Description of problem:
Enabling _FORTIFY_SOURCE=2 discovered a negligible stack array buffer overflow. Exploitable by an application being debugged by GDB after the user types the `gcore' command (core file dump request).

Version-Release number of selected component (if applicable):
All Fedora "gdb" versions.
All rawhide "gdb" versions up to and incl. gdb-6.6-8.fc7
All upstream "gdb" versions so far.

How reproducible:
Always.

Steps to Reproduce:
1. yum install redhat-rpm-config   # To enable `_FORTIFY_SOURCE=2' building.
2. rpmbuild --rebuild gdb-6.6-8.fc7.src.rpm
3. Possibly also:
3a. cd gdb-6.6/build*/gdb/testsuite
3b. make site.exp
3c. runtest gdb.base/corefile.exp

Actual results:
gdb.base/corefile.exp claiming you should check `ulimit -c'.

Expected results:
gdb.base/corefile.exp passes.

Additional info:
Attaching bugfix. Please provide disclosure clearance for the rawhide update commit and for posting the patch upstream.

-- Additional comment from jan.kratochvil on 2007-04-09 18:44 EST --
Created an attachment (id=152071)
Bugfix for the review and its disclosure evaluation.

-- Additional comment from jan.kratochvil on 2007-04-20 14:59 EST --
Bug has been evaluated as non-exploitable (almost).
The code appends " " to out-of-bounds memory:
  (gdb) p (char *)psargs
  $10 = 0x7fffa0bf31d0 "/home/jkratoch/redhat/sources/gdb/0123456789012345678901234567890123456789012345bz235753 "
The string "bz235753 " is already a part of another variable, `fname':
  (gdb) p fname
  $11 = "bz235753 \000\000\000\000\000\000"
as it calls strncat() with an unbounded (overflown) `size_t n':
  strncat (s1=0x7fffa0bf31d0 "/home/jkratoch/redhat/sources/gdb/0123456789012345678901234567890123456789012345bz235753", s2=0x6b8bd7 " ", n=18446744073709551608) at strncat.c:34
It is safe, as afterwards the code
  strncat (psargs, get_inferior_args (), sizeof (psargs) - strlen (psargs));
appends the value of get_inferior_args (), which is always empty ("") for any untrusted data.
get_inferior_args () may return a non-empty result only for:
* The commandline `--args' parameter (set_inferior_args_vector ()).
* The `run' command arguments (set_inferior_args ()).
* The `start' command arguments (set_inferior_args ()).
* The `set args' command arguments (notice_args_set ()).
(The `attach' command is safe, it does not retrieve the inferior's arguments.)
All these values are trusted as they can come only from the same/superior UID source spawning the "gdb" command or feeding its interactive input.

Exploit code (it crashes this way; it is in the arbitrary code execution category):
  echo 'int main (void) { return 0; }' >/tmp/x235753.c
  gcc -o /tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 /tmp/x235753.c -ggdb3
  echo -e 'start\ngcore /dev/null' >/tmp/x235753.cmd
  gdb -nx --command=/tmp/x235753.cmd --args /tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789

Although `_FORTIFY_SOURCE' was disabled in all the GDB Red Hat releases so far, any Red Hat build since FC6+ is protected by `-fstack-protector'.
  FC3: Segmentation fault (exploitable)
       stack order: PSARGS, (immediately) FNAME
  FC4: Works fine (safe)
       stack order: PSARGS, (immediately) THREAD_ARGS
  FC5: *** stack smashing detected ***: gdb terminated
       Aborted (safe)
  FC6: *** stack smashing detected ***: gdb terminated
       Aborted (safe)
It is still dangerous under untrusted control of the GDB command line/commands, but such a level of control can exploit the machine directly by appropriate commands, without any special stack corruption.

-- Additional comment from lkundrak on 2007-04-24 08:23 EST --
Removing the "Security" keyword, because this needs voluntary cooperation of the user in order to be exploited, and all he would get would be to execute code as himself.
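The two root causes the analysis above points at are (a) a fixed-size buffer filled by a bounded copy that leaves no terminator, so strlen() runs into the neighbouring variable (`fname'), and (b) the remaining-space expression sizeof (psargs) - strlen (psargs), which wraps to a huge size_t once strlen() exceeds the buffer size, turning the following strncat() into an unbounded append. The program below is an added example written for this page; it is not GDB's code and not the attached patch. The 80-byte buffer size is an assumption (the page only shows the size expression, not the declaration), and the overlong path and argument strings are constructed inputs modelled on the exploit command line.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the report only shows the
   expression sizeof (psargs) - strlen (psargs), not the declaration. */
#define PSARGS_SIZE 80

#define TEN "0123456789"
/* Constructed inputs longer than PSARGS_SIZE, modelled on the exploit
   command line (an overlong executable path plus overlong arguments). */
static const char long_exec[] = "/tmp/" TEN TEN TEN TEN TEN TEN TEN TEN TEN TEN TEN;
static const char long_args[] = TEN TEN TEN TEN TEN TEN TEN TEN TEN TEN TEN;

/* Root cause (a): strncpy (dst, src, sizeof dst) leaves dst without a NUL
   whenever strlen (src) >= sizeof dst.  Returns 1 if a terminator is
   present inside the buffer, 0 if strlen() would run past its end. */
int strncpy_leaves_terminator(const char *src)
{
    char buf[PSARGS_SIZE];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Root cause (b): the quoted remaining-space computation.  When strlen()
   has run into adjacent memory, current_len > bufsize and the unsigned
   subtraction wraps (the n=18446744073709551608 in the backtrace is
   exactly 80 - 88 as a 64-bit size_t), so strncat() is unbounded. */
size_t naive_remaining(size_t bufsize, size_t current_len)
{
    return bufsize - current_len;
}

/* Hardened replacement: the buffer is always NUL-terminated, remaining
   space is derived from a known length rather than strlen() on the
   buffer, and overlong input is truncated and reported, never written
   past the end.  Returns 1 if truncated, 0 if not, -1 if outsize == 0. */
int build_psargs(char *out, size_t outsize, const char *exec_file, const char *args)
{
    int truncated = 0;
    size_t used, remaining;

    if (outsize == 0)
        return -1;

    used = strlen(exec_file);
    if (used > outsize - 1) {
        used = outsize - 1;
        truncated = 1;
    }
    memcpy(out, exec_file, used);
    out[used] = '\0';
    remaining = outsize - 1 - used;   /* cannot wrap: used <= outsize - 1 */

    if (args != NULL && args[0] != '\0') {
        const char *pieces[2] = { " ", args };
        for (int i = 0; i < 2; i++) {
            size_t n = strlen(pieces[i]);
            if (n > remaining) {
                n = remaining;
                truncated = 1;
            }
            memcpy(out + used, pieces[i], n);
            used += n;
            remaining -= n;
            out[used] = '\0';
        }
    }
    return truncated;
}

int main(void)
{
    char psargs[PSARGS_SIZE];
    int t;

    printf("strncpy terminates short path: %d\n", strncpy_leaves_terminator("/bin/true"));
    printf("strncpy terminates long path:  %d\n", strncpy_leaves_terminator(long_exec));
    printf("naive remaining for 88 of 80 bytes: %zu\n", naive_remaining(PSARGS_SIZE, 88));

    t = build_psargs(psargs, sizeof psargs, long_exec, long_args);
    printf("hardened: truncated=%d len=%zu \"%s\"\n", t, strlen(psargs), psargs);
    return 0;
}
```

The hardened builder deliberately returns a truncation flag instead of silently cutting the string: a core file whose recorded command line is truncated is a data-quality problem, while one written by an unbounded strncat() is the memory-corruption problem described above.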
-- Additional comment from jan.kratochvil on 2007-04-28 14:51 EST -- Disclosed as it is already in Rawhide CVS (and sent upstream) as not exploitable.
The fix was committed to Rawhide before as:
* Tue Apr 24 2007 Jan Kratochvil <jan.kratochvil> - 6.6-11
- Fix harmless GCORE stack buffer overflow, by _FORTIFY_SOURCE=2 (BZ 238285).
Testcase provided in Rawhide as `gdb.base/gcore-buffer-overflow.exp':
* Sat Apr 28 2007 Jan Kratochvil <jan.kratochvil> - 6.6-14
- New testcase for the GCORE buffer overflow (for BZ 238285, formerly 235753).
Posted upstream: http://sources.redhat.com/ml/gdb-patches/2007-06/msg00072.html