Bug 167467 - xsupplicant crashes with a buffer overflow error
xsupplicant crashes with a buffer overflow error
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: xsupplicant (Show other bugs)
4
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Tom "spot" Callaway
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-02 17:31 EDT by Josh Boyer
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-11-29 15:57:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
back trace from gdb run with debuginfo package installed (5.57 KB, text/plain)
2005-09-12 09:07 EDT, Josh Boyer
no flags Details
latest backtrace (5.50 KB, text/plain)
2005-09-20 09:12 EDT, Josh Boyer
no flags Details

  None (edit)
Description Josh Boyer 2005-09-02 17:31:40 EDT
Description of problem:

When I start xsupplicant on my Thinkpad, I get the following error output:

root@windu ~]# *** buffer overflow detected ***: xsupplicant terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb00c45]
xsupplicant[0x80691f7]
xsupplicant[0x80698ef]
xsupplicant[0x8069f48]
xsupplicant[0x806b55a]
xsupplicant[0x804b03c]
xsupplicant[0x804b1c3]
/lib/libc.so.6(__libc_start_main+0xdf)[0xa37d5f]
xsupplicant[0x804a7d1]
======= Memory map: ========
001b8000-001ba000 r-xp 00000000 03:03 1219863    /lib/libcom_err.so.2.1
001ba000-001bb000 rwxp 00001000 03:03 1219863    /lib/libcom_err.so.2.1
001de000-001e0000 r-xp 00000000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e0000-001e1000 rwxp 00001000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e3000-00206000 r-xp 00000000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00206000-00207000 rwxp 00023000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00209000-00278000 r-xp 00000000 03:03 907643     /usr/lib/libkrb5.so.3.2
00278000-0027b000 rwxp 0006e000 03:03 907643     /usr/lib/libkrb5.so.3.2
00308000-0031f000 r-xp 00000000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0031f000-00320000 rwxp 00017000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0037e000-00476000 r-xp 00000000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00476000-00488000 rwxp 000f8000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00488000-0048b000 rwxp 00488000 00:00 0
0048d000-004c2000 r-xp 00000000 03:03 1219865    /lib/libssl.so.0.9.7f
004c2000-004c5000 rwxp 00035000 03:03 1219865    /lib/libssl.so.0.9.7f
00a05000-00a1f000 r-xp 00000000 03:03 1216050    /lib/ld-2.3.5.so
00a1f000-00a20000 r-xp 00019000 03:03 1216050    /lib/ld-2.3.5.so
00a20000-00a21000 rwxp 0001a000 03:03 1216050    /lib/ld-2.3.5.so
00a23000-00b46000 r-xp 00000000 03:03 1218183    /lib/libc-2.3.5.so
00b46000-00b48000 r-xp 00123000 03:03 1218183    /lib/libc-2.3.5.so
00b48000-00b4a000 rwxp 00125000 03:03 1218183    /lib/libc-2.3.5.so
00b4a000-00b4c000 rwxp 00b4a000 00:00 0
00b4e000-00b50000 r-xp 00000000 03:03 1218405    /lib/libdl-2.3.5.so
00b50000-00b51000 r-xp 00001000 03:03 1218405    /lib/libdl-2.3.5.so
00b51000-00b52000 rwxp 00002000 03:03 1218405    /lib/libdl-2.3.5.so
00b7b000-00b8d000 r-xp 00000000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00b8d000-00b8e000 rwxp 00011000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00ba4000-00bb3000 r-xp 00000000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb3000-00bb4000 r-xp 0000e000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb4000-00bb5000 rwxp 0000f000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb5000-00bb7000 rwxp 00bb5000 00:00 0
00ca0000-00ca9000 r-xp 00000000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
00ca9000-00caa000 rwxp 00009000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
00da2000-00da3000 r-xp 00da2000 00:00 0
08047000-08082000 r-xp 00000000 03:03 899040     /usr/sbin/xsupplicant
08082000-08083000 rw-p 0003b000 03:03 899040     /usr/sbin/xsupplicant
08083000-08084000 rw-p 08083000 00:00 0
0955f000-09580000 rw-p 0955f000 00:00 0          [heap]
b7f13000-b7f16000 rw-p b7f13000 00:00 0
b7f22000-b7f26000 rw-p b7f22000 00:00 0
bfb11000-bfb26000 rw-p bfb11000 00:00 0          [stack]



Version-Release number of selected component (if applicable):

root@windu ~]# rpm -q xsupplicant
xsupplicant-1.2-1.fc4

How reproducible:

Always

Steps to Reproduce:
1. Config wireless card to network
2. Start xsupplicant
3.
  
Actual results:

Above error is reported

Expected results:

It doesn't crash at least ;)

Additional info:
Comment 1 Tom "spot" Callaway 2005-09-04 09:31:52 EDT
Hrm, that's never good. Well, short of actually having your xsupplicant config
(when I run xsupplicant, it just presents me with usage messages...), there are
a few things I can do to see if it alleviates the issue.

1. Update to xsupplicant-1.2.1
2. Patch-fix all the warnings that gcc4 throws (a lot of signed/unsigned errors)

So... in xsupplicant-1.2.1-1 (which should now be built in the buildsystem),
both of those items are done. Please test it and see if it does the same thing.

If it doesn't, please close this bug, but if it does, please attach your configs.
Comment 2 Josh Boyer 2005-09-04 12:59:41 EDT
Ok, I'll update and try again Tuesday morning when I have access to the network
I need xsupplicant for.  I'll be sure to let you know how it works out.
Comment 3 Tom "spot" Callaway 2005-09-04 18:20:16 EDT
This turned out to be 1.2.1-4. Stupid docbook. :)
Comment 4 Josh Boyer 2005-09-06 21:23:00 EDT
I updated but the network was down.  Will try again tomorrow.
Comment 5 Josh Boyer 2005-09-09 08:19:48 EDT
Still get a buffer overflow error:

[root@windu ~]# xsupplicant -f -c /home/jwboyer/xsupplicant.conf -i eth0
Your card is currently set for wireless network "XXX".  Looking for a config.
*** buffer overflow detected ***: xsupplicant terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb00c45]
xsupplicant[0x8069a77]
xsupplicant[0x806a16f]
xsupplicant[0x806a621]
xsupplicant[0x806a6c6]
xsupplicant[0x806a82e]
xsupplicant[0x806bdda]
xsupplicant[0x804b0bd]
xsupplicant[0x804b243]
/lib/libc.so.6(__libc_start_main+0xdf)[0xa37d5f]
xsupplicant[0x804a7d1]
======= Memory map: ========
001b8000-001ba000 r-xp 00000000 03:03 1219863    /lib/libcom_err.so.2.1
001ba000-001bb000 rwxp 00001000 03:03 1219863    /lib/libcom_err.so.2.1
001de000-001e0000 r-xp 00000000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e0000-001e1000 rwxp 00001000 03:03 907641     /usr/lib/libkrb5support.so.0.0
001e3000-00206000 r-xp 00000000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00206000-00207000 rwxp 00023000 03:03 907642     /usr/lib/libk5crypto.so.3.0
00209000-00278000 r-xp 00000000 03:03 907643     /usr/lib/libkrb5.so.3.2
00278000-0027b000 rwxp 0006e000 03:03 907643     /usr/lib/libkrb5.so.3.2
00308000-0031f000 r-xp 00000000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0031f000-00320000 rwxp 00017000 03:03 907644     /usr/lib/libgssapi_krb5.so.2.2
0037e000-00476000 r-xp 00000000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00476000-00488000 rwxp 000f8000 03:03 1219864    /lib/libcrypto.so.0.9.7f
00488000-0048b000 rwxp 00488000 00:00 0
0048d000-004c2000 r-xp 00000000 03:03 1219865    /lib/libssl.so.0.9.7f
004c2000-004c5000 rwxp 00035000 03:03 1219865    /lib/libssl.so.0.9.7f
004cd000-004ce000 r-xp 004cd000 00:00 0
00a05000-00a1f000 r-xp 00000000 03:03 1216050    /lib/ld-2.3.5.so
00a1f000-00a20000 r-xp 00019000 03:03 1216050    /lib/ld-2.3.5.so
00a20000-00a21000 rwxp 0001a000 03:03 1216050    /lib/ld-2.3.5.so
00a23000-00b46000 r-xp 00000000 03:03 1218183    /lib/libc-2.3.5.so
00b46000-00b48000 r-xp 00123000 03:03 1218183    /lib/libc-2.3.5.so
00b48000-00b4a000 rwxp 00125000 03:03 1218183    /lib/libc-2.3.5.so
00b4a000-00b4c000 rwxp 00b4a000 00:00 0
00b4e000-00b50000 r-xp 00000000 03:03 1218405    /lib/libdl-2.3.5.so
00b50000-00b51000 r-xp 00001000 03:03 1218405    /lib/libdl-2.3.5.so
00b51000-00b52000 rwxp 00002000 03:03 1218405    /lib/libdl-2.3.5.so
00b7b000-00b8d000 r-xp 00000000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00b8d000-00b8e000 rwxp 00011000 03:03 905880     /usr/lib/libz.so.1.2.2.2
00ba4000-00bb3000 r-xp 00000000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb3000-00bb4000 r-xp 0000e000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb4000-00bb5000 rwxp 0000f000 03:03 1219856    /lib/libresolv-2.3.5.so
00bb5000-00bb7000 rwxp 00bb5000 00:00 0
00ca0000-00ca9000 r-xp 00000000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
00ca9000-00caa000 rwxp 00009000 03:03 1219855    /lib/libgcc_s-4.0.1-20050727.so.1
08047000-08083000 r-xp 00000000 03:03 900850     /usr/sbin/xsupplicant
08083000-08084000 rw-p 0003c000 03:03 900850     /usr/sbin/xsupplicant
08084000-08085000 rw-p 08084000 00:00 0
08c8b000-08cac000 rw-p 08c8b000 00:00 0          [heap]
b7fe8000-b7feb000 rw-p b7fe8000 00:00 0
b7ff8000-b7ffb000 rw-p b7ff8000 00:00 0
bfbe5000-bfbfb000 rw-p bfbe5000 00:00 0          [stack]
Aborted
[root@windu ~]# rpm -q xsupplicant
xsupplicant-1.2.1-4.fc4

Comment 6 Josh Boyer 2005-09-09 08:21:58 EDT
Here's my config file.  NOTE: the network name has been changed

# This is an example configuration file for xsupplicant versions after 0.8b.

### GLOBAL SECTION

# network_list: defines all of the networks in this file which 
#      should be kept in memory and used.Comma delimited list or "all"
#      for keeping all defined configurations in memory. For efficiency,
#      keep only the networks you might roam to in memory.
#      To avoid errors, make sure your default network is always
#      in the network_list.  In general, you will want to leave this set to 
#      "all".

network_list = FOO
#network_list = default, test1, test2

# default_netname: some users may actually have a network named "default".
#      since "default" is a keyword in the network section below, you can
#      change which is to be used as the replacement for this keyword

default_netname = FOO
#default_netname = my_defaults

# destination: defines how Xsupplicant should determine the destination address
# that should be used for the 802.1X conversation.
#
# Valid Options are :
#    Auto - respond to source address from the last packet we saw.
#    Source - same as Auto
#    BSSID - Always answer to the BSSID of the AP we are associated to.
#    Multicast - always use the multicast address defined in 802.1X-2001.
#
#destination = auto

# When running in daemon, or non-foreground mode, you may want to have the
# output of the program.  So, define a log file here.  Each time XSupplicant
# is started, this file will be replaced.  So, there is no need to roll the
# log file.
logfile = /var/log/xsupplicant.log

# The auth_period, held_period, and max_starts modify the timers in the state
# machine.  (Please reference the 802.1x spec for info on how they are used.)
# For most people, there is no reason to define these values, as the defaults
# should work.

#auth_period = 30

#held_period = 30

#max_starts = 3

# The "default_interface" is the interface that will be used if one is not
# specified on the command line.  

#default_interface = eth1

# For most people, the default setting for "allmulti" will work just fine.  In
# some cases, wireless cards have been known to not work when ALLMULTI is 
# enabled.  (Such as certain Orinoco cards, with older drivers.)  If "allmulti"
# is set to "no", XSupplicant will not attempt to change the state of the 
# setting in the driver.  So, you should make sure to do an "ifconfig ethX
# -allmulti".

#allmulti = no

###  NETWORK SECTION
# The general format of the network section is a network name followed
# by a group of variables.

# Network names may contain the following characters: a-z, A-Z, 0-9, '-', 
# '_', '\', '/'
# Those interested in having an SSID with ANY character in it can use
# the ssid tag within the network clause. Otherwise, your ssid will
# be the name of the network.

## The default network is not a network itself. These values are 
## the default used for any network parameters not overridden 
## in another section. If it's not in your network configuration
## and not in your default, it won't work!!

FOO {
	type = wireless
	wireless_control = no
	allow_types = eap-leap

	identity = "jwboyer@xx.xxx.xxx"

	eap-leap {
		username = "jwboyer@xx.xxx.xx"
		password = "<removed>"
	}
}
Comment 7 Arjan van de Ven 2005-09-11 05:56:46 EDT
can you install the matching debuginfo package? that will result in a much
better backtrace
Comment 8 Josh Boyer 2005-09-12 09:07:54 EDT
Created attachment 118708 [details]
back trace from gdb run with debuginfo package installed

Here is a back trace from a gdb session with the debuginfo package installed
Comment 9 Arjan van de Ven 2005-09-14 07:59:15 EDT
line 165-167 of cardif_linux_rtnetlink.c are:
            case SIOCGIWFREQ:
              memcpy(&freq, &iwe->u.freq, iwe->len);
              freq = freq/100;



that memcpy line is at fault here. "freq" is an unsigned int variable, and thus
4 bytes in size. It seems for some reason that iwe->len is bigger than 4.. which
then would overflow the "freq" variable.

Looks like really nasty code; why use memcpy to assign an "int" in the first place??
Comment 10 Josh Boyer 2005-09-20 09:12:33 EDT
Created attachment 119025 [details]
latest backtrace

I updated to the latest xsupplicant.  No dice.	I still get the same backtrace.


[jwboyer@windu ~]$ rpm -qa | grep xsupplicant
xsupplicant-1.2.1-5.fc4
xsupplicant-debuginfo-1.2.1-5.fc4
[jwboyer@windu ~]$
Comment 11 Josh Boyer 2005-09-20 09:15:09 EDT
This is the kernel I'm using, if that makes any difference:

[jwboyer@windu ~]$ uname -r
2.6.12-1.1447_FC4

I'm also using the airo wireless module.

Comment 12 G. de Vries 2005-10-02 11:52:27 EDT
In my setup (FC4 with madwifi drivers), xsupplicant is generating exactly the
same error. Now I'm not an expert in this field, but is it an idea to report
this bug upstream at the open1x-xsupplicant project? As far as I can see (and
again, I'm not an expert) this buffer overflow is just a general programming
error and will affect non-fedora users as well.
Comment 13 Tom "spot" Callaway 2005-10-05 15:26:56 EDT
This is the case. I just hate to hand off bugs to upstream without at least
attempting to fix them. This bug is really a potential security vulnerability.
Fedora Core 4 (and rawhide) are using compiler flags to stop programs with
overflows from executing, so other users not using those compiler flags are
likely unaware of this bug.

Arjan, I tried to fix this myself, but it didn't work. Can you help me out?
Comment 14 Arjan van de Ven 2005-10-05 15:29:39 EDT
I think this is a case of finding whoever wrote that code and finding out what
he really meant to write. That's a lot harder to reverse engineer from this...

(and I don't run crappy binary junk linked into my kernel so I can't reproduce
anyway)
Comment 15 Josh Boyer 2005-10-05 17:14:24 EDT
(In reply to comment #14)
> 
> (and I don't run crappy binary junk linked into my kernel so I can't reproduce
> anyway)

Crappy binary junk?  I don't think I'm running crappy binary junk in my kernel
either...  Care to expand on that a bit?
Comment 16 Tom "spot" Callaway 2005-10-05 18:11:46 EDT
I think he's referring to madwifi.
Comment 17 Tom "spot" Callaway 2005-10-05 18:58:25 EDT
I contacted upstream about this issue today.
Comment 18 Arjan van de Ven 2005-10-06 01:58:33 EDT
yeah I meant the binary only madwifi driver
Comment 19 Josh Boyer 2005-11-29 15:56:36 EST
The latest xsupplicant package seems to have fixed this.  I no longer get buffer
overflows.

Thanks!

Note You need to log in before you can comment on or make changes to this bug.