 in raise () from /lib/libc.so.6
No symbol table info available.
#1 0x00007fb9e5226b13 in abort () from /lib/libc.so.6
No symbol table info available.
#2 0x00007fb9e5264228 in ?? () from /lib/libc.so.6
No symbol table info available.
#3 0x00007fb9e52f1307 in __fortify_fail () from /lib/libc.so.6
No symbol table info available.
#4 0x00007fb9e52ef1b0 in __chk_fail () from /lib/libc.so.6
No symbol table info available.
#5 0x00007fb9e52ee549 in ?? () from /lib/libc.so.6
No symbol table info available.
#6 0x00007fb9e5268426 in _IO_default_xsputn () from /lib/libc.so.6
No symbol table info available.
#7 0x00007fb9e523ad9d in vfprintf () from /lib/libc.so.6
No symbol table info available.
#8 0x00007fb9e52ee5ed in __vsprintf_chk () from /lib/libc.so.6
No symbol table info available.
#9 0x00007fb9e52ee530 in __sprintf_chk () from /lib/libc.so.6
No symbol table info available.
#10 0x0000000000425c4f in camp_load (fname=<value optimized out>) at /usr/include/bits/stdio2.h:34
key = "debriefings/major\000\000\000\000\000\000\000\000�U�\002\000\000\000@a_\001\002\000\000\000\030\000\000\000\000\000\000\000P�\000\000\000\000\000\000�\214�\001\000\000\000\000\000�U�\002\000\000\000�����\177\000\000`b_\001\000\000\000\000��������`b_\001\000\000\000\000`b_\001\000\000\000\000��������\001\000\000\000\000\000\000\000�����\177\000\000�eC\000\000\000\000\000\220d_\001\000\000\000\000��.��\177\000\000\001\200��\000\000\000\000`b_\001\000\000\000\000`b_\001\000\000\000\000`b_\001\000\000\000\000`b_\001\000\000\000\000"...
result = 0x1cf9720 "major"
next_desc = <value optimized out>
pd = (PData *) 0x15f6750
scen_ent = (PData *) 0x1d186e0
sub = <value optimized out>
pdent = (PData *) 0x1cf9000
entries = (List *) 0x1d18710
next_entries = (List *) 0x1cf93f0
path = "/usr/local/share/games/lgeneral/campaigns/PG\000\177\000\000\200\000���\177\000\000p\000�\000\000\000\000\000p\000�\000\000\000\000\000\030\001���\177\000\000\210\000�\000\000\000\000\000A\020\000\000\000\000\000\000 \001���\177\000\000TY���\177\000\000 \001���\177\000\000p\000�\000\000\000\000\000\030\001���\177\000\000� ���\177\000\000<\020\000\000\000\000\000\000@\001���\177\000\000\020\001���\177\000\000 \001���\177\000\0000\001���\177\000\000\000\001���\177\000\000�]_\001\000\000\000\000"...
str = "major>Your early capturing of Southern England enabled us to prepare defenses against the landing of the American reinforcements, and to decisively beat them. Consequentially, England has surrendered!"...
result = <value optimized out>
domain = 0x15f6260 "pg"
#11 0x000000000042ca20 in engine_init () at engine.c:4054
i = <value optimized out>
j = <value optimized out>
#12 0x0000000000431dad in engine_run () at engine.c:4215
reinit = 0
#13 0x0000000000402f3f in main (argc=1, argv=0x7fffedf003f8) at main.c:265
window_name = "LGeneral 1.2beta-13\000�\177\000\000�@C\000\000\000\000"

Discussion

  • Possible fix for above issue

     
    Attachments
    • priority: 5 --> 6
     
  • Michael Speck
    2010-09-20

    • status: open --> closed-fixed