
#5 Possible security issue: Buffer overflow

Group: v1.0 (example)
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-01-01
Created: 2009-08-06
Private: No

During compilation of empty, GCC gives several warnings:
empty.c: In function 'main':
empty.c:613: warning: ignoring return value of 'write', declared with attribute warn_unused_result
empty.c:616: warning: ignoring return value of 'write', declared with attribute warn_unused_result
empty.c:619: warning: ignoring return value of 'write', declared with attribute warn_unused_result
empty.c:626: warning: ignoring return value of 'write', declared with attribute warn_unused_result
empty.c:629: warning: ignoring return value of 'write', declared with attribute warn_unused_result
empty.c:632: warning: ignoring return value of 'write', declared with attribute warn_unused_result
empty.c: In function 'pidbyppid':
empty.c:689: warning: array subscript is above array bounds
In function 'strncat',
inlined from 'main' at empty.c:587:
/usr/include/bits/string3.h:153: warning: call to __builtin___strncat_chk might overflow destination buffer

At least the last warnings seem to have serious effects, as I get the following crashes (not yet reproducible):
*** buffer overflow detected ***: /usr/bin/empty terminated
======= Backtrace: =========
/lib/libc.so.6.1(__fortify_fail+0x1ddcd8)[0x200002205af94210]
/lib/libc.so.6.1(__chk_fail+0x1d9688)[0x200002205af8fbd0]
/lib/libc.so.6.1(__read_chk+0x1da0a8)[0x200002205af90600]
/usr/bin/empty[0x4000000000003fd0]
/lib/libc.so.6.1(__libc_start_main+0x3dc48)[0x200002205adf41b0]
/usr/bin/empty[0x4000000000002020]
======= Memory map: ========
00000000-00004000 r--p 00000000 00:00 0
200002205ad6c000-200002205ada8000 r-xp 00000000 08:02 16520 /lib/ld-2.9.so
200002205adb4000-200002205adbc000 rw-p 00038000 08:02 16520 /lib/ld-2.9.so
200002205adbc000-200002205adc0000 r-xp 00000000 08:02 16509 /lib/libutil-2.9.so
200002205adc0000-200002205adcc000 ---p 00004000 08:02 16509 /lib/libutil-2.9.so
200002205adcc000-200002205add0000 rw-p 00000000 08:02 16509 /lib/libutil-2.9.so
200002205add0000-200002205b024000 r-xp 00000000 08:02 16514 /lib/libc-2.9.so
200002205b024000-200002205b030000 ---p 00254000 08:02 16514 /lib/libc-2.9.so
200002205b030000-200002205b038000 rw-p 00250000 08:02 16514 /lib/libc-2.9.so
200002205b038000-200002205b04c000 rw-p 200002205b038000 00:00 0
200002205b04c000-200002205b060000 r-xp 00000000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
200002205b060000-200002205b06c000 ---p 00014000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
200002205b06c000-200002205b070000 rw-p 00010000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
200002205b070000-200002205b07c000 r-xp 00000000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
200002205b07c000-200002205b088000 ---p 0000c000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
200002205b088000-200002205b08c000 rw-p 00008000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
200002205b08c000-200002205b0a4000 rw-p 200002205b08c000 00:00 0
4000000000000000-4000000000008000 r-xp 00000000 fe:01 82332 /usr/bin/empty
6000000000004000-6000000000008000 rw-p 00004000 fe:01 82332 /usr/bin/empty
6000000000008000-600000000005c000 rw-p 6000000000008000 00:00 0 [heap]
600003caaa4d4000-600003caaa4d8000 rw-p 600003caaa4d4000 00:00 0 [stack]
60000bcaaa480000-60000bcaaa4d4000 rw-p 60000ffffffa8000 00:00 0 [stack]
a000000000000000-a000000000020000 r-xp 00000000 00:00 0 [vdso]
*** buffer overflow detected ***: /usr/bin/empty terminated
======= Backtrace: =========
/lib/libc.so.6.1(__fortify_fail+0x1ddcd8)[0x20000740af794210]
/lib/libc.so.6.1(__chk_fail+0x1d9688)[0x20000740af78fbd0]
/lib/libc.so.6.1(__read_chk+0x1da0a8)[0x20000740af790600]
/usr/bin/empty[0x4000000000003fd0]
/lib/libc.so.6.1(__libc_start_main+0x3dc48)[0x20000740af5f41b0]
/usr/bin/empty[0x4000000000002020]
======= Memory map: ========
00000000-00004000 r--p 00000000 00:00 0
20000740af56c000-20000740af5a8000 r-xp 00000000 08:02 16520 /lib/ld-2.9.so
20000740af5b4000-20000740af5bc000 rw-p 00038000 08:02 16520 /lib/ld-2.9.so
20000740af5bc000-20000740af5c0000 r-xp 00000000 08:02 16509 /lib/libutil-2.9.so
20000740af5c0000-20000740af5cc000 ---p 00004000 08:02 16509 /lib/libutil-2.9.so
20000740af5cc000-20000740af5d0000 rw-p 00000000 08:02 16509 /lib/libutil-2.9.so
20000740af5d0000-20000740af824000 r-xp 00000000 08:02 16514 /lib/libc-2.9.so
20000740af824000-20000740af830000 ---p 00254000 08:02 16514 /lib/libc-2.9.so
20000740af830000-20000740af838000 rw-p 00250000 08:02 16514 /lib/libc-2.9.so
20000740af838000-20000740af84c000 rw-p 20000740af838000 00:00 0
20000740af84c000-20000740af860000 r-xp 00000000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
20000740af860000-20000740af86c000 ---p 00014000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
20000740af86c000-20000740af870000 rw-p 00010000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
20000740af870000-20000740af87c000 r-xp 00000000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
20000740af87c000-20000740af888000 ---p 0000c000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
20000740af888000-20000740af88c000 rw-p 00008000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
20000740af88c000-20000740af8a4000 rw-p 20000740af88c000 00:00 0
4000000000000000-4000000000008000 r-xp 00000000 fe:01 82332 /usr/bin/empty
6000000000004000-6000000000008000 rw-p 00004000 fe:01 82332 /usr/bin/empty
6000000000008000-6000000000048000 rw-p 6000000000008000 00:00 0 [heap]
600006bad5540000-600006bad5544000 rw-p 600006bad5540000 00:00 0 [stack]
60000ebad54e8000-60000ebad553c000 rw-p 60000ffffffa8000 00:00 0 [stack]
a000000000000000-a000000000020000 r-xp 00000000 00:00 0 [vdso]
*** buffer overflow detected ***: /usr/bin/empty terminated
======= Backtrace: =========
/lib/libc.so.6.1(__fortify_fail+0x1ddcd8)[0x20000651d4304210]
/lib/libc.so.6.1(__chk_fail+0x1d9688)[0x20000651d42ffbd0]
/lib/libc.so.6.1(__read_chk+0x1da0a8)[0x20000651d4300600]
/usr/bin/empty[0x4000000000003fd0]
/lib/libc.so.6.1(__libc_start_main+0x3dc48)[0x20000651d41641b0]
/usr/bin/empty[0x4000000000002020]
======= Memory map: ========
00000000-00004000 r--p 00000000 00:00 0
20000651d40dc000-20000651d4118000 r-xp 00000000 08:02 16520 /lib/ld-2.9.so
20000651d4124000-20000651d412c000 rw-p 00038000 08:02 16520 /lib/ld-2.9.so
20000651d412c000-20000651d4130000 r-xp 00000000 08:02 16509 /lib/libutil-2.9.so
20000651d4130000-20000651d413c000 ---p 00004000 08:02 16509 /lib/libutil-2.9.so
20000651d413c000-20000651d4140000 rw-p 00000000 08:02 16509 /lib/libutil-2.9.so
20000651d4140000-20000651d4394000 r-xp 00000000 08:02 16514 /lib/libc-2.9.so
20000651d4394000-20000651d43a0000 ---p 00254000 08:02 16514 /lib/libc-2.9.so
20000651d43a0000-20000651d43a8000 rw-p 00250000 08:02 16514 /lib/libc-2.9.so
20000651d43a8000-20000651d43bc000 rw-p 20000651d43a8000 00:00 0
20000651d43bc000-20000651d43d0000 r-xp 00000000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
20000651d43d0000-20000651d43dc000 ---p 00014000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
20000651d43dc000-20000651d43e0000 rw-p 00010000 fe:01 16924 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libgcc_s.so.1
20000651d43e0000-20000651d43ec000 r-xp 00000000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
20000651d43ec000-20000651d43f8000 ---p 0000c000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
20000651d43f8000-20000651d43fc000 rw-p 00008000 fe:01 17653 /usr/lib/gcc/ia64-unknown-linux-gnu/4.3.3/libunwind.so.7
20000651d43fc000-20000651d4414000 rw-p 20000651d43fc000 00:00 0
4000000000000000-4000000000008000 r-xp 00000000 fe:01 82332 /usr/bin/empty
6000000000004000-6000000000008000 rw-p 00004000 fe:01 82332 /usr/bin/empty
6000000000008000-600000000005c000 rw-p 6000000000008000 00:00 0 [heap]
60000408081e0000-60000408081e4000 rw-p 60000408081e0000 00:00 0 [stack]
60000c0808188000-60000c08081dc000 rw-p 60000ffffffa8000 00:00 0 [stack]
a000000000000000-a000000000020000 r-xp 00000000 00:00 0 [vdso]
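The two warnings the reporter singles out describe one defect class: a length argument that is not derived from the buffer being written. `strncat`'s third argument is the number of bytes it may append, not the capacity of the destination, which is why passing the destination's size can overflow it; and the `__read_chk` frame in the backtrace is glibc's fortified `read()`, which aborts when the requested count is larger than the object it is told to fill. The C block below is an added illustration of the bounded forms, not code from the empty project, and it does not reproduce empty.c (whose source is not on this page); the function names, the 16-byte buffer and the sample input are constructed for the example. It also checks the return value of `write()`, the fix for the `warn_unused_result` warnings at the top of the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LINE_SZ 16   /* constructed: small so that truncation is visible */

/* Bounded append. strncat's size argument is how many bytes it may APPEND,
 * so the room is computed from what dst already holds, minus the terminator.
 * Passing sizeof(dst) here is the pattern __builtin___strncat_chk warns
 * about. Returns 1 if the whole suffix fit, 0 if it was truncated. */
int append_bounded(char *dst, size_t dst_sz, const char *suffix)
{
    size_t used = strnlen(dst, dst_sz);
    if (used >= dst_sz)            /* dst is not NUL-terminated: refuse */
        return 0;
    size_t room = dst_sz - used - 1;
    strncat(dst, suffix, room);    /* writes at most room bytes plus NUL */
    return strlen(suffix) <= room;
}

/* Bounded read into a fixed buffer. The count handed to read() never exceeds
 * the buffer; a larger count is exactly what the fortified __read_chk aborts
 * on. Reads at most buf_sz - 1 bytes and NUL-terminates. Returns the number
 * of bytes read, or -1 on error. */
ssize_t read_line_bounded(int fd, char *buf, size_t buf_sz)
{
    if (buf == NULL || buf_sz == 0)
        return -1;
    ssize_t n = read(fd, buf, buf_sz - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Self-check: a pipe whose writer sends more bytes than the reader's buffer
 * holds, and an append that does not fit. Returns 1 when both bounded forms
 * behaved as expected, 0 or -1 otherwise. */
int demo(void)
{
    char line[LINE_SZ] = "user=";
    int fit = append_bounded(line, sizeof line, "averyveryverylongname");
    /* line is now "user=averyveryv" (15 chars + NUL) and fit == 0 */

    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    const char msg[] = "0123456789ABCDEFGHIJ";       /* 20 bytes > LINE_SZ */
    if (write(fds[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fds[0]);
        close(fds[1]);
        return -1;                                   /* do not ignore write() */
    }
    close(fds[1]);

    char buf[LINE_SZ];
    ssize_t n = read_line_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);

    return fit == 0 && n == LINE_SZ - 1 && strcmp(buf, "0123456789ABCDE") == 0;
}

int main(void)
{
    printf("bounded append and read behaved as expected: %s\n",
           demo() == 1 ? "yes" : "no");
    return 0;
}
```

Compiling with `-O2 -D_FORTIFY_SOURCE=2` is what turns the `strncat` and `read` calls into their `_chk` variants; with the counts derived from the buffers as above, the checks stay silent, and the truncation is reported through the return value instead of being written past the end of the array.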

Discussion

  • Dennis Schridde - 2009-12-19

    Making this public now, since it has not been fixed in 4 months.

  • mezantrop - 2023-01-01
    • status: open --> closed
    • Group: --> v1.0 (example)

  • mezantrop - 2023-01-01

    Don't think it's still applicable. Anyway, thank you very much and sorry for the silence.
