Bug 418481

Summary: mcrypt 2.6.6-2 / libmcrypt 2.5.8-4 crash with buffer overflow when encrypting
Product: [Fedora] Fedora
Reporter: Olin Shivers <olin.redhat.7ia>
Component: mcrypt
Assignee: Tom "spot" Callaway <tcallawa>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: low
Version: 8
CC: jws, olin.redhat.7ia
Hardware: i386   
OS: Linux   
Fixed In Version: 2.6.7-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-03 01:41:42 UTC

Description Olin Shivers 2007-12-10 17:32:41 UTC
Description of problem:
-----------------------
I am running a fresh Fedora 8 install on an IBM ThinkPad X31. I have
the latest yum-installed updates. Uname says of my system:
    2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 i686 i386 GNU/Linux

The bug: I cannot get mcrypt to encrypt. It will *decrypt*, but
it crashes on encryption, reporting a buffer overflow. I have
SELinux running in permissive/warning mode, so it should not be
messing with things, by the way.

Encryption is pretty basic to administering a machine, e.g. for backups
and so forth. So this seems like a pretty critical thing to go wrong.
It worked fine under my previous Fedora 7 install on the same machine.
(By the way, when I say "fresh Fedora 8 install" above, I mean
that I started with a new, blank disk drive and installed F8 onto
it, then tweaked the /etc files & copied a /home partition over
from an older drive.)

Given how basic encryption is, it is a little suspicious that this bug
doesn't already appear in the bugzilla base -- makes me wonder if there
is something particular about my system. I will be interested to see if
y'all can reproduce the bug on your own 386 systems.

Note that mcrypt works fine on my x86_64 Ubuntu systems -- which
are providing the older mcrypt 2.6.4 and libmcrypt 2.5.7.


Version-Release number of selected component (if applicable):
-------------------------------------------------------------
mcrypt.i386 0:2.6.6-2.fc8
libmcrypt.i386 0:2.5.8-4.fc8


How reproducible:
-----------------
Easily reproducible with 100% reliability on my system. I do not have access
to other Fedora 8 systems on which to try it.  


Steps to Reproduce:
-------------------
1. Encrypt the string "foo" with key "bar" & throw away the result, with:
       echo foo | /usr/bin/mcrypt -k bar > /dev/null
2. Hopefully, observe crash shown below.

  
Actual results:
---------------
% echo foo | /usr/bin/mcrypt -k bar > /dev/null
Warning: It is insecure to specify keywords in the command line
*** buffer overflow detected ***: mcrypt terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0xd12b58]
/lib/libc.so.6[0xd11200]
mcrypt[0x8052130]
mcrypt[0x8053f33]
mcrypt[0x804dcab]
mcrypt[0x804c4f5]
/lib/libc.so.6(__libc_start_main+0xe0)[0xc3f390]
mcrypt[0x8049f71]
Aborted
%


Expected results:
-----------------
According to my Ubuntu system:

    % echo foo | /usr/bin/mcrypt -k bar > /dev/null
    Warning: It is insecure to specify keywords in the command line
    Stdin was encrypted.
    %
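
A triage sketch for the abort output in the report above, added here as an example and not part of the original report or of mcrypt: it parses the glibc backtrace lines, confirms that the abort came through `__fortify_fail`, and reports the first frame outside libc, which is the return address of the call whose bounds check failed. The function names and the `addr2line` follow-up are assumptions, as is treating `/usr/bin/mcrypt` as a non-PIE binary with matching debuginfo installed.

```python
import re

# Backtrace section copied from the crash output in the report above.
CRASH = """\
*** buffer overflow detected ***: mcrypt terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0xd12b58]
/lib/libc.so.6[0xd11200]
mcrypt[0x8052130]
mcrypt[0x8053f33]
mcrypt[0x804dcab]
mcrypt[0x804c4f5]
/lib/libc.so.6(__libc_start_main+0xe0)[0xc3f390]
mcrypt[0x8049f71]
"""

# One glibc backtrace line: module, optional (symbol+offset), [address].
FRAME = re.compile(r"^(?P<module>[^\s(\[]+)"
                   r"(?:\((?P<symbol>[^)+]*)(?:\+0x[0-9a-f]+)?\))?"
                   r"\[0x(?P<addr>[0-9a-f]+)\]$")

def parse_frames(text):
    """Return [(module, symbol_or_None, address)] from the Backtrace section."""
    frames, in_backtrace = [], False
    for line in text.splitlines():
        if line.startswith("======="):        # section header
            in_backtrace = "Backtrace" in line
            continue
        match = FRAME.match(line.strip()) if in_backtrace else None
        if match:
            frames.append((match["module"], match["symbol"] or None,
                           int(match["addr"], 16)))
    return frames

def triage(text, binary="/usr/bin/mcrypt"):
    """Summarise a fortify abort: which module made the checked libc call?"""
    frames = parse_frames(text)
    # Frames are innermost first; the first one outside libc is the return
    # address of the call whose bounds check failed.
    call_site = next((f for f in frames if "libc.so" not in f[0]), None)
    return {
        "fortify_abort": any(sym == "__fortify_fail" for _, sym, _ in frames),
        "modules": list(dict.fromkeys(mod for mod, _, _ in frames)),
        "call_site": call_site,
        # Follow-up command; assumes a non-PIE binary and matching debuginfo.
        "resolve_with": call_site and f"addr2line -f -e {binary} {call_site[2]:#x}",
    }

print(triage(CRASH))
```

Every non-libc frame in this backtrace belongs to `mcrypt` and none to libmcrypt, so the call that tripped the check was made from the mcrypt binary itself.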

Comment 1 Olin Shivers 2007-12-15 15:34:45 UTC
Rolling back to
    mcrypt-2.6.4-3.fc6
    libmcrypt-2.5.7-5.fc6
fixes the problem. (These are the versions currently used by Ubuntu.)
    -Olin


Comment 2 Tom "spot" Callaway 2007-12-17 11:58:28 UTC
Perhaps, but rolling back to older versions is a bit of a copout. I've fixed the
overflow issue, and will be pushing packages to testing shortly.

Comment 3 Fedora Update System 2007-12-20 19:52:06 UTC
mcrypt-2.6.7-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
    su -c 'yum --enablerepo=updates-testing update mcrypt'

Comment 4 Fedora Update System 2007-12-20 20:15:33 UTC
mcrypt-2.6.7-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
    su -c 'yum --enablerepo=updates-testing update mcrypt'

Comment 5 Fedora Update System 2008-01-03 01:41:09 UTC
mcrypt-2.6.7-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-01-03 01:41:41 UTC
mcrypt-2.6.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Jeff Schultz 2008-02-01 06:11:40 UTC
Well, problems persist for me.  It seems to be a performance problem more than
anything else.  Encrypting very small files works, though it seems to be slow,
but anything more than a few MB just sits there chewing CPU.

I have

mcrypt-2.6.7-1.fc8
libmcrypt-2.5.8-4.fc8


Comment 8 Jeff Schultz 2008-02-01 06:37:29 UTC
Rebuilding mcrypt-2.6.4-3 from FC6 on my F8 box works.  Looks like something's
been broken since.

Comment 9 Tom "spot" Callaway 2008-02-19 20:26:33 UTC
Jeff, if you can give me some sort of test case, please open a new bug for the
performance problems.