Bug 2146585
| Summary: | buffer overflow in globus_list_cmp_alias_ent | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Siddhesh Poyarekar <sipoyare> |
| Component: | globus-gridftp-server | Assignee: | Mattias Ellert <mattias.ellert> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | mattias.ellert |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | globus-gridftp-server-13.24-3.fc37 globus-gridftp-server-13.24-3.fc36 globus-gridftp-server-13.24-3.fc35 globus-gridftp-server-13.24-3.el8 globus-gridftp-server-13.24-3.el9 globus-gridftp-server-13.24-3.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-07 01:34:41 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
FEDORA-EPEL-2022-878b3e2880 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-878b3e2880 FEDORA-2022-bcd00d4a3e has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-bcd00d4a3e FEDORA-2022-df7b42ebed has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-df7b42ebed FEDORA-EPEL-2022-3c6c0a8982 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-3c6c0a8982 FEDORA-EPEL-2022-ef60569e1c has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-ef60569e1c FEDORA-2022-bcd00d4a3e has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-bcd00d4a3e` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-bcd00d4a3e See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-937753109c has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-937753109c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-937753109c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-df7b42ebed has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-df7b42ebed` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-df7b42ebed See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2022-3c6c0a8982 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-3c6c0a8982 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2022-878b3e2880 has been pushed to the Fedora EPEL 9 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-878b3e2880 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-EPEL-2022-ef60569e1c has been pushed to the Fedora EPEL 7 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-ef60569e1c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-937753109c has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2022-bcd00d4a3e has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2022-df7b42ebed has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-EPEL-2022-3c6c0a8982 has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-EPEL-2022-878b3e2880 has been pushed to the Fedora EPEL 9 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-EPEL-2022-ef60569e1c has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report. |
Description of problem: Building globus-gridftp-server with _FORTIFY_SOURCE=3 exposes a problem in globus_list_cmp_alias_ent where it calls strcpy with the destination being smaller than the required size. Version-Release number of selected component (if applicable): globus-gridftp-server-13.24-2.fc37 How reproducible: Always Steps to Reproduce: 1. dnf copr enable siddhesh/fortify-source-3 2. Build globus-gridftp-server package using rpmbuild Actual results: FAIL: cmp_alias_ent_test ======================== *** buffer overflow detected ***: terminated Expected results: No failure. Additional info: It looks like a buffer overflow in strcpy in globus_list_cmp_alias_ent. Here's the backtrace: #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44 #1 0x00007f8899908373 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78 #2 0x00007f88998b6056 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #3 0x00007f889989f87c in __GI_abort () at abort.c:79 #4 0x00007f88998a05b3 in __libc_message (fmt=fmt@entry=0x7f8899a153ed "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:150 #5 0x00007f8899997c5b in __GI___fortify_fail (msg=msg@entry=0x7f8899a15393 "buffer overflow detected") at fortify_fail.c:24 #6 0x00007f8899996486 in __GI___chk_fail () at chk_fail.c:28 #7 0x00007f8899995d06 in __strcpy_chk (dest=dest@entry=0x7ffc9e0c2070 "", src=0x55df812ca020 "hell[o]", destlen=destlen@entry=6) at strcpy_chk.c:30 #8 0x00007f8899a90230 in strcpy (__src=<optimized out>, __dest=<optimized out>, __dest=<optimized out>, __src=<optimized out>) at /usr/include/bits/string_fortified.h:79 #9 globus_list_cmp_alias_ent (a=a@entry=0x7ffc9e0c2140, b=b@entry=0x7ffc9e0c21b0, arg=arg@entry=0x0) at /root/rpmbuild/BUILD/globus_gridftp_server-13.24/globus_i_gfs_data.c:3051 #10 0x000055df812c92d1 in main () at /root/rpmbuild/BUILD/globus_gridftp_server-13.24/test/cmp_alias_ent_test.c:115 The offending code is in globus_list_cmp_alias_ent: 3051 strcpy(b_tmp, b_ent->alias ? b_ent->alias : ""); As seen in frame #7, the source string is 7 bytes, thus needing 8 bytes to accommodate. The destination (i.e. b_tmp) however only has 6 bytes due to: (gdb) list globus_list_cmp_alias_ent ... 3045 char b_tmp[b_ent->alias_len+1]; ... (gdb) p b_ent->alias_len $1 = 5