Bug 1404291

Summary: vsftpd stack overflow on incorrect config file
Product: Red Hat Enterprise Linux 7 Reporter: Paulo Andrade <pandrade>
Component: vsftpdAssignee: Martin Sehnoutka <msehnout>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 7.2CC: sbroz
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-15 08:51:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Paulo Andrade 2016-12-13 14:49:37 UTC 
Backtrace looks like:

#0  0x00007fa18db538f1 in __openat_nocancel (mode=<optimized out>, oflag=-128, 
    file=0x3 <Address 0x3 out of bounds>, fd=0)
    at ../sysdeps/unix/sysv/linux/openat.c:94
#1  __GI___openat (fd=0, file=0x3 <Address 0x3 out of bounds>, 
    oflag=<optimized out>) at ../sysdeps/unix/sysv/linux/openat.c:170
#2  0x00007fa18f0f9023 in vsf_sysutil_activate_noblock (fd=-902463408, 
    fd@entry=0) at sysutil.c:766
#3  0x00007fa18f0e874b in bug (p_text=p_text@entry=0x7fa18f1013d4 "fcntl")
    at utility.c:44
#4  0x00007fa18f0e8799 in die (p_text=p_text@entry=0x7fa18f1013d4 "fcntl")
    at utility.c:19
#5  0x00007fa18f0f9070 in vsf_sysutil_activate_noblock (fd=fd@entry=0)
    at sysutil.c:769
#6  0x00007fa18f0e874b in bug (p_text=p_text@entry=0x7fa18f1013d4 "fcntl")
    at utility.c:44
#7  0x00007fa18f0e8799 in die (p_text=p_text@entry=0x7fa18f1013d4 "fcntl")
    at utility.c:19
#8  0x00007fa18f0f9070 in vsf_sysutil_activate_noblock (fd=fd@entry=0)
    at sysutil.c:769
...

basically, it enters an infinite recursion where
vsf_sysutil_activate_noblock() calls die() that calls
bug() that calls vsf_sysutil_activate_noblock().

  Reproducer and possible patch listed at:
https://lists.freebsd.org/pipermail/freebsd-ports-bugs/2005-October/068040.html
Comment 2 Martin Sehnoutka 2016-12-15 08:51:39 UTC 
Hi,

Thank you for you report, did you really try it with our version vsftpd package? 

From my point of view our version of vsftpd is slightly modified and this bug does not work for it.
Comment 3 Paulo Andrade 2016-12-15 14:05:02 UTC 
  I am uncertain how the customer managed to generated the
coredump using vsftpd-3.0.2-11.el7_2.x86_64.

  The issue can be reproduced with:

---8<---
# echo "a'/." >> /etc/vsftpd/vsftpd.conf

$ cat fcntl.c
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>
#include <sys/types.h>

/* Function pointers to hold the value of the glibc functions */
static  int (*real_fcntl)(int fd, int cmd, ...) = NULL;

int fcntl(int fd, int cmd, ...)
{
    if (real_fcntl == NULL)
        real_fcntl = dlsym(RTLD_NEXT, "write");
    if (fd == 0)
	return -1;
    return real_fcntl(fd, cmd);
}

$ gcc -D_GNU_SOURCE=1 -o fcntl.so -shared -fPIC fcntl.c -ldl
$ LD_PRELOAD=$PWD/fcntl.so vsftpd 
---8<---
Comment 4 Stepan Broz 2019-09-20 09:51:15 UTC 

*** This bug has been marked as a duplicate of bug 1666380 ***