159196 – multiple memory management issues

Bug 159196 - multiple memory management issues

Summary: multiple memory management issues

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	strace
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Roland McGrath
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-05-31 13:41 UTC by Dmitry V. Levin
Modified:	2007-11-30 22:11 UTC (History)
CC List:	2 users (show)
Fixed In Version:	4.5.12
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-06-11 16:44:23 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
strace-4.5.11-alt-mem-fixes.patch for cvs snapshot 20050526 (22.33 KB, patch) 2005-05-31 13:43 UTC, Dmitry V. Levin	no flags	Details \| Diff
xattr.c (124 bytes, text/plain) 2005-05-31 13:52 UTC, Dmitry V. Levin	no flags	Details
iov.c (149 bytes, text/plain) 2005-05-31 14:00 UTC, Dmitry V. Levin	no flags	Details
nodes.c (135 bytes, text/plain) 2005-05-31 14:04 UTC, Dmitry V. Levin	no flags	Details
msg.c (230 bytes, text/plain) 2005-05-31 14:08 UTC, Dmitry V. Levin	no flags	Details
msg2.c (404 bytes, text/plain) 2005-05-31 14:10 UTC, Dmitry V. Levin	no flags	Details
setgroups.c (119 bytes, text/plain) 2005-05-31 14:13 UTC, Dmitry V. Levin	no flags	Details
poll.c (164 bytes, text/plain) 2005-05-31 14:17 UTC, Dmitry V. Levin	no flags	Details
sysctl.c (289 bytes, text/plain) 2005-05-31 14:21 UTC, Dmitry V. Levin	no flags	Details
View All

Description Dmitry V. Levin 2005-05-31 13:41:44 UTC

After your recent fixes for strace crashes, I reviewed strace for other memory management issues.  I found 8 bugs which could lead to easily reproduced crash, and 4 bugs which are unlikely to be triggered.  Still unclear, whether some of these overflows could lead to privilege escalation or not, so setting "security" tag in case they are not just crash bugs.

Comment 1 Dmitry V. Levin 2005-05-31 13:43:29 UTC

Created attachment 114990 [details]
strace-4.5.11-alt-mem-fixes.patch for cvs snapshot 20050526

Proposed fix.

Comment 2 Dmitry V. Levin 2005-05-31 13:52:13 UTC

Created attachment 114992 [details]
xattr.c

This program demonstrates crash in print_xattr_val().
Test with "strace -e trace=fsetxattr ./xattr".

Comment 3 Dmitry V. Levin 2005-05-31 14:00:28 UTC

Created attachment 114993 [details]
iov.c

This program demonstrates crash in tprint_iov().
Test with "strace -e trace=writev ./iov".

Comment 4 Dmitry V. Levin 2005-05-31 14:04:20 UTC

Created attachment 114994 [details]
nodes.c

This program demonstrates crash in get_nodes().
Test with "strace -e trace=get_mempolicy ./nodes".

Comment 5 Dmitry V. Levin 2005-05-31 14:08:47 UTC

Created attachment 114996 [details]
msg.c

This program demonstrates crash in printcmsghdr().
Test with "strace -e trace=sendmsg ./msg".

Comment 6 Dmitry V. Levin 2005-05-31 14:10:21 UTC

Created attachment 114997 [details]
msg2.c

This program demonstrates another crash in printcmsghdr().
Test with "strace -e trace=sendmsg ./msg2".

Comment 7 Dmitry V. Levin 2005-05-31 14:13:43 UTC

Created attachment 114998 [details]
setgroups.c

This program demonstrates crash in sys_setgroups32().
Test with "strace -e trace=setgroups32 ./setgroups".

Comment 8 Dmitry V. Levin 2005-05-31 14:17:16 UTC

Created attachment 114999 [details]
poll.c

This program demonstrates crash in sys_poll().
Test with "strace -e trace=poll ./poll".

Comment 9 Dmitry V. Levin 2005-05-31 14:21:04 UTC

Created attachment 115000 [details]
sysctl.c

This program demonstrates crash in sys_sysctl().
Test with "strace -e trace=_sysctl ./sysctl".

Comment 10 Dmitry V. Levin 2005-06-01 19:09:25 UTC

Well, it is not easy to use these bugs to get something more than instant crash.
Let's remove "security" tag then?

Comment 11 Roland McGrath 2005-06-01 19:20:56 UTC

Thanks for all those test cases, and the fixes!  I've put the patch in upstream.

I'll check with our security folks whether they think these problems need to be
treated as security issues.

Comment 12 Josh Bressers 2005-06-01 19:25:12 UTC

If there is no potential for arbitrary code execution, then I don't see any of
these as being security issues.

Comment 13 Alexander Peslyak 2005-06-01 19:26:09 UTC

I also do not think these are security bugs.  That's because the program being
traced is already granted the ability to execute arbitrary code/syscalls. 
strace is not a policy enforcement tool, and not even an interactive debugger
where one may single-step or the like not letting the program do nasty things.

But we need to get the bugs fixed indeed.

(Should the Summary read "multiple", not "multiply"?)

Comment 14 Dmitry V. Levin 2005-06-01 22:22:47 UTC

I know that strace is oftenly used by root user to trace various applications,
including less privileged ones.  These bugs allow applications to overwrite
arbitrary address of strace memory, but I found no way (yet?) how it can be used
to gain control over strace itself.  Ok, lets hope it is not possible.

Comment 15 Alexander Peslyak 2005-06-02 01:24:44 UTC

Oh, you're referring to strace's ability to attach to already-executing
processes, which may be _known_ to be _already_ running as non-root, correct? 
This is something I've overlooked when writing my previous comment.

OK, these may be security bugs, then.

Comment 16 Josh Bressers 2005-06-07 15:48:21 UTC

These fixes are in the upstream cvs, lifting embargo.

Comment 17 Dmitry V. Levin 2005-06-11 16:44:23 UTC

Fixed in strace-4.5.12.

Note You need to log in before you can comment on or make changes to this bug.