Bug 238285 - Stack overflow on the `gcore' command.
Product: Fedora
Classification: Fedora
Component: gdb
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jan Kratochvil
Depends On: 235753
Reported: 2007-04-28 15:57 EDT by Jan Kratochvil
Modified: 2007-11-30 17:12 EST (History)

Fixed In Version: gdb-6.6-11.fc7
Doc Type: Bug Fix
Last Closed: 2007-04-28 18:00:58 EDT

Attachments: None
Description Jan Kratochvil 2007-04-28 15:57:04 EDT
Description of problem:
Enabling _FORTIFY_SOURCE=2 discovered a negligible stack array buffer overflow.
Exploitable by the application being debugged by GDB after the user types the
`gcore' command (core file dump request).

Version-Release number of selected component (if applicable):
All Fedora "gdb" versions.
All rawhide "gdb" versions up to and incl. gdb-6.6-8.fc7
All upstream "gdb" versions so far.

How reproducible:

Steps to Reproduce:
1. yum install redhat-rpm-config  # To enable `_FORTIFY_SOURCE=2' building.
2. rpmbuild --rebuild gdb-6.6-8.fc7.src.rpm
3. Possibly also:
   3a. cd gdb-6.6/build*/gdb/testsuite
   3b. make site.exp
   3c. runtest gdb.base/corefile.exp

Actual results:
gdb.base/corefile.exp claiming you should check `ulimit -c'.

Expected results:
gdb.base/corefile.exp passes.

Additional info:
Attaching bugfix.
Please provide disclosure clearance for the rawhide update commit and posting
the patch upstream.

-- Additional comment from jan.kratochvil@redhat.com on 2007-04-09 18:44 EST --
Created an attachment (id=152071)
Bugfix for the review and its disclosure evaluation.

-- Additional comment from jan.kratochvil@redhat.com on 2007-04-20 14:59 EST --
Bug has been evaluated as non-exploitable (almost).

The code appends " " to out-of-bounds memory:

(gdb) p (char *)psargs
$10 = 0x7fffa0bf31d0

the string "bz235753 " is already a part of another variable - `fname':

(gdb) p fname
$11 = "bz235753 \000\000\000\000\000\000"

as it calls strncat() with an unbounded (overflowed) `size_t n':

  strncat (s1=0x7fffa0bf31d0 s2=0x6b8bd7 " ", n=18446744073709551608) at strncat.c:34

it is safe as afterwards the code

  strncat (psargs, get_inferior_args (), sizeof (psargs) - strlen (psargs));

appends the value of get_inferior_args () which is always empty ("") for any
untrusted data.

get_inferior_args () may return non-empty result only for:
 * The commandline `--args' parameter (set_inferior_args_vector ()).
 * The `run' command arguments (set_inferior_args ()).
 * The `start' command arguments (set_inferior_args ()).
 * The `set args' command arguments (notice_args_set ()).

(The `attach' command is safe, it does not retrieve the inferior's arguments.)

All these values are trusted as they can come only from the same/superior UID
source spawning the "gdb" command or feeding its interactive input.

Exploit code (crash this way; it is in the arbitrary code execution category):

  echo 'int main (void) { return 0; }' >/tmp/x235753.c
  gcc -o /tmp/x235753.c -ggdb3
  echo -e 'start\ngcore /dev/null' >/tmp/x235753.cmd
  gdb -nx --command=/tmp/x235753.cmd --args

Although `_FORTIFY_SOURCE' was disabled in all the GDB Red Hat releases so far,
any Red Hat build since FC6+ is protected by `-fstack-protector'.

FC3: Segmentation fault (exploitable)
     stack order: PSARGS, (immediately) FNAME
FC4: Works fine (safe)
     stack order: PSARGS, (immediately) THREAD_ARGS
FC5: *** stack smashing detected ***: gdb terminated\nAborted (safe)
FC6: *** stack smashing detected ***: gdb terminated\nAborted (safe)

Still it is dangerous under untrusted control of the GDB command line/commands;
still, such a level of control may exploit the machine directly by appropriate
commands, without any special stack corruption.

-- Additional comment from lkundrak@redhat.com on 2007-04-24 08:23 EST --
Removing "Security" keyword, because this needs voluntary cooperation of
the user in order to be exploited, and all he would get would be to execute
code as himself.

-- Additional comment from jan.kratochvil@redhat.com on 2007-04-28 14:51 EST --
Disclosed as it is already in Rawhide CVS (and sent upstream) as not exploitable.
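An added illustration of the size arithmetic described in the comments above. This is not gdb's code and not part of this report: the buffer sizes (80 for `psargs', 16 for the adjacent `fname') and the 88-byte measured length are assumptions taken from the numbers quoted above, and the helper names are hypothetical. It shows how `sizeof (buf) - strlen (buf)' wraps once strncpy() has left the buffer unterminated, and a replacement that measures with strnlen() so the remaining space can never underflow.

```c
/* Added example, not gdb's code. Sizes and names below are assumptions
   chosen to match the numbers quoted in the bug comments. */
#include <stdio.h>
#include <string.h>

#define PSARGS_SIZE 80   /* assumed size of the psargs buffer */
#define FNAME_SIZE  16   /* assumed size of the adjacent fname buffer */

/* Root cause: strncpy() does not NUL-terminate when the source is at least
   as long as the destination, so a later strlen() runs into whatever
   follows on the stack (here: fname). Returns 1 when that would happen. */
int strncpy_leaves_unterminated(const char *src, size_t bufsize)
{
    return strlen(src) >= bufsize;
}

/* The arithmetic the report quotes: once strlen() has walked past the end
   of the buffer (88 bytes measured on an 80-byte buffer), the unsigned
   subtraction wraps to 2^64 - 8, so strncat() is effectively unbounded. */
size_t naive_remaining(size_t bufsize, size_t measured_len)
{
    return bufsize - measured_len;   /* wraps when measured_len > bufsize */
}

/* Safe remaining-space computation: strnlen() can never report more than
   bufsize, and an unterminated buffer yields 0 instead of a wrapped value. */
size_t safe_remaining(const char *buf, size_t bufsize)
{
    size_t len = strnlen(buf, bufsize);
    if (len >= bufsize)
        return 0;                     /* unterminated: nothing may be appended */
    return bufsize - 1 - len;         /* keep room for the terminating NUL */
}

/* Hardened builder for "<exec> <args>": always NUL-terminated, never
   writes past dstsz bytes, truncates silently. Returns the result length. */
size_t build_psargs(char *dst, size_t dstsz,
                    const char *exec, const char *args)
{
    if (dstsz == 0)
        return 0;
    dst[0] = '\0';
    strncat(dst, exec, safe_remaining(dst, dstsz));
    if (args && *args) {
        strncat(dst, " ", safe_remaining(dst, dstsz));
        strncat(dst, args, safe_remaining(dst, dstsz));
    }
    return strlen(dst);
}

int main(void)
{
    /* Constructed input: a 120-character executable path, longer than psargs. */
    char longexec[121];
    memset(longexec, 'a', 120);
    longexec[120] = '\0';

    printf("strncpy leaves psargs unterminated: %d\n",
           strncpy_leaves_unterminated(longexec, PSARGS_SIZE));
    printf("naive sizeof - strlen with 88 measured: %zu\n",
           naive_remaining(PSARGS_SIZE, 88));

    char psargs[PSARGS_SIZE];
    size_t n = build_psargs(psargs, sizeof psargs, longexec, "x");
    printf("hardened result length: %zu (buffer %d)\n", n, PSARGS_SIZE);
    return 0;
}
```

The wrapped value printed by `naive_remaining(80, 88)' is 18446744073709551608, the `n' argument seen in the strncat() frame above; `safe_remaining()' returns 0 for the same situation, so the subsequent strncat() appends nothing instead of running off the stack.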
Comment 1 Jan Kratochvil 2007-04-28 18:00:58 EDT
The fix was committed to Rawhide before as:
* Tue Apr 24 2007 Jan Kratochvil <jan.kratochvil@redhat.com> - 6.6-11
 - Fix harmless GCORE stack buffer overflow, by _FORTIFY_SOURCE=2 (BZ 238285).

Testcase provided in Rawhide as `gdb.base/gcore-buffer-overflow.exp':
* Sat Apr 28 2007 Jan Kratochvil <jan.kratochvil@redhat.com> - 6.6-14
- New testcase for the GCORE buffer overflow (for BZ 238285, formerly 235753).
Comment 2 Jan Kratochvil 2007-06-06 14:59:09 EDT
Posted upstream:
