Bug 159196 - multiple memory management issues
multiple memory management issues
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: strace (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Roland McGrath
Brian Brock
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-31 09:41 EDT by Dmitry V. Levin
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: 4.5.12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-11 12:44:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace-4.5.11-alt-mem-fixes.patch for cvs snapshot 20050526 (22.33 KB, patch)
2005-05-31 09:43 EDT, Dmitry V. Levin
no flags Details | Diff
xattr.c (124 bytes, text/plain)
2005-05-31 09:52 EDT, Dmitry V. Levin
no flags Details
iov.c (149 bytes, text/plain)
2005-05-31 10:00 EDT, Dmitry V. Levin
no flags Details
nodes.c (135 bytes, text/plain)
2005-05-31 10:04 EDT, Dmitry V. Levin
no flags Details
msg.c (230 bytes, text/plain)
2005-05-31 10:08 EDT, Dmitry V. Levin
no flags Details
msg2.c (404 bytes, text/plain)
2005-05-31 10:10 EDT, Dmitry V. Levin
no flags Details
setgroups.c (119 bytes, text/plain)
2005-05-31 10:13 EDT, Dmitry V. Levin
no flags Details
poll.c (164 bytes, text/plain)
2005-05-31 10:17 EDT, Dmitry V. Levin
no flags Details
sysctl.c (289 bytes, text/plain)
2005-05-31 10:21 EDT, Dmitry V. Levin
no flags Details

  None (edit)
Description Dmitry V. Levin 2005-05-31 09:41:44 EDT
After your recent fixes for strace crashes, I reviewed strace for other memory management issues.  I found 8 bugs which could lead to easily reproduced crash, and 4 bugs which are unlikely to be triggered.  Still unclear, whether some of these overflows could lead to privilege escalation or not, so setting "security" tag in case they are not just crash bugs.
Comment 1 Dmitry V. Levin 2005-05-31 09:43:29 EDT
Created attachment 114990 [details]
strace-4.5.11-alt-mem-fixes.patch for cvs snapshot 20050526

Proposed fix.
Comment 2 Dmitry V. Levin 2005-05-31 09:52:13 EDT
Created attachment 114992 [details]
xattr.c

This program demonstrates crash in print_xattr_val().
Test with "strace -e trace=fsetxattr ./xattr".
Comment 3 Dmitry V. Levin 2005-05-31 10:00:28 EDT
Created attachment 114993 [details]
iov.c

This program demonstrates crash in tprint_iov().
Test with "strace -e trace=writev ./iov".
Comment 4 Dmitry V. Levin 2005-05-31 10:04:20 EDT
Created attachment 114994 [details]
nodes.c

This program demonstrates crash in get_nodes().
Test with "strace -e trace=get_mempolicy ./nodes".
Comment 5 Dmitry V. Levin 2005-05-31 10:08:47 EDT
Created attachment 114996 [details]
msg.c

This program demonstrates crash in printcmsghdr().
Test with "strace -e trace=sendmsg ./msg".
Comment 6 Dmitry V. Levin 2005-05-31 10:10:21 EDT
Created attachment 114997 [details]
msg2.c

This program demonstrates another crash in printcmsghdr().
Test with "strace -e trace=sendmsg ./msg2".
Comment 7 Dmitry V. Levin 2005-05-31 10:13:43 EDT
Created attachment 114998 [details]
setgroups.c

This program demonstrates crash in sys_setgroups32().
Test with "strace -e trace=setgroups32 ./setgroups".
Comment 8 Dmitry V. Levin 2005-05-31 10:17:16 EDT
Created attachment 114999 [details]
poll.c

This program demonstrates crash in sys_poll().
Test with "strace -e trace=poll ./poll".
Comment 9 Dmitry V. Levin 2005-05-31 10:21:04 EDT
Created attachment 115000 [details]
sysctl.c

This program demonstrates crash in sys_sysctl().
Test with "strace -e trace=_sysctl ./sysctl".
Comment 10 Dmitry V. Levin 2005-06-01 15:09:25 EDT
Well, it is not easy to use these bugs to get something more than instant crash.
Let's remove "security" tag then?
Comment 11 Roland McGrath 2005-06-01 15:20:56 EDT
Thanks for all those test cases, and the fixes!  I've put the patch in upstream.

I'll check with our security folks whether they think these problems need to be
treated as security issues.
Comment 12 Josh Bressers 2005-06-01 15:25:12 EDT
If there is no potential for arbitrary code execution, then I don't see any of
these as being security issues.
Comment 13 Alexander Peslyak 2005-06-01 15:26:09 EDT
I also do not think these are security bugs.  That's because the program being
traced is already granted the ability to execute arbitrary code/syscalls. 
strace is not a policy enforcement tool, and not even an interactive debugger
where one may single-step or the like not letting the program do nasty things.

But we need to get the bugs fixed indeed.

(Should the Summary read "multiple", not "multiply"?)
Comment 14 Dmitry V. Levin 2005-06-01 18:22:47 EDT
I know that strace is oftenly used by root user to trace various applications,
including less privileged ones.  These bugs allow applications to overwrite
arbitrary address of strace memory, but I found no way (yet?) how it can be used
to gain control over strace itself.  Ok, lets hope it is not possible.
Comment 15 Alexander Peslyak 2005-06-01 21:24:44 EDT
Oh, you're referring to strace's ability to attach to already-executing
processes, which may be _known_ to be _already_ running as non-root, correct? 
This is something I've overlooked when writing my previous comment.

OK, these may be security bugs, then.
Comment 16 Josh Bressers 2005-06-07 11:48:21 EDT
These fixes are in the upstream cvs, lifting embargo.
Comment 17 Dmitry V. Levin 2005-06-11 12:44:23 EDT
Fixed in strace-4.5.12.

Note You need to log in before you can comment on or make changes to this bug.