Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159196 - multiple memory management issues
Summary: multiple memory management issues
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: strace
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Roland McGrath
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-05-31 13:41 UTC by Dmitry V. Levin
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: 4.5.12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-11 16:44:23 UTC


Attachments (Terms of Use)
strace-4.5.11-alt-mem-fixes.patch for cvs snapshot 20050526 (deleted)
2005-05-31 13:43 UTC, Dmitry V. Levin
no flags Details | Diff
xattr.c (deleted)
2005-05-31 13:52 UTC, Dmitry V. Levin
no flags Details
iov.c (deleted)
2005-05-31 14:00 UTC, Dmitry V. Levin
no flags Details
nodes.c (deleted)
2005-05-31 14:04 UTC, Dmitry V. Levin
no flags Details
msg.c (deleted)
2005-05-31 14:08 UTC, Dmitry V. Levin
no flags Details
msg2.c (deleted)
2005-05-31 14:10 UTC, Dmitry V. Levin
no flags Details
setgroups.c (deleted)
2005-05-31 14:13 UTC, Dmitry V. Levin
no flags Details
poll.c (deleted)
2005-05-31 14:17 UTC, Dmitry V. Levin
no flags Details
sysctl.c (deleted)
2005-05-31 14:21 UTC, Dmitry V. Levin
no flags Details

Description Dmitry V. Levin 2005-05-31 13:41:44 UTC
After your recent fixes for strace crashes, I reviewed strace for other memory management issues.  I found 8 bugs which could lead to easily reproduced crash, and 4 bugs which are unlikely to be triggered.  Still unclear, whether some of these overflows could lead to privilege escalation or not, so setting "security" tag in case they are not just crash bugs.

Comment 1 Dmitry V. Levin 2005-05-31 13:43:29 UTC
Created attachment 114990 [details]
strace-4.5.11-alt-mem-fixes.patch for cvs snapshot 20050526

Proposed fix.

Comment 2 Dmitry V. Levin 2005-05-31 13:52:13 UTC
Created attachment 114992 [details]
xattr.c

This program demonstrates crash in print_xattr_val().
Test with "strace -e trace=fsetxattr ./xattr".

Comment 3 Dmitry V. Levin 2005-05-31 14:00:28 UTC
Created attachment 114993 [details]
iov.c

This program demonstrates crash in tprint_iov().
Test with "strace -e trace=writev ./iov".

Comment 4 Dmitry V. Levin 2005-05-31 14:04:20 UTC
Created attachment 114994 [details]
nodes.c

This program demonstrates crash in get_nodes().
Test with "strace -e trace=get_mempolicy ./nodes".

Comment 5 Dmitry V. Levin 2005-05-31 14:08:47 UTC
Created attachment 114996 [details]
msg.c

This program demonstrates crash in printcmsghdr().
Test with "strace -e trace=sendmsg ./msg".

Comment 6 Dmitry V. Levin 2005-05-31 14:10:21 UTC
Created attachment 114997 [details]
msg2.c

This program demonstrates another crash in printcmsghdr().
Test with "strace -e trace=sendmsg ./msg2".

Comment 7 Dmitry V. Levin 2005-05-31 14:13:43 UTC
Created attachment 114998 [details]
setgroups.c

This program demonstrates crash in sys_setgroups32().
Test with "strace -e trace=setgroups32 ./setgroups".

Comment 8 Dmitry V. Levin 2005-05-31 14:17:16 UTC
Created attachment 114999 [details]
poll.c

This program demonstrates crash in sys_poll().
Test with "strace -e trace=poll ./poll".

Comment 9 Dmitry V. Levin 2005-05-31 14:21:04 UTC
Created attachment 115000 [details]
sysctl.c

This program demonstrates crash in sys_sysctl().
Test with "strace -e trace=_sysctl ./sysctl".

Comment 10 Dmitry V. Levin 2005-06-01 19:09:25 UTC
Well, it is not easy to use these bugs to get something more than instant crash.
Let's remove "security" tag then?

Comment 11 Roland McGrath 2005-06-01 19:20:56 UTC
Thanks for all those test cases, and the fixes!  I've put the patch in upstream.

I'll check with our security folks whether they think these problems need to be
treated as security issues.

Comment 12 Josh Bressers 2005-06-01 19:25:12 UTC
If there is no potential for arbitrary code execution, then I don't see any of
these as being security issues.

Comment 13 Alexander Peslyak 2005-06-01 19:26:09 UTC
I also do not think these are security bugs.  That's because the program being
traced is already granted the ability to execute arbitrary code/syscalls. 
strace is not a policy enforcement tool, and not even an interactive debugger
where one may single-step or the like not letting the program do nasty things.

But we need to get the bugs fixed indeed.

(Should the Summary read "multiple", not "multiply"?)

Comment 14 Dmitry V. Levin 2005-06-01 22:22:47 UTC
I know that strace is oftenly used by root user to trace various applications,
including less privileged ones.  These bugs allow applications to overwrite
arbitrary address of strace memory, but I found no way (yet?) how it can be used
to gain control over strace itself.  Ok, lets hope it is not possible.

Comment 15 Alexander Peslyak 2005-06-02 01:24:44 UTC
Oh, you're referring to strace's ability to attach to already-executing
processes, which may be _known_ to be _already_ running as non-root, correct? 
This is something I've overlooked when writing my previous comment.

OK, these may be security bugs, then.

Comment 16 Josh Bressers 2005-06-07 15:48:21 UTC
These fixes are in the upstream cvs, lifting embargo.

Comment 17 Dmitry V. Levin 2005-06-11 16:44:23 UTC
Fixed in strace-4.5.12.


Note You need to log in before you can comment on or make changes to this bug.