
#48 ifconfig buffer overflow (net-tools 3.14-alpha)

Milestone: BETA-1.65-UPSTREAM
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2024-09-01
Created: 2024-08-28
Private: No

Installing AX25 on Ubuntu created ax0 and rose0 devices.

IP address says:
8: ax0: <BROADCAST,UP,LOWER_UP> mtu 253 qdisc pfifo_fast state UNKNOWN group default qlen 10
link/ax25 F6BVP-12 brd QST-0 permaddr LINUX-1
9: rose0: <NOARP,UP,LOWER_UP> mtu 251 qdisc noqueue state UNKNOWN group default qlen 1000
link/rose 2080835201 brd 0000000000

./ipmaddr says:
....
8: ax0
inet 224.0.0.1
9: rose0
inet 224.0.0.1

ifconfig rose0 says:
./ifconfig rose0
rose0: flags=193<UP,RUNNING,NOARP> mtu 251
rose 2080835201 txqueuelen 1000 (AMPR ROSE)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

However ifconfig ax0 reports:
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
*** buffer overflow detected ***: terminated
Abandon (core dumped)

Downloaded sourceforge
./ifconfig --version
net-tools 3.14-alpha

Make with -ggdb2 and running gdb ifconfig rose0 or ax0
(gdb) run
Starting program: /home/bernard/Téléchargements/net-tools-code-20a78e06a69bd9b6b4e15468201d5d3aa9c395db/ifconfig
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: Aucun fichier ou dossier de ce nom
(gdb)

What can be done to go further and find the source of the buffer overflow?

Bernard, f6bvp

Discussion

  • Bernard Pidoux

    Bernard Pidoux - 2024-08-28

    Where:

    (gdb) where
    #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
    #1  __pthread_kill_internal (signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
    #2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
    #3  0x00007ffff7c4526e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #4  0x00007ffff7c288ff in __GI_abort () at ./stdlib/abort.c:79
    #5  0x00007ffff7c297b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7dce765 "*** %s ***: terminated\n")
        at ../sysdeps/posix/libc_fatal.c:132
    #6  0x00007ffff7d36c19 in __GI___fortify_fail (msg=msg@entry=0x7ffff7dce74c "buffer overflow detected")
        at ./debug/fortify_fail.c:24
    #7  0x00007ffff7d365d4 in __GI___chk_fail () at ./debug/chk_fail.c:28
    #8  0x00007ffff7c889f0 in __vsprintf_internal (string=<optimized out>, maxlen=<optimized out>, 
        format=<optimized out>, args=args@entry=0x7fffffffde30, mode_flags=mode_flags@entry=6)
        at ./libio/iovsprintf.c:67
    #9  0x00007ffff7d37e6f in ___sprintf_chk (s=<optimized out>, flag=flag@entry=2, slen=<optimized out>, 
        format=format@entry=0x55555555ff67 "-%d") at ./debug/sprintf_chk.c:40
    #10 0x000055555555a172 in sprintf (__fmt=0x55555555ff67 "-%d", __s=<optimized out>)
        at /usr/include/x86_64-linux-gnu/bits/stdio2.h:30
    #11 AX25_print (ptr=<optimized out>) at ax25.c:63
    #12 0x000055555555bfd4 in ife_print_long (ptr=0x5555555673c0) at interface.c:869
    #13 0x000055555555c73d in ife_print (i=0x5555555673c0) at interface.c:953
    #14 do_if_print (ife=0x5555555673c0, cookie=0x5555555635c8 <opt_a>) at interface.c:590
    #15 0x000055555555b720 in for_all_interfaces (doit=0x55555555c6f0 <do_if_print>, 
        cookie=cookie@entry=0x5555555635c8 <opt_a>) at interface.c:145
    #16 0x0000555555557b41 in if_print (ifname=0x0) at ifconfig.c:108
    #17 main (argc=<optimized out>, argv=0x7fffffffe350) at ifconfig.c:327
    (gdb) 
    
     

    Last edit: Mike Frysinger 2024-09-01
  • Bernd Eckenfels

    Bernd Eckenfels - 2024-08-28

    looks like the snprintf in ax should be easy to find with your contributed info, will let you know.

    is that some malicious host or just regular enabled kernel? has it actually such hardware? maybe you can share the related proc files, meanwhile?

    thanks a lot for reporting!

     

    Last edit: Bernd Eckenfels 2024-08-28
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-28

    Correction: gdb --args ./ifconfig rose0 is OK!
    (gdb) run
    Starting program: /home/bernard/Téléchargements/net-tools-code-20a78e06a69bd9b6b4e15468201d5d3aa9c395db/ifconfig rose0
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    rose0: flags=193<UP,RUNNING,NOARP> mtu 251
    rose 2080835201 txqueuelen 1000 (AMPR ROSE)
    RX packets 0 bytes 0 (0.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 0 bytes 0 (0.0 B)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    [Inferior 1 (process 48135) exited normally]
    (gdb)

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-28

    Removing -O2 in the makefile solved the bug. I don't see why.
    ./ifconfig ax0
    ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
    ax25 F6BVP-12 txqueuelen 10 (AMPR AX.25)
    RX packets 23 bytes 529 (529.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 425 bytes 7868 (7.6 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

     
  • f4klo

    f4klo - 2024-08-29

    Hi,
    In a bug submission it is recommended to provide the application version.
    This is what is shown when the command line is --version:

    ./ifconfig --version
    net-tools 3.14-alpha

     

    Last edit: Mike Frysinger 2024-09-01
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-30

    Bug solved!

    Increasing the buff[] size by one solved the issue
    while keeping the -O2 optimize compile option, which is probably over-optimizing strlen!

    Here is the diff file:

    --- a/lib/ax25.c    2023-06-29 11:16:10.000000000 +0200
    +++ b/lib/ax25.c    2024-08-30 12:40:37.989684153 +0200
    @@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;
    
     static const char *AX25_print(const char *ptr)
     {
    -    static char buff[8];
    +    static char buff[9];
         int i;
    
         for (i = 0; i < 6; i++) {
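    Review bot: `static char buff[9]` is still one byte short in the worst case. The loop can leave up to 6 callsign characters in buff, and the `-%d` suffix for a two-digit SSID (the `(ptr[6] & 0x1E) >> 1` mask allows 0..15) adds 3 characters plus the NUL terminator, so 6 + 3 + 1 = 10 bytes are needed; the example callsign has only 5 characters, which is why 9 happens to work here. Use `static char buff[10];`, and consider bounding the write with `snprintf(&buff[len], sizeof(buff) - len, "-%d", i)` so that the fortify check (`___sprintf_chk` in the backtrace) is not the only thing preventing an overwrite of the adjacent static data. Removing -O2 only hid the bug: glibc's _FORTIFY_SOURCE object-size checks are active only at -O1 and above, so the unoptimized build performs the same out-of-bounds write without detecting it.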
    

    By the way:

    Linux Ubuntu-2404 6.8.0-41-generic #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug 2 20:41:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

    gcc version 13.2.0 (Ubuntu 13.2.0-23ubuntu4)

    Regards,

    Bernard, f6bvp / ai7bg

     

    Last edit: Mike Frysinger 2024-09-01
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-31

    Proof:

    bernard@Ubuntu-2404:~$ ifconfig ax0
    ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
    ax25 F6BVP-12 txqueuelen 10 (AMPR AX.25)
    RX packets 379 bytes 14816 (14.4 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 13999 bytes 991325 (968.0 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-08-31

    bernard@Ubuntu-2404:~$ ifconfig --version
    net-tools 3.14-alpha
    bernard@Ubuntu-2404:~$

     
  • Mike Frysinger

    Mike Frysinger - 2024-09-01

    increasing buffer to 9 bytes is insufficient. the sprintf call can write up to 10 bytes.
    i = ((ptr[6] & 0x1E) >> 1); can be 2 digits which means the sprintf will write 4 bytes and since it always does it at offset 6, we need 10.

    would be good to simplify the sprintf code a little too while at it.

    -   sprintf(&buff[strlen(buff)], "-%d", i);
    +   sprintf(buff + 6, "-%d", i);
    
     
  • Bernard Pidoux

    Bernard Pidoux - 2024-09-01

    Mike,
    I patched ax25.c and it compiles and works perfectly.
    Thanks a lot for your suggestions. I learned something !

    ./ifconfig ax0
    ax0: flags=67<UP,BROADCAST,RUNNING> mtu 253
    ax25 F6BVP txqueuelen 10 (AMPR AX.25)
    RX packets 13 bytes 285 (285.0 B)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 100 bytes 3246 (3.1 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-09-01

    diff -pruN a/lib/ax25.c b/lib/ax25.c
    --- a/lib/ax25.c 2023-06-29 11:16:10.000000000 +0200
    +++ b/lib/ax25.c 2024-09-01 17:23:33.411623086 +0200
    @@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;

    static const char AX25_print(const char ptr)
    {
    - static char buff[8];
    + static char buff[10];
    int i;

     for (i = 0; i < 6; i++) {
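    Review bot: the context line `static const char AX25_print(const char ptr)` has lost both `*` characters (the earlier diff in this thread shows `static const char *AX25_print(const char *ptr)`), so the patch as pasted will not apply against lib/ax25.c; please re-post it verbatim. The `buff[10]` change itself is the right size for the 6 + 3 + 1 worst case.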
    

    @@ -60,7 +60,7 @@ static const char *AX25_print(const char
    buff[6] = '\0';
    i = ((ptr[6] & 0x1E) >> 1);
    if (i != 0)
    - sprintf(&buff[strlen(buff)], "-%d", i);
    + sprintf(buff + 6, "-%d", i);
    return (buff);
    }
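    Review bot: `sprintf(buff + 6, "-%d", i)` silently drops the SSID whenever the callsign is shorter than 6 characters. The loop above can stop early (Bernd points out the example callsign is only 5 characters), so buff[5] already holds the NUL and the suffix written at offset 6 sits past the terminator. The output posted in the previous comment shows exactly that: `ax25 F6BVP`, where earlier runs printed `F6BVP-12`. Keep `&buff[strlen(buff)]` as the destination (or use the loop index as the offset after breaking out of the loop), and bound the write with `snprintf(..., sizeof(buff) - strlen(buff), ...)`.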

     
  • Bernd Eckenfels

    Bernd Eckenfels - 2024-09-01

    I don't think it works without strlen: the first part can be up to 6; in the example from Bernard it is only 5. We could exit the loop and use i instead of strlen, though.

     
  • Mike Frysinger

    Mike Frysinger - 2024-09-01

    Thanks, I thought the loop always wrote out 6 bytes followed by the NUL, but didn't read it closely enough.

     
  • Bernard Pidoux

    Bernard Pidoux - 2024-09-01

    I agree that strlen(buff) is needed.
    However, AX25_print() must return a char *.
    In the print function i = ptr[6] is used to get the callsign SSID value, which can range from 0 to 15.
    Thus callsigns have a variable length, and IMHO strlen(buff) seems more correct and should be kept.

    --- a/lib/ax25.c 2023-06-29 11:16:10.000000000 +0200
    +++ b/lib/ax25.c 2024-09-02 00:22:10.909106399 +0200
    @@ -49,7 +49,7 @@ extern struct aftype ax25_aftype;

    static const char AX25_print(const char ptr)
    {
    - static char buff[8];
    + static char buff[10];
    int i;

     for (i = 0; i < 6; i++) {
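    Review bot: same paste artifact as in the previous diff, the `*` characters are missing from the `AX25_print` signature in the context line, so this hunk will not apply cleanly. Content-wise, `buff[10]` combined with the unchanged `sprintf(&buff[strlen(buff)], "-%d", i)` covers the maximum 6 + 3 + 1 bytes; an snprintf bounded by `sizeof(buff) - strlen(buff)` would make that limit explicit in the code rather than leaving it to arithmetic in a review comment.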
    
     

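The formatter under discussion written with an explicit bound, as an added example and not net-tools' own lib/ax25.c: it appends the SSID at the real end of the callsign (Bernd's and Bernard's strlen point) and sizes the buffer for the 6 + 3 + 1 = 10 byte worst case Mike describes, with snprintf refusing anything smaller. It assumes the standard AX.25 address layout (callsign ASCII shifted left by one bit, space-padded, SSID in bits 1-4 of byte 6, matching the `(ptr[6] & 0x1E) >> 1` on the page); `ax25_encode` is a constructed helper for building test input.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not net-tools' lib/ax25.c: decode a 7-byte AX.25 address into
 * "CALLSIGN-SSID" with a bounded buffer.  Assumed layout: bytes 0-5 hold the
 * callsign ASCII shifted left one bit, space-padded; SSID is bits 1-4 of byte 6. */
#define AX25_BUF 10   /* 6 callsign chars + "-15" + NUL: the 10-byte worst case */

/* Returns the length written (without NUL), or -1 if out is too small. */
int ax25_format(const unsigned char *addr, char *out, size_t outlen)
{
    size_t n;
    int ssid, w;
    if (outlen == 0)
        return -1;
    /* Callsign: stop at the first space, as the net-tools loop does, so the
     * result may be shorter than 6 characters. */
    for (n = 0; n < 6; n++) {
        char c = (char)(addr[n] >> 1);
        if (c == ' ')
            break;
        if (n + 1 >= outlen) {
            out[0] = '\0';
            return -1;
        }
        out[n] = c;
    }
    out[n] = '\0';
    ssid = (addr[6] & 0x1E) >> 1;
    if (ssid != 0) {
        /* Append at the real end of the callsign (n == strlen(out)), never at
         * a fixed offset 6, and let snprintf enforce the remaining space. */
        w = snprintf(out + n, outlen - n, "-%d", ssid);
        if (w < 0 || (size_t)w >= outlen - n) {
            out[0] = '\0';
            return -1;
        }
        n += (size_t)w;
    }
    return (int)n;
}

/* Constructed test helper: build a 7-byte address from a callsign and SSID. */
void ax25_encode(const char *call, int ssid, unsigned char *addr)
{
    size_t i, len = strlen(call);
    for (i = 0; i < 6; i++)
        addr[i] = (unsigned char)((i < len ? call[i] : ' ') << 1);
    addr[6] = (unsigned char)((ssid & 0x0F) << 1);
}
```

Passing a 9-byte destination with a 6-character callsign and SSID 15 returns -1 instead of overflowing, which is the case `buff[9]` missed.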