Bug 2146585 - buffer overflow in globus_list_cmp_alias_ent
Summary: buffer overflow in globus_list_cmp_alias_ent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: globus-gridftp-server
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mattias Ellert
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-23 17:55 UTC by Siddhesh Poyarekar
Modified: 2022-12-07 03:38 UTC (History)

Fixed In Version: globus-gridftp-server-13.24-3.fc37 globus-gridftp-server-13.24-3.fc36 globus-gridftp-server-13.24-3.fc35 globus-gridftp-server-13.24-3.el8 globus-gridftp-server-13.24-3.el9 globus-gridftp-server-13.24-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-12-07 01:34:41 UTC
Type: Bug
Embargoed:


Description Siddhesh Poyarekar 2022-11-23 17:55:53 UTC
Description of problem:
Building globus-gridftp-server with _FORTIFY_SOURCE=3 exposes a problem in globus_list_cmp_alias_ent where it calls strcpy with the destination being smaller than the required size.

Version-Release number of selected component (if applicable):
globus-gridftp-server-13.24-2.fc37

How reproducible:
Always

Steps to Reproduce:
1. dnf copr enable siddhesh/fortify-source-3
2. Build globus-gridftp-server package using rpmbuild

Actual results:

FAIL: cmp_alias_ent_test
========================

*** buffer overflow detected ***: terminated

Expected results:

No failure.

Additional info:

It looks like a buffer overflow in strcpy in globus_list_cmp_alias_ent.  Here's the backtrace:

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007f8899908373 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f88998b6056 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f889989f87c in __GI_abort () at abort.c:79
#4  0x00007f88998a05b3 in __libc_message (fmt=fmt@entry=0x7f8899a153ed "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150
#5  0x00007f8899997c5b in __GI___fortify_fail (msg=msg@entry=0x7f8899a15393 "buffer overflow detected") at fortify_fail.c:24
#6  0x00007f8899996486 in __GI___chk_fail () at chk_fail.c:28
#7  0x00007f8899995d06 in __strcpy_chk (dest=dest@entry=0x7ffc9e0c2070 "", src=0x55df812ca020 "hell[o]", destlen=destlen@entry=6) at strcpy_chk.c:30
#8  0x00007f8899a90230 in strcpy (__src=<optimized out>, __dest=<optimized out>, __dest=<optimized out>, __src=<optimized out>) at /usr/include/bits/string_fortified.h:79
#9  globus_list_cmp_alias_ent (a=a@entry=0x7ffc9e0c2140, b=b@entry=0x7ffc9e0c21b0, arg=arg@entry=0x0) at /root/rpmbuild/BUILD/globus_gridftp_server-13.24/globus_i_gfs_data.c:3051
#10 0x000055df812c92d1 in main () at /root/rpmbuild/BUILD/globus_gridftp_server-13.24/test/cmp_alias_ent_test.c:115

The offending code is in globus_list_cmp_alias_ent:

3051        strcpy(b_tmp, b_ent->alias ? b_ent->alias : "");

As seen in frame #7, the source string is 7 bytes, thus needing 8 bytes to accommodate.  The destination (i.e. b_tmp) however only has 6 bytes due to:

(gdb) list globus_list_cmp_alias_ent
...
3045        char                                b_tmp[b_ent->alias_len+1];
...
(gdb) p b_ent->alias_len
$1 = 5
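
The report above boils down to one invariant: a stack buffer sized from a cached `alias_len` is only safe for `strcpy` while `alias_len >= strlen(alias)`, and in the failing test the cached value (5) is two bytes short of the actual string ("hell[o]", 7 bytes). The following is an added illustration, not code from the report or from globus-gridftp-server: the `struct alias_ent` and every function in it are hypothetical stand-ins whose field names merely mirror the report (`alias`, `alias_len`). It checks that invariant explicitly, measures how far a `strcpy` would overrun, and shows a comparator in the same spirit that sizes its scratch buffers from the string itself, using a bounded copy so a stale length can never turn into an overflow.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the entry type. The field names follow the bug
 * report (alias, alias_len); this is NOT the globus definition. */
struct alias_ent {
    const char *alias;
    size_t      alias_len;  /* cached length; may disagree with strlen(alias) */
};

/* The reported sizing was  char b_tmp[b_ent->alias_len + 1];  followed by
 * strcpy(b_tmp, alias). That is only safe while alias_len >= strlen(alias).
 * Returns 1 when that invariant holds, 0 otherwise. */
int vla_sizing_is_safe(const struct alias_ent *e)
{
    size_t real = e->alias ? strlen(e->alias) : 0;
    return real <= e->alias_len;
}

/* Number of bytes an unbounded strcpy would write past a buffer of
 * alias_len + 1 bytes (0 when the cached length is large enough). */
size_t strcpy_overrun_bytes(const struct alias_ent *e)
{
    size_t real = e->alias ? strlen(e->alias) : 0;
    return real > e->alias_len ? real - e->alias_len : 0;
}

/* Bounded copy with an snprintf-like contract: never writes more than dstsz
 * bytes, always NUL-terminates when dstsz > 0, and returns the length the
 * full string needs so the caller can detect truncation. */
size_t copy_alias_bounded(char *dst, size_t dstsz, const struct alias_ent *e)
{
    const char *src = e->alias ? e->alias : "";
    size_t need = strlen(src);
    if (dstsz == 0)
        return need;
    size_t n = need < dstsz - 1 ? need : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return need;
}

/* Returns 1 if copying e->alias into a buffer sized from the cached
 * alias_len (as the reported code did) would have to truncate. */
int copy_would_truncate(const struct alias_ent *e)
{
    char tmp[e->alias_len + 1];
    return copy_alias_bounded(tmp, sizeof tmp, e) > e->alias_len;
}

/* A comparator in the spirit of the reported function, but the scratch
 * buffers are sized from the strings themselves, not from alias_len. */
int cmp_alias_ent_safe(const struct alias_ent *a, const struct alias_ent *b)
{
    const char *as = a->alias ? a->alias : "";
    const char *bs = b->alias ? b->alias : "";
    char a_tmp[strlen(as) + 1];
    char b_tmp[strlen(bs) + 1];
    copy_alias_bounded(a_tmp, sizeof a_tmp, a);
    copy_alias_bounded(b_tmp, sizeof b_tmp, b);
    return strcmp(a_tmp, b_tmp);
}

int main(void)
{
    /* Constructed input modelled on frame #7: src "hell[o]", alias_len 5. */
    struct alias_ent b = { "hell[o]", 5 };
    struct alias_ent a = { "hello", 5 };

    printf("VLA sizing safe for b: %d\n", vla_sizing_is_safe(&b));
    printf("strcpy would overrun by %zu byte(s)\n", strcpy_overrun_bytes(&b));
    printf("bounded copy truncates: %d\n", copy_would_truncate(&b));
    printf("cmp(a, b) > 0: %d\n", cmp_alias_ent_safe(&a, &b) > 0);
    return 0;
}
```

With the report's values the check fails, the overrun is 2 bytes (8 needed, 6 reserved), and the bounded copy reports truncation instead of tripping `__strcpy_chk`; the comparator still orders the entries without ever trusting `alias_len`.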

Comment 1 Fedora Update System 2022-11-28 08:01:07 UTC
FEDORA-EPEL-2022-878b3e2880 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-878b3e2880

Comment 2 Fedora Update System 2022-11-28 08:01:09 UTC
FEDORA-2022-bcd00d4a3e has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bcd00d4a3e

Comment 3 Fedora Update System 2022-11-28 08:01:10 UTC
FEDORA-2022-df7b42ebed has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-df7b42ebed

Comment 4 Fedora Update System 2022-11-28 08:01:12 UTC
FEDORA-EPEL-2022-3c6c0a8982 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-3c6c0a8982

Comment 5 Fedora Update System 2022-11-28 08:01:13 UTC
FEDORA-EPEL-2022-ef60569e1c has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-ef60569e1c

Comment 6 Fedora Update System 2022-11-29 02:20:25 UTC
FEDORA-2022-bcd00d4a3e has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-bcd00d4a3e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bcd00d4a3e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2022-11-29 02:30:59 UTC
FEDORA-2022-937753109c has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-937753109c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-937753109c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2022-11-29 02:31:07 UTC
FEDORA-2022-df7b42ebed has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-df7b42ebed`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-df7b42ebed

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2022-11-29 02:44:57 UTC
FEDORA-EPEL-2022-3c6c0a8982 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-3c6c0a8982

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2022-11-29 02:46:42 UTC
FEDORA-EPEL-2022-878b3e2880 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-878b3e2880

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2022-11-29 02:51:42 UTC
FEDORA-EPEL-2022-ef60569e1c has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-ef60569e1c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2022-12-07 01:34:41 UTC
FEDORA-2022-937753109c has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2022-12-07 01:42:22 UTC
FEDORA-2022-bcd00d4a3e has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Fedora Update System 2022-12-07 01:42:44 UTC
FEDORA-2022-df7b42ebed has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2022-12-07 03:14:57 UTC
FEDORA-EPEL-2022-3c6c0a8982 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2022-12-07 03:15:21 UTC
FEDORA-EPEL-2022-878b3e2880 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 17 Fedora Update System 2022-12-07 03:38:17 UTC
FEDORA-EPEL-2022-ef60569e1c has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.
