Bug 161751 - buffer overflow in genkdmconf
Summary: buffer overflow in genkdmconf
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: kdebase
Version: 4
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 161752 (view as bug list)
Depends On:
Blocks:
 
Reported: 2005-06-26 23:54 UTC by Andrea Santilli
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-27 12:01:54 UTC
Type: ---
Embargoed:


Attachments
fix for genkdmconf.c (653 bytes, patch)
2005-06-27 11:38 UTC, Andrea Santilli

Description Andrea Santilli 2005-06-26 23:54:04 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
There is a buffer overflow in genkdmconf.
I've already reported the bug to security but the rpm should be fixed.

I discovered it by simply rebuilding the kdebase srpm.
In %install stage I got this error:

./genkdmconf --in /var/tmp/kdebase-3.4.1-0.fc4.1.kwinshadows-buildroot/usr/share/config/kdm --face-src ./pics
Information: reading old kdmrc /usr/share/config/kdm/kdmrc (from kde >= 2.2.x)
Information: dropping key SessionTypes from section [X-*-Greeter]
Information: old kdmrc is from kde 3.0
*** buffer overflow detected ***: ./genkdmconf terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x635565]
/lib/libc.so.6[0x63502f]
/lib/libc.so.6(__snprintf_chk+0x37)[0x634f23]
./genkdmconf[0x804d846]
/lib/libc.so.6(__libc_start_main+0xc6)[0x56bde6]
./genkdmconf[0x8048fd1]
======= Memory map: ========

The bug is in line 2804 of kdm/kfrontend/genkdmconf.c file:
sprintf( nname, "%s/README", newdir );

Regards

Version-Release number of selected component (if applicable):
3.4.1-0.fc4.1

How reproducible:
Always

Steps to Reproduce:
1. Recompile the kdebase srpm
2. or compile and install kdebase sources
3. get the buffer overflow error
  

Actual Results:  get the *** buffer overflow detected *** error and all the backtrace while the installation calls genkdmconf

Expected Results:  no buffer overflow in genkdmconf

Additional info:

Comment 1 Andrea Santilli 2005-06-27 11:34:23 UTC
*** Bug 161752 has been marked as a duplicate of this bug. ***

Comment 2 Andrea Santilli 2005-06-27 11:38:15 UTC
Created attachment 116007 [details]
fix for genkdmconf.c

Comment 3 Andrea Santilli 2005-06-27 11:41:04 UTC
As you can see by the attachment, nname shouldn't be of a fixed size cos if it
installs its README in a very long pathname there will be the buffer overflow.

This happened to me because I was rebuilding the srpm and the $DESTDIR was very long

Comment 4 Andrea Santilli 2005-06-27 11:54:40 UTC
ooops!
please correct that
+	nname=malloc(sizeof(char)*strlen(newdir)+8); //strlen doesn't count the final nul
in
+	nname=malloc(sizeof(char)*(strlen(newdir)+8)); //strlen doesn't count the final nul
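
Added example, not code from the report or from kdebase: the path-building step discussed in comments 3 and 4 done three ways, with the report's own --in directory as input. The 80-byte array stands in for the original `char nname[80]`, the checked snprintf variant and the `+8` size calculation are my constructions, and the committed ASPrintf call is replaced by plain malloc + snprintf.

```c
/* Added example, not code from the report or from kdebase: three ways to
 * build "<newdir>/README" so that a long --in directory cannot overflow. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define README_SUFFIX "/README"
/* The --in directory quoted in the report's failing genkdmconf run. */
#define REPORT_NEWDIR \
    "/var/tmp/kdebase-3.4.1-0.fc4.1.kwinshadows-buildroot/usr/share/config/kdm"

/* Bytes needed for "<newdir>/README" including the NUL: strlen(newdir) + 7 + 1,
 * which is the "+8" of comment 4. */
size_t readme_path_bytes(const char *newdir)
{
    return strlen(newdir) + strlen(README_SUFFIX) + 1;
}

/* Fixed-buffer variant (the shape of the original char nname[80]) but bounded:
 * returns 0 on success, -1 if the path would not fit. Nothing is overrun. */
int readme_path_into(char *buf, size_t bufsz, const char *newdir)
{
    int n = snprintf(buf, bufsz, "%s%s", newdir, README_SUFFIX);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz) buf[0] = '\0';
        return -1;          /* truncated: caller must not use buf as a path */
    }
    return 0;
}

/* Heap variant, the idea of the committed ASPrintf fix done with plain
 * malloc + snprintf: allocate exactly what the path needs. Caller frees. */
char *readme_path_alloc(const char *newdir)
{
    size_t need = readme_path_bytes(newdir);
    char *p = malloc(need);
    if (p && readme_path_into(p, need, newdir) != 0) { free(p); p = NULL; }
    return p;
}

int main(void)
{
    /* REPORT_NEWDIR is 73 characters, so the path needs 81 bytes: one more
     * than the 80-byte array the unchecked sprintf() wrote into. */
    char fixed[80];
    printf("need %zu bytes; fits in 80: %s\n", readme_path_bytes(REPORT_NEWDIR),
           readme_path_into(fixed, sizeof fixed, REPORT_NEWDIR) == 0 ? "yes" : "no");
    char *p = readme_path_alloc(REPORT_NEWDIR);
    if (p) { printf("%s\n", p); free(p); }
    return 0;
}
```

The report's directory makes the overflow a single byte: the terminating NUL of "<newdir>/README" lands one past the end of the 80-byte array, which is exactly what glibc's fortified sprintf check in the backtrace aborted on.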

Comment 5 Than Ngo 2005-06-27 12:01:54 UTC
I think it is better to use ASPrintf. The fix is:

--- kdebase-3.4.1/kdm/kfrontend/genkdmconf.c.tn 2005-06-27 13:30:11.000000000 +0200
+++ kdebase-3.4.1/kdm/kfrontend/genkdmconf.c    2005-06-27 13:52:40.000000000 +0200
@@ -2560,7 +2560,7 @@
        int i, ap, newer, locals, foreigns;
        int no_old_xdm = 0, no_old_kde = 0;
        struct stat st;
-       char nname[80];
+       char *nname;

        for (ap = 1; ap < argc; ap++) {
                if (!strcmp( argv[ap], "--help" )) {
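Review bot: replacing `char nname[80];` with `char *nname;` leaves nname uninitialized until the ASPrintf call in the second hunk, so any other write into nname between the declaration around line 2560 and the README step around line 2804 (another sprintf or strcpy into what used to be an array) would now go through a wild pointer; worth grepping main() for other uses of nname before merging, and initialising it to NULL so a missed path fails loudly rather than silently.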
@@ -2801,7 +2801,7 @@
        wrconf( f );
        fclose( f );

-       sprintf( nname, "%s/README", newdir );
+       ASPrintf( &nname, "%s/README", newdir );
        f = Create( nname, 0644 );
        fprintf( f,
 "This automatically generated configuration consists of the following files:\n" );
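Review bot: the result of `ASPrintf( &nname, "%s/README", newdir );` is not checked; unless ASPrintf is guaranteed to abort on allocation failure, nname can be left unset and `Create( nname, 0644 )` then dereferences it, so guard the call with whatever failure convention ASPrintf uses. The allocation is also never freed in this hunk; harmless for a one-shot tool's main, but a `free( nname )` once the README has been written would keep it tidy.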


The next kde rebuild (KDE-3.4.2) will include the fix. Many thanks for your
report and bugfix. 

