From: SourceForge.net <no...@so...> - 2005-01-09 18:01:35
Bugs item #1044321, was opened at 2004-10-11 03:58
Message generated for change (Comment added) made by richi
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=101627&aid=1044321&group_id=1627

Category: None
Group: None
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: John Richard Moser (bluefoxicy)
Assigned to: Nobody/Anonymous (nobody)
Summary: buffer overflow in gls_plugin_get()

Initial Comment:
In /var/log/syslog:

Oct 10 23:53:54 icebox glame: stack smashing attack in function gls_plugin_get

glame-1.0.2 on amd64

When a buffer is created on the stack, i.e.

    void foo(void)
    {
        char a[10]; // stack buffer
    }

The IBM stack protector (fka ProPolice) places a guard value immediately after it. If this value is altered, the program aborts immediately. That's where this message is coming from.

This indicates that something is overflowing a buffer in gls_plugin_get().

----------------------------------------------------------------------

>Comment By: Richard Guenther (richi)
Date: 2005-01-09 18:01

Message:
Logged In: YES
user_id=7575

The code in question looks like:

    #include <stdlib.h>     /* free() */
    #include <guile/gh.h>   /* gh_* interface of guile 1.x: SCM, gh_string_p(), gh_scm2newstr() */
    /* plugin_t, plugin_get(), plugin2scm() and GLAME_THROW are glame's own */

    static SCM gls_plugin_get(SCM s_name)
    {
        plugin_t *p;
        char *name;
        int namel;

        /* argument type check; on failure guile raises a wrong-type error */
        SCM_ASSERT(gh_string_p(s_name), s_name, SCM_ARG1, "plugin-get");
        /* gh_scm2newstr() hands back a freshly malloc()ed copy of the
         * string, so no fixed-size stack buffer is involved here */
        name = gh_scm2newstr(s_name, &namel);
        p = plugin_get(name);
        free(name);
        if (!p)
            GLAME_THROW();
        return plugin2scm(p);
    }

where you can see no buffer is created in this function other than maybe by the SCM_ASSERT macro, but that is from the guile library we don't have control over. If you have more detailed information _which_ buffer is overflown, that may help in tracking down the problem (if there is one).

Note that the stack protector may be fooled by the guile garbage collector which may do weird things with the stack scanning for dead objects.
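The guard mechanism described in the initial comment, as an added C model that is not from the tracker or the glame sources: a frame holding a 10-byte buffer, a guard word and a saved return address, where a copy that runs past the buffer changes the guard. The guard constant, the frame layout and the inputs are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* constructed value; the real stack protector picks a random guard per process */
#define GUARD_VALUE 0xCAFEBABEDEADBEEFULL

/* Simplified model of a protected stack frame: the local buffer, then the
 * guard, then the saved return address. The compiler's actual layout differs
 * in detail, but the ordering is the point of the protector. */
struct frame {
    char     buf[10];       /* the only local array, like char a[10] above */
    uint64_t guard;         /* "canary" placed after the buffer */
    uint64_t saved_return;  /* what the guard is there to protect */
};

/* Copy n bytes into the frame starting at buf and report whether the guard
 * survived: 1 if intact, 0 if the copy ran past buf and clobbered it, which
 * is exactly the condition that makes the real protector abort with the
 * "stack smashing attack in function ..." message. n is clamped to the frame
 * size so the model never writes outside its own object. */
int guard_intact_after_copy(const char *src, size_t n)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.guard = GUARD_VALUE;
    f.saved_return = 0x401000;               /* constructed placeholder address */
    if (n > sizeof f)
        n = sizeof f;
    /* Byte copy into the frame object. Note that alignment padding sits between
     * buf (10 bytes) and guard, so a small overrun lands in padding and goes
     * unnoticed; only a copy that reaches the guard is detected. */
    memcpy((unsigned char *)&f, src, n);
    return f.guard == GUARD_VALUE;
}

int main(void)
{
    const char *ok  = "short";                     /* constructed, fits in buf */
    const char *bad = "this string is too long!";  /* constructed, 24 bytes */
    printf("fits:      guard %s\n",
           guard_intact_after_copy(ok, strlen(ok)) ? "intact" : "smashed");
    printf("overflows: guard %s\n",
           guard_intact_after_copy(bad, strlen(bad)) ? "intact" : "smashed");
    return 0;
}
```

Read against richi's listing, the model shows why the function body itself cannot trip this check: it declares no local array for a guard to follow, so the write has to come from something it calls.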
----------------------------------------------------------------------

Comment By: John Richard Moser (bluefoxicy)
Date: 2005-01-09 17:39

Message:
Logged In: YES
user_id=696610

Explain what led you to the conclusion that this is invalid?

----------------------------------------------------------------------

Comment By: Richard Guenther (richi)
Date: 2005-01-09 14:56

Message:
Logged In: YES
user_id=7575

Invalid? Maybe.

----------------------------------------------------------------------

Comment By: John Richard Moser (bluefoxicy)
Date: 2004-10-11 04:14

Message:
Logged In: YES
user_id=696610

"This indicates that something is overflowing a buffer in gls_plugin_get()."

a buffer CREATED in gls_plugin_get() on the stack, as shown in the above pseudocode

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=101627&aid=1044321&group_id=1627