Bug 238285 - Stack overflow on the `gcore' command.
Summary: Stack overflow on the `gcore' command.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: gdb
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jan Kratochvil
QA Contact:
URL:
Whiteboard:
Depends On: 235753
Blocks:
Reported: 2007-04-28 19:57 UTC by Jan Kratochvil
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: gdb-6.6-11.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-28 22:00:58 UTC
Type: ---
Embargoed:



Description Jan Kratochvil 2007-04-28 19:57:04 UTC
Description of problem:
Enabling _FORTIFY_SOURCE=2 discovered a negligible stack array buffer overflow.
Exploitable by the application being debugged by GDB after the user types the
`gcore' command (core file dump request).

Version-Release number of selected component (if applicable):
All Fedora "gdb" versions.
All rawhide "gdb" versions up to and incl. gdb-6.6-8.fc7
All upstream "gdb" versions so far.

How reproducible:
Always.

Steps to Reproduce:
1. yum install redhat-rpm-config  # To enable `_FORTIFY_SOURCE=2' building.
2. rpmbuild --rebuild gdb-6.6-8.fc7.src.rpm
3. Possibly also:
   3a. cd gdb-6.6/build*/gdb/testsuite
   3b. make site.exp
   3c. runtest gdb.base/corefile.exp

Actual results:
gdb.base/corefile.exp claiming you should check `ulimit -c'.

Expected results:
gdb.base/corefile.exp passes.

Additional info:
Attaching bugfix.
Please provide disclosure clearance for the rawhide update commit and posting
the patch upstream.

-- Additional comment from jan.kratochvil on 2007-04-09 18:44 EST --
Created an attachment (id=152071)
Bugfix for the review and its disclosure evaluation.


-- Additional comment from jan.kratochvil on 2007-04-20 14:59 EST --
Bug has been evaluated as non-exploitable (almost).

The code appends " " to out-of-bounds memory:

(gdb) p (char *)psargs
$10 = 0x7fffa0bf31d0 "/home/jkratoch/redhat/sources/gdb/0123456789012345678901234567890123456789012345bz235753 "

the string "bz235753 " is already a part of another variable - `fname':

(gdb) p fname
$11 = "bz235753 \000\000\000\000\000\000"

as it calls strncat() with an unbounded (overflowed) `size_t n':

  strncat (s1=0x7fffa0bf31d0 "/home/jkratoch/redhat/sources/gdb/0123456789012345678901234567890123456789012345bz235753",
           s2=0x6b8bd7 " ", n=18446744073709551608) at strncat.c:34

It is safe, as afterwards the code

  strncat (psargs, get_inferior_args (), sizeof (psargs) - strlen (psargs));

appends the value of get_inferior_args () which is always empty ("") for any
untrusted data.

get_inferior_args () may return non-empty result only for:
 * The commandline `--args' parameter (set_inferior_args_vector ()).
 * The `run' command arguments (set_inferior_args ()).
 * The `start' command arguments (set_inferior_args ()).
 * The `set args' command arguments (notice_args_set ()).

(The `attach' command is safe; it does not retrieve the inferior's arguments.)

All these values are trusted as they can come only from the same/superior UID
source spawning the "gdb" command or feeding its interactive input.

Exploit code (crash this way; it is in the arbitrary code execution category):

echo 'int main (void) { return 0; }' >/tmp/x235753.c;gcc -o
/tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
/tmp/x235753.c -ggdb3;echo -e 'start\ngcore /dev/null' >/tmp/x235753.cmd;gdb -nx
--command=/tmp/x235753.cmd --args
/tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789

Although `_FORTIFY_SOURCE' was disabled in all the GDB Red Hat releases so far,
any Red Hat build since FC6+ is protected by `-fstack-protector'.

FC3: Segmentation fault (exploitable)
     stack order: PSARGS, (immediately) FNAME
FC4: Works fine (safe)
     stack order: PSARGS, (immediately) THREAD_ARGS
FC5: *** stack smashing detected ***: gdb terminated\nAborted (safe)
FC6: *** stack smashing detected ***: gdb terminated\nAborted (safe)

Still, it is dangerous for untrusted control of the GDB command line/commands;
still, such a level of control may exploit the machine directly by appropriate
commands, without any special stack corruption.
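An added example (not gdb's code, and not from this report) that reproduces the arithmetic described above on a constructed stack layout: an unterminated psargs-like buffer sitting directly before an fname-like buffer makes `sizeof (psargs) - strlen (psargs)` wrap to a huge count, and a bounded append that measures with strnlen() and terminates the buffer avoids it. PSARGS_LEN, FNAME_LEN, struct frame_like and all function names are made up for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes, not gdb's: psargs sits directly before fname, the
   "PSARGS, (immediately) FNAME" layout the comment lists for FC3. */
#define PSARGS_LEN 16
#define FNAME_LEN 32
struct frame_like { char mem[PSARGS_LEN + FNAME_LEN]; }; /* [0..15] psargs, [16..] fname */

/* Reproduce the state the comment describes: strncpy() copies a path longer
   than psargs, so psargs gets no NUL; the neighbouring fname holds
   "bz235753 ".  Returns a pointer to psargs. */
char *setup_frame(struct frame_like *f, const char *exec_path)
{
    memset(f->mem, 0, sizeof f->mem);
    strncpy(f->mem, exec_path, PSARGS_LEN);
    strncpy(f->mem + PSARGS_LEN, "bz235753 ", FNAME_LEN - 1);
    return f->mem;
}
/* The count the comment shows reaching strncat(): sizeof (psargs) -
   strlen (psargs).  strlen() runs on into fname, so this wraps near SIZE_MAX. */
size_t naive_remaining(const char *psargs)
{
    return (size_t)PSARGS_LEN - strlen(psargs);
}
/* Hardened append: strnlen() never overreads an unterminated buffer, the
   buffer is terminated, and the remaining-space count cannot wrap.
   Returns false when the suffix had to be truncated. */
bool safe_append(char *buf, size_t cap, const char *suffix)
{
    size_t len = strnlen(buf, cap);
    if (len == cap)               /* strncpy() left no terminator: add one */
        buf[--len] = '\0';
    size_t room = cap - 1 - len;
    size_t need = strlen(suffix);
    size_t n = need < room ? need : room;
    memcpy(buf + len, suffix, n);
    buf[len + n] = '\0';
    return need <= room;
}

int main(void)
{
    struct frame_like f;
    char *psargs = setup_frame(&f, "/tmp/0123456789012345678901234567890123456789");
    printf("naive strncat count: %zu\n", naive_remaining(psargs));
    printf("safe append fit: %d, psargs now \"%s\"\n", safe_append(psargs, PSARGS_LEN, " "), psargs);
    return 0;
}
```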


-- Additional comment from lkundrak on 2007-04-24 08:23 EST --
Removing "Security" keyword, because this needs voluntary cooperation of
the user in order to be exploited, and all he would get would be to execute
code as himself.

-- Additional comment from jan.kratochvil on 2007-04-28 14:51 EST --
Disclosed as it is already in Rawhide CVS (and sent upstream) as not exploitable.

Comment 1 Jan Kratochvil 2007-04-28 22:00:58 UTC
The fix was committed to Rawhide before as:
* Tue Apr 24 2007 Jan Kratochvil <jan.kratochvil> - 6.6-11
- Fix harmless GCORE stack buffer overflow, by _FORTIFY_SOURCE=2 (BZ 238285).

Testcase provided in Rawhide as `gdb.base/gcore-buffer-overflow.exp':
* Sat Apr 28 2007 Jan Kratochvil <jan.kratochvil> - 6.6-14
- New testcase for the GCORE buffer overflow (for BZ 238285, formerly 235753).


Comment 2 Jan Kratochvil 2007-06-06 18:59:09 UTC
Posted upstream:
  http://sources.redhat.com/ml/gdb-patches/2007-06/msg00072.html
