Re: v2.2.3 buffer overflow detected

[Mark Burgess]

Daryl,

I think I found this problem, although I was not able to reproduce it.
Patch in svn revision 526. If you would test this for me, I'd be grateful.

M

Daryl Grunau wrote:
> Ok, I took your suggestion to download the latest svn and run it.  I
> also installed the debuginfo package of this svn so more info would be
> shown on failure.  Following is output from the gdb trace:
> 
> Program received signal SIGABRT, Aborted.
> [Switching to Thread 4398046733888 (LWP 3480)]
> 0x0000008054683bb4 in .raise () from /lib64/libc.so.6
> (gdb) where
> #0  0x0000008054683bb4 in .raise () from /lib64/libc.so.6
> #1  0x0000008054685bac in .abort () from /lib64/libc.so.6
> #2  0x00000080546c2454 in .__libc_message () from /lib64/libc.so.6
> #3  0x000000805475b148 in .__fortify_fail () from /lib64/libc.so.6
> #4  0x0000008054758d14 in .__chk_fail () from /lib64/libc.so.6
> #5  0x0000008054757a10 in .__strcat_chk () from /lib64/libc.so.6
> #6  0x000000001008f8dc in Get2DListEnt (list=0x10220ca0) at
> /usr/include/bits/string3.h:145
> #7  0x000000001004c84c in AppendScript (
>     item=0x101dbaf0 "/bin/bash -c '/bin/rpm --quiet -q --root /vnfs/$0
> ${ww_image_common_rpms} && exit 1 || (/usr/bin/test -f
> /vnfs/$0/etc/yum.conf && /usr/bin/yum -y -t -d 0 --disablerepo=updates
> -c /vnfs/$0/etc/yum.conf"..., timeout=300, useshell=121 'y',
> uidname=0x101d4a80 "0",
>     gidname=0x101d5a90 "0") at install.c:3466
> #8  0x0000000010055afc in InstallPending (action=<value optimized
> out>) at install.c:2644
> #9  0x00000000100728a0 in yylex () at cflex.l:280
> #10 0x0000000010068f68 in yyparse () at y.tab.c:1409
> #11 0x0000000010034ff4 in ParseFile (
>     filename=0xfffffbca148 "/var/cfengine/inputs/generic/cf.setup_warewulf",
>     env=<value optimized out>, audit=1) at parse.c:1068
> #12 0x0000000010035e9c in ParseInputFile (file=0x1018c848
> "cfagent.conf", audit=1) at parse.c:100
> #13 0x00000000100097e8 in main (argc=2, argv=0x10093c88) at cfagent.c:200
> #14 0x000000805466b184 in .generic_start_main () from /lib64/libc.so.6
> #15 0x000000805466b39c in .__libc_start_main () from /lib64/libc.so.6
> #16 0x0000000000000000 in ?? ()
> 
> Thanks for any help!
> 
> Daryl
> 
> On 2/8/08, Mark Burgess <[EMAIL PROTECTED]> wrote:
>> Daryl - it is possibly due to a typo that was just detected and fixed.
>> If you are willing to try the latest svn version, it might fix the
>> problem.
>>
>> Mark
>>
>> Daryl Grunau wrote:
>>> Hi, I running this version of cfengine in FC8 and keep getting the
>>> following runtime error:
>>>
>>> [EMAIL PROTECTED] [1658] # cfagent -qxK
>>> *** buffer overflow detected ***: cfagent terminated
>>> ======= Backtrace: =========
>>> /lib64/libc.so.6(__fortify_fail-0x8da20)[0x805475b148]
>>> /lib64/libc.so.6(__chk_fail-0x8fb34)[0x8054758d14]
>>> /lib64/libc.so.6(__strcat_chk-0x90d48)[0x8054757a10]
>>> cfagent[0x1008e53c]
>>> cfagent[0x1004c39c]
>>> cfagent[0x1005571c]
>>> cfagent[0x100723f0]
>>> cfagent[0x10068ab8]
>>> cfagent[0x10034b44]
>>> cfagent[0x100359ec]
>>> cfagent[0x100097e8]
>>> /lib64/libc.so.6[0x805466b184]
>>> /lib64/libc.so.6(__libc_start_main-0x175924)[0x805466b39c]
>>> ======= Memory map: ========
>>> 00100000-00103000 r-xp 00100000 00:00 0                                  
>>> [vdso]
>>> 10000000-100c8000 r-xp 00000000 08:03 39455915
>>>   /usr/sbin/cfagent
>>> 100d7000-100ea000 rw-p 000c7000 08:03 39455915
>>>   /usr/sbin/cfagent
>>> 100ea000-10237000 rw-p 100ea000 00:00 0                                  
>>> [heap]
>>> 80545d0000-80545fc000 r-xp 00000000 08:03 21332054
>>>   /lib64/ld-2.7.so
>>> 805460f000-8054610000 r--p 0002f000 08:03 21332054
>>>   /lib64/ld-2.7.so
>>> 8054610000-8054613000 rw-p 00030000 08:03 21332054
>>>   /lib64/ld-2.7.so
>>> 8054620000-80547c4000 r-xp 00000000 08:03 21332043
>>>   /lib64/libc-2.7.so
>>> 80547c4000-80547dc000 ---p 001a4000 08:03 21332043
>>>   /lib64/libc-2.7.so
>>> 80547dc000-80547e0000 r--p 001ac000 08:03 21332043
>>>   /lib64/libc-2.7.so
>>> 80547e0000-80547f0000 rw-p 001b0000 08:03 21332043
>>>   /lib64/libc-2.7.so
>>> 80547f0000-80547f4000 rw-p 80547f0000 00:00 0
>>> 8054800000-80548bf000 r-xp 00000000 08:03 21332047
>>>   /lib64/libm-2.7.so
>>> 80548bf000-80548cf000 ---p 000bf000 08:03 21332047
>>>   /lib64/libm-2.7.so
>>> 80548cf000-80548d0000 r--p 000bf000 08:03 21332047
>>>   /lib64/libm-2.7.so
>>> 80548d0000-80548d9000 rw-p 000c0000 08:03 21332047
>>>   /lib64/libm-2.7.so
>>> 80548e0000-80548e4000 r-xp 00000000 08:03 21331977
>>>   /lib64/libdl-2.7.so
>>> 80548e4000-80548ff000 ---p 00004000 08:03 21331977
>>>   /lib64/libdl-2.7.so
>>> 80548ff000-8054900000 r--p 0000f000 08:03 21331977
>>>   /lib64/libdl-2.7.so
>>> 8054900000-8054901000 rw-p 00010000 08:03 21331977
>>>   /lib64/libdl-2.7.so
>>> 8054910000-805492e000 r-xp 00000000 08:03 21332049
>>>   /lib64/libpthread-2.7.so
>>> 805492e000-805493f000 ---p 0001e000 08:03 21332049
>>>   /lib64/libpthread-2.7.so
>>> 805493f000-8054940000 r--p 0001f000 08:03 21332049
>>>   /lib64/libpthread-2.7.so
>>> 8054940000-8054942000 rw-p 00020000 08:03 21332049
>>>   /lib64/libpthread-2.7.so
>>> 8054942000-8054946000 rw-p 8054942000 00:00 0
>>> 8054950000-8054969000 r-xp 00000000 08:03 21331983
>>>   /lib64/libz.so.1.2.3
>>> 8054969000-8054978000 ---p 00019000 08:03 21331983
>>>   /lib64/libz.so.1.2.3
>>> 8054978000-805497a000 rw-p 00018000 08:03 21331983
>>>   /lib64/libz.so.1.2.3
>>> 8054e70000-8054e87000 r-xp 00000000 08:03 21331987
>>>   /lib64/libresolv-2.7.so
>>> 8054e87000-8054e9f000 ---p 00017000 08:03 21331987
>>>   /lib64/libresolv-2.7.so
>>> 8054e9f000-8054ea0000 r--p 0001f000 08:03 21331987
>>>   /lib64/libresolv-2.7.so
>>> 8054ea0000-8054ea2000 rw-p 00020000 08:03 21331987
>>>   /lib64/libresolv-2.7.so
>>> 8054ea2000-8054ea4000 rw-p 8054ea2000 00:00 0
>>> 8055010000-805501b000 r-xp 00000000 08:03 21332044
>>>   /lib64/librt-2.7.so
>>> 805501b000-805502f000 ---p 0000b000 08:03 21332044
>>>   /lib64/librt-2.7.so
>>> 805502f000-8055030000 r--p 0000f000 08:03 21332044
>>>   /lib64/librt-2.7.so
>>> 8055030000-8055031000 rw-p 00010000 08:03 21332044
>>>   /lib64/librt-2.7.so
>>> 8055031000-8055032000 rw-p 8055031000 00:00 0
>>> 8056500000-80566ae000 r-xp 00000000 08:03 21332077
>>>   /lib64/libcrypto.so.0.9.8b
>>> 80566ae000-80566b0000 ---p 001ae000 08:03 21332077
>>>   /lib64/libcrypto.so.0.9.8b
>>> 80566b0000-80566e0000 rw-p 001b0000 08:03 21332077
>>>   /lib64/libcrypto.so.0.9.8b
>>> 80566e0000-80566e4000 rw-p 80566e0000 00:00 0
>>> 80566f0000-805670f000 r-xp 00000000 08:03 21332052
>>>   /lib64/libnsl-2.7.so
>>> 805670f000-805671f000 ---p 0001f000 08:03 21332052
>>>   /lib64/libnsl-2.7.so
>>> 805671f000-8056720000 r--p 0001f000 08:03 21332052
>>>   /lib64/libnsl-2.7.so
>>> 8056720000-8056722000 rw-p 00020000 08:03 21332052
>>>   /lib64/libnsl-2.7.so
>>> 8056722000-8056725000 rw-p 8056722000 00:00 0
>>> 80681f0000-806838d000 r-xp 00000000 08:03 21332100
>>>   /lib64/libdb-4.6.so
>>> 806838d000-8068390000 ---p 0019d000 08:03 21332100
>>>   /lib64/libdb-4.6.so
>>> 8068390000-80683a8000 rw-p 001a0000 08:03 21332100
>>>   /lib64/libdb-4.6.so
>>> 80683b0000-80683be000 r-xp 00000000 08:03 21331993
>>>   /lib64/libnss_nis-2.7.so
>>> 80683be000-80683cf000 ---p 0000e000 08:03 21331993
>>>   /lib64/libnss_nis-2.7.so
>>> 80683cf000-80683d0000 r--p 0000f000 08:03 21331993
>>>   /lib64/libnss_nis-2.7.so
>>> 80683d0000-80683d1000 rw-p 00010000 08:03 21331993
>>>   /lib64/libnss_nis-2.7.so
>>> 80683e0000-80683ef000 r-xp 00000000 08:03 21332061
>>>   /lib64/libnss_files-2.7.so
>>> 80683ef000-80683ff000 ---p 0000f000 08:03 21332061
>>>   /lib64/libnss_files-2.7.so
>>> 80683ff000-8068400000 r--p 0000f000 08:03 21332061
>>>   /lib64/libnss_files-2.7.so
>>> 8068400000-8068401000 rw-p 00010000 08:03 21332061
>>>   /lib64/libnss_files-2.7.so
>>> 8068401000-8068402000 rw-p 8068401000 00:00 0
>>> 40000000000-40000002000 rw-p 40000000000 00:00 0
>>> 40000032000-40000038000 rw-p 40000032000 00:00 0
>>> 40000038000-4000003d000 r-xp 00000000 08:03 21331991
>>>   /lib64/libnss_dns-2.7.so
>>> 4000003d000-40000057000 ---p 00005000 08:03 21331991
>>>   /lib64/libnss_dns-2.7.so
>>> 40000057000-40000058000 r--p 0000f000 08:03 21331991
>>>   /lib64/libnss_dns-2.7.so
>>> 40000058000-40000059000 rw-p 00010000 08:03 21331991
>>>   /lib64/libnss_dns-2.7.so
>>> fffff98d000-fffff9e5000 rw-p ffffffa8000 00:00 0                         
>>> [stack]
>>> Aborted
>>>
>>>
>>> I narrowed down the problem to the following offending rule:
>>>
>>> shellcommands:
>>>    WarewulfServer::
>>>       "/bin/bash -c '/usr/bin/yum -c /tmp/$0/etc/yum.conf
>>> --installroot /tmp/$0 install ${rpms})' $(ww_image)"
>>>
>>> Here ${rpms} is simply a rather long string of RPM names, space
>>> delimited (i.e. not an iterator).  The variable $(ww_image) is
>>> intended to be an iterator (colon delimited) but currently only has 1
>>> element, e.g. "f8_ppc".  Any help getting to the bottom of this
>>> problem would be greatly appreciated!
>>>
>>> Daryl
>>>
>>> P.s. I tried the same cfengine input deck under v 2.1.14 and 2.1.22
>>> with the same result.  I found this URL speaking to the automatic
>>> buffer overflow checking in newer versions of GCC/glibc:
>>>
>>>    http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
>>> _______________________________________________
>>> Bug-cfengine mailing list
>>> Bug-cfengine@cfengine.org
>>> https://cfengine.org/mailman/listinfo/bug-cfengine
>> --
>>
>>
>> Mark Burgess
>>
>> Web: http://www.iu.hio.no/~mark
>> Tlf: +47 22453272
>>

-- 


Mark Burgess

Web: http://www.iu.hio.no/~mark
Tlf: +47 22453272
_______________________________________________
Bug-cfengine mailing list
Bug-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/bug-cfengine