Bug 438840 - buffer overflow in audit_log_user_command
buffer overflow in audit_log_user_command
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: audit (Show other bugs)
rawhide
i386 Linux
low Severity high
: ---
: ---
Assigned To: Steve Grubb
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: CVE-2008-1628
  Show dependency treegraph
 
Reported: 2008-03-25 11:28 EDT by Joe Nall
Modified: 2008-04-09 01:20 EDT (History)
2 users (show)

See Also:
Fixed In Version: 1.6.8-4.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-04-09 01:20:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Joe Nall 2008-03-25 11:28:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13

Description of problem:
[joe@rawhide src2]$ sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm

*** buffer overflow detected ***: sudo terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x29e768]
/lib/libc.so.6[0x29c880]
/lib/libc.so.6(__strcpy_chk+0x44)[0x29bb54]
/lib/libaudit.so.0(audit_log_user_command+0x1f8)[0x319f68]
sudo[0xb7f2da4d]
sudo(main+0x882)[0xb7f20fa2]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1bb606]
sudo[0xb7f19d31]
======= Memory map: ========
00110000-0012f000 r-xp 00000000 08:02 6128329    /lib/ld-2.7.90.so
0012f000-00130000 r--p 0001e000 08:02 6128329    /lib/ld-2.7.90.so
00130000-00131000 rw-p 0001f000 08:02 6128329    /lib/ld-2.7.90.so
00131000-00132000 r-xp 00131000 00:00 0          [vdso]
00132000-0014c000 r-xp 00000000 08:02 6128112    /lib/libselinux.so.1
0014c000-0014d000 r--p 00019000 08:02 6128112    /lib/libselinux.so.1
0014d000-0014e000 rw-p 0001a000 08:02 6128112    /lib/libselinux.so.1
0014e000-00151000 r-xp 00000000 08:02 6128347    /lib/libcap.so.2.06
00151000-00152000 rw-p 00003000 08:02 6128347    /lib/libcap.so.2.06
00152000-0015d000 r-xp 00000000 08:02 6127799    /lib/libpam.so.0.81.10
0015d000-0015e000 rw-p 0000a000 08:02 6127799    /lib/libpam.so.0.81.10
0015e000-00161000 r-xp 00000000 08:02 6128333    /lib/libdl-2.7.90.so
00161000-00162000 r--p 00002000 08:02 6128333    /lib/libdl-2.7.90.so
00162000-00163000 rw-p 00003000 08:02 6128333    /lib/libdl-2.7.90.so
00163000-001a3000 r-xp 00000000 08:02 23068816   /usr/lib/libldap-2.4.so.2.0.4
001a3000-001a5000 rw-p 0003f000 08:02 23068816   /usr/lib/libldap-2.4.so.2.0.4
001a5000-0030f000 r-xp 00000000 08:02 6128330    /lib/libc-2.7.90.so
0030f000-00311000 r--p 0016a000 08:02 6128330    /lib/libc-2.7.90.so
00311000-00312000 rw-p 0016c000 08:02 6128330    /lib/libc-2.7.90.so
00312000-00315000 rw-p 00312000 00:00 0 
00315000-00329000 r-xp 00000000 08:02 6127769    /lib/libaudit.so.0.0.0
00329000-0032a000 r--p 00013000 08:02 6127769    /lib/libaudit.so.0.0.0
0032a000-0032b000 rw-p 00014000 08:02 6127769    /lib/libaudit.so.0.0.0
0032b000-00339000 r-xp 00000000 08:02 20717071   /usr/lib/liblber-2.4.so.2.0.4
00339000-0033a000 rw-p 0000d000 08:02 20717071   /usr/lib/liblber-2.4.so.2.0.4
0033a000-0034b000 r-xp 00000000 08:02 6128331    /lib/libresolv-2.7.90.so
0034b000-0034c000 r--p 00010000 08:02 6128331    /lib/libresolv-2.7.90.so
0034c000-0034d000 rw-p 00011000 08:02 6128331    /lib/libresolv-2.7.90.so
0034d000-0034f000 rw-p 0034d000 00:00 0 
0034f000-00367000 r-xp 00000000 08:02 20717024   /usr/lib/libsasl2.so.2.0.22
00367000-00368000 rw-p 00017000 08:02 20717024   /usr/lib/libsasl2.so.2.0.22
00368000-003af000 r-xp 00000000 08:02 6128205    /lib/libssl.so.0.9.8g
003af000-003b3000 rw-p 00046000 08:02 6128205    /lib/libssl.so.0.9.8g
003b3000-004ea000 r-xp 00000000 08:02 6127727    /lib/libcrypto.so.0.9.8g
004ea000-004fe000 rw-p 00136000 08:02 6127727    /lib/libcrypto.so.0.9.8g
004fe000-00501000 rw-p 004fe000 00:00 0 
00501000-0050b000 r-xp 00000000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050b000-0050c000 r--p 00009000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050c000-0050d000 rw-p 0000a000 08:02 6128335    /lib/libcrypt-2.7.90.so
0050d000-00534000 rw-p 0050d000 00:00 0 
00534000-00561000 r-xp 00000000 08:02 23068795   /usr/lib/libgssapi_krb5.so.2.2
00561000-00563000 rw-p 0002d000 08:02 23068795   /usr/lib/libgssapi_krb5.so.2.2
00563000-00600000 r-xp 00000000 08:02 23068794   /usr/lib/libkrb5.so.3.3
00600000-00603000 rw-p 0009c000 08:02 23068794   /usr/lib/libkrb5.so.3.3
00603000-00605000 r-xp 00000000 08:02 6128204    /lib/libcom_err.so.2.1
00605000-00606000 rw-p 00001000 08:02 6128204    /lib/libcom_err.so.2.1
00606000-0062a000 r-xp 00000000 08:02 23068793   /usr/lib/libk5crypto.so.3.1
0062a000-0062b000 rw-p 00024000 08:02 23068793   /usr/lib/libk5crypto.so.3.1
0062b000-0063e000 r-xp 00000000 08:02 6127832    /lib/libz.so.1.2.3
0063e000-0063f000 rw-p 00012000 08:02 6127832    /lib/libz.so.1.2.3
0063f000-00647000 r-xp 00000000 08:02 23068792   /usr/lib/libkrb5support.so.0.1
00647000-00648000 rw-p 00007000 08:02 23068792   /usr/lib/libkrb5support.so.0.1
00648000-0064a000 r-xp 00000000 08:02 6128349    /lib/libkeyutils-1.2.so
0064a000-0064b000 rw-p 00001000 08:02 6128349    /lib/libkeyutils-1.2.so
0064b000-00656000 r-xp 00000000 08:02 6127737    /lib/libnss_files-2.7.90.so
00656000-00657000 r--p 0000a000 08:02 6127737    /lib/libnss_files-2.7.90.so
00657000-00658000 rw-p 0000b000 08:02 6127737    /lib/libnss_files-2.7.90.so
00658000-00665000 r-xp 00000000 08:02 6128116    /lib/libgcc_s-4.3.0-20080314.so.1
00665000-00666000 rw-p 0000c000 08:02 6128116    /lib/libgcc_s-4.3.0-20080314.so.1
b7cff000-b7eff000 r--p 00000000 08:02 20715806   /usr/lib/locale/locale-archive
b7eff000-b7f05000 rw-p b7eff000 00:00 0 
b7f0f000-b7f16000 r--s 00000000 08:02 20744117   /usr/lib/gconv/gconv-modules.cache
b7f16000-b7f39000 r-xp 00000000 08:02 20720623   /usr/bin/sudo
b7f39000-b7f3a000 rw-p 00023000 08:02 20720623   /usr/bin/sudo
b7f3a000-b7f3d000 rw-p b7f3a000 00:00 0 
b9949000-b996a000 rw-p b9949000 00:00 0          [heap]
bfd20000-bfd38000 rw-p bffe8000 00:00 0          [stack]
Aborted
[joe@rawhide src2]$ 



Version-Release number of selected component (if applicable):
audit-libs-devel-1.6.9-1.fc9.i386

How reproducible:
Always


Steps to Reproduce:
sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm

with a few hundred rpms

Actual Results:
Backtrace

Expected Results:
rpm install

Additional info:
New behavior. Big update last night that did not include any audit components. Prior to the update, this was not happening. Prior rawhide sync was on the 20th, after which this problem did not occur.

sudo-1.6.9p13-3.fc9.i386 was installed last night. Perhaps the change was there.
Comment 1 Steve Grubb 2008-03-25 11:37:28 EDT
Sudo was recently updated to log actions run. It looks like the number of args
exceeded what was expected. I'll add the fix in a new version of audit that I'm
working on right now.
Comment 2 Steve Grubb 2008-03-30 22:10:57 EDT
audit-1.7 was built into rawhide today with a fix for the above problem. This
should take care of it. Thanks for reporting the bug.
Comment 3 Joe Nall 2008-03-31 11:40:01 EDT
Reopening. No traceback this time, but same result with audit 1.7

[joe@rawhide src2]$ rpm -q audit
audit-1.7-1.fc9.i386

[joe@rawhide src2]$ rpm -q audit-libs
audit-libs-1.7-1.fc9.i386

Segmentation fault      sudo yum -c repos/build-yum.conf $NETOPTS localinstall
${sysdir}/BUILD/repo/*rpm

[joe@rawhide src2]$ ls Linux_i386/BUILD/repo/*rpm | wc -l
206
Comment 4 Steve Grubb 2008-03-31 13:28:34 EDT
Peter,

Would you mind trying to reproduce this with rawhide sudo and see if the current
problem is in libaudit or sudo? My test program shows the library is working.
Thanks.

#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <libaudit.h>

#define SIZE 10000

int main(void)
{
        int fd, rc;
        char *cmd;

        if ((fd = audit_open()) < 0) {
                printf("failed opening\n");
                return 1;
        }
        cmd = malloc(SIZE);
        memset(cmd, 'A', SIZE);
        cmd[SIZE-1] = 0;
        printf("sending: %s\n", cmd);
        rc = audit_log_user_command(fd, AUDIT_USER, cmd, NULL, 1);
        close(fd);
        printf("rc=%d\n", rc);

        return 0;
}
Comment 5 Joe Nall 2008-03-31 13:43:40 EDT
After reading Steve's comment, I tried the following:

sudo echo `dd if=/dev/urandom bs=1024 count=5` >/tmp/foo

count=5 dies, count=4 doesn't

echo `dd if=/dev/urandom bs=1024 count=20` >/tmp/foo

does not die, so echo is not to blame

Comment 6 Miloslav Trmač 2008-04-01 10:57:20 EDT
>       len = strlen(cmd);
>        // Trim the trailing carriage return and spaces
>        while (len && (cmd[len-1] == 0x0A || cmd[len-1] == ' ')) {
>                cmd[len-1] = 0;
>                len--;
>        }

>        p = cmd;
>        strncpy(commname, cmd, PATH_MAX);
>        commname[PATH_MAX] = 0;

len is still strlen(cmd), not strlen(commname) here.
>        while (*p) {
>                if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
>                        _audit_c2x(commname, cmd, len);
If this triggers, it uses 2*len + 1 bytes.
* if the original cmd is larger than PAGE_SIZE, this can overflow by an
  unlimited length
* even if strlen(cmd) <= PAGE_SIZE, commname is one byte too small.
Comment 7 Peter Vrabec 2008-04-01 11:06:41 EDT
thnx. Miloslav, I have just fount the space in the message is the problem. :)
Comment 8 Steve Grubb 2008-04-01 12:49:45 EDT
Ok, audit-1.7-2 was built to solve this problem. I modified the above test
script to add a space at character 10 and it segfaults. Its not crashing with
the new library. It should be in tomorrow's push.
Comment 9 Joe Nall 2008-04-02 16:44:13 EDT
audit-1.7-2 fixes the problem for me. Both the original issue and the test case
Comment 10 Steve Grubb 2008-04-02 17:12:21 EDT
Closing based on test feedback. Thanks Joe for reporting this problem!
Comment 11 Fedora Update System 2008-04-02 18:43:11 EDT
audit-1.6.8-4.fc8 has been submitted as an update for Fedora 8
Comment 12 Fedora Update System 2008-04-09 01:20:50 EDT
audit-1.6.8-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.