From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.13 (KHTML, like Gecko) Version/3.1 Safari/525.13

Description of problem:
[joe@rawhide src2]$ sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm
*** buffer overflow detected ***: sudo terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x29e768]
/lib/libc.so.6[0x29c880]
/lib/libc.so.6(__strcpy_chk+0x44)[0x29bb54]
/lib/libaudit.so.0(audit_log_user_command+0x1f8)[0x319f68]
sudo[0xb7f2da4d]
sudo(main+0x882)[0xb7f20fa2]
/lib/libc.so.6(__libc_start_main+0xe6)[0x1bb606]
sudo[0xb7f19d31]
======= Memory map: ========
00110000-0012f000 r-xp 00000000 08:02 6128329 /lib/ld-2.7.90.so
0012f000-00130000 r--p 0001e000 08:02 6128329 /lib/ld-2.7.90.so
00130000-00131000 rw-p 0001f000 08:02 6128329 /lib/ld-2.7.90.so
00131000-00132000 r-xp 00131000 00:00 0 [vdso]
00132000-0014c000 r-xp 00000000 08:02 6128112 /lib/libselinux.so.1
0014c000-0014d000 r--p 00019000 08:02 6128112 /lib/libselinux.so.1
0014d000-0014e000 rw-p 0001a000 08:02 6128112 /lib/libselinux.so.1
0014e000-00151000 r-xp 00000000 08:02 6128347 /lib/libcap.so.2.06
00151000-00152000 rw-p 00003000 08:02 6128347 /lib/libcap.so.2.06
00152000-0015d000 r-xp 00000000 08:02 6127799 /lib/libpam.so.0.81.10
0015d000-0015e000 rw-p 0000a000 08:02 6127799 /lib/libpam.so.0.81.10
0015e000-00161000 r-xp 00000000 08:02 6128333 /lib/libdl-2.7.90.so
00161000-00162000 r--p 00002000 08:02 6128333 /lib/libdl-2.7.90.so
00162000-00163000 rw-p 00003000 08:02 6128333 /lib/libdl-2.7.90.so
00163000-001a3000 r-xp 00000000 08:02 23068816 /usr/lib/libldap-2.4.so.2.0.4
001a3000-001a5000 rw-p 0003f000 08:02 23068816 /usr/lib/libldap-2.4.so.2.0.4
001a5000-0030f000 r-xp 00000000 08:02 6128330 /lib/libc-2.7.90.so
0030f000-00311000 r--p 0016a000 08:02 6128330 /lib/libc-2.7.90.so
00311000-00312000 rw-p 0016c000 08:02 6128330 /lib/libc-2.7.90.so
00312000-00315000 rw-p 00312000 00:00 0
00315000-00329000 r-xp 00000000 08:02 6127769 /lib/libaudit.so.0.0.0
00329000-0032a000 r--p 00013000 08:02 6127769 /lib/libaudit.so.0.0.0
0032a000-0032b000 rw-p 00014000 08:02 6127769 /lib/libaudit.so.0.0.0
0032b000-00339000 r-xp 00000000 08:02 20717071 /usr/lib/liblber-2.4.so.2.0.4
00339000-0033a000 rw-p 0000d000 08:02 20717071 /usr/lib/liblber-2.4.so.2.0.4
0033a000-0034b000 r-xp 00000000 08:02 6128331 /lib/libresolv-2.7.90.so
0034b000-0034c000 r--p 00010000 08:02 6128331 /lib/libresolv-2.7.90.so
0034c000-0034d000 rw-p 00011000 08:02 6128331 /lib/libresolv-2.7.90.so
0034d000-0034f000 rw-p 0034d000 00:00 0
0034f000-00367000 r-xp 00000000 08:02 20717024 /usr/lib/libsasl2.so.2.0.22
00367000-00368000 rw-p 00017000 08:02 20717024 /usr/lib/libsasl2.so.2.0.22
00368000-003af000 r-xp 00000000 08:02 6128205 /lib/libssl.so.0.9.8g
003af000-003b3000 rw-p 00046000 08:02 6128205 /lib/libssl.so.0.9.8g
003b3000-004ea000 r-xp 00000000 08:02 6127727 /lib/libcrypto.so.0.9.8g
004ea000-004fe000 rw-p 00136000 08:02 6127727 /lib/libcrypto.so.0.9.8g
004fe000-00501000 rw-p 004fe000 00:00 0
00501000-0050b000 r-xp 00000000 08:02 6128335 /lib/libcrypt-2.7.90.so
0050b000-0050c000 r--p 00009000 08:02 6128335 /lib/libcrypt-2.7.90.so
0050c000-0050d000 rw-p 0000a000 08:02 6128335 /lib/libcrypt-2.7.90.so
0050d000-00534000 rw-p 0050d000 00:00 0
00534000-00561000 r-xp 00000000 08:02 23068795 /usr/lib/libgssapi_krb5.so.2.2
00561000-00563000 rw-p 0002d000 08:02 23068795 /usr/lib/libgssapi_krb5.so.2.2
00563000-00600000 r-xp 00000000 08:02 23068794 /usr/lib/libkrb5.so.3.3
00600000-00603000 rw-p 0009c000 08:02 23068794 /usr/lib/libkrb5.so.3.3
00603000-00605000 r-xp 00000000 08:02 6128204 /lib/libcom_err.so.2.1
00605000-00606000 rw-p 00001000 08:02 6128204 /lib/libcom_err.so.2.1
00606000-0062a000 r-xp 00000000 08:02 23068793 /usr/lib/libk5crypto.so.3.1
0062a000-0062b000 rw-p 00024000 08:02 23068793 /usr/lib/libk5crypto.so.3.1
0062b000-0063e000 r-xp 00000000 08:02 6127832 /lib/libz.so.1.2.3
0063e000-0063f000 rw-p 00012000 08:02 6127832 /lib/libz.so.1.2.3
0063f000-00647000 r-xp 00000000 08:02 23068792 /usr/lib/libkrb5support.so.0.1
00647000-00648000 rw-p 00007000 08:02 23068792 /usr/lib/libkrb5support.so.0.1
00648000-0064a000 r-xp 00000000 08:02 6128349 /lib/libkeyutils-1.2.so
0064a000-0064b000 rw-p 00001000 08:02 6128349 /lib/libkeyutils-1.2.so
0064b000-00656000 r-xp 00000000 08:02 6127737 /lib/libnss_files-2.7.90.so
00656000-00657000 r--p 0000a000 08:02 6127737 /lib/libnss_files-2.7.90.so
00657000-00658000 rw-p 0000b000 08:02 6127737 /lib/libnss_files-2.7.90.so
00658000-00665000 r-xp 00000000 08:02 6128116 /lib/libgcc_s-4.3.0-20080314.so.1
00665000-00666000 rw-p 0000c000 08:02 6128116 /lib/libgcc_s-4.3.0-20080314.so.1
b7cff000-b7eff000 r--p 00000000 08:02 20715806 /usr/lib/locale/locale-archive
b7eff000-b7f05000 rw-p b7eff000 00:00 0
b7f0f000-b7f16000 r--s 00000000 08:02 20744117 /usr/lib/gconv/gconv-modules.cache
b7f16000-b7f39000 r-xp 00000000 08:02 20720623 /usr/bin/sudo
b7f39000-b7f3a000 rw-p 00023000 08:02 20720623 /usr/bin/sudo
b7f3a000-b7f3d000 rw-p b7f3a000 00:00 0
b9949000-b996a000 rw-p b9949000 00:00 0 [heap]
bfd20000-bfd38000 rw-p bffe8000 00:00 0 [stack]
Aborted
[joe@rawhide src2]$

Version-Release number of selected component (if applicable):
audit-libs-devel-1.6.9-1.fc9.i386

How reproducible:
Always

Steps to Reproduce:
1. sudo yum -c repos/build-yum.conf localinstall Linux_i386/BUILD/repo/*rpm (with a few hundred rpms)

Actual Results:
Backtrace

Expected Results:
rpm install

Additional info:
New behavior. Big update last night that did not include any audit components. Prior to the update, this was not happening. Prior rawhide sync was on the 20th, after which this problem did not occur. sudo-1.6.9p13-3.fc9.i386 was installed last night. Perhaps the change was there.
Sudo was recently updated to log actions run. It looks like the number of args exceeded what was expected. I'll add the fix in a new version of audit that I'm working on right now.
audit-1.7 was built into rawhide today with a fix for the above problem. This should take care of it. Thanks for reporting the bug.
Reopening. No traceback this time, but same result with audit 1.7:

[joe@rawhide src2]$ rpm -q audit
audit-1.7-1.fc9.i386
[joe@rawhide src2]$ rpm -q audit-libs
audit-libs-1.7-1.fc9.i386
Segmentation fault sudo yum -c repos/build-yum.conf $NETOPTS localinstall ${sysdir}/BUILD/repo/*rpm
[joe@rawhide src2]$ ls Linux_i386/BUILD/repo/*rpm | wc -l
206
Peter, would you mind trying to reproduce this with rawhide sudo and see if the current problem is in libaudit or sudo? My test program shows the library is working. Thanks.

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <libaudit.h>

#define SIZE 10000

int main(void)
{
	int fd, rc;
	char *cmd;

	/* open a netlink socket to the audit system */
	if ((fd = audit_open()) < 0) {
		printf("failed opening\n");
		return 1;
	}

	/* build a SIZE-1 byte command string of 'A's, NUL-terminated */
	cmd = malloc(SIZE);
	memset(cmd, 'A', SIZE);
	cmd[SIZE-1] = 0;
	printf("sending: %s\n", cmd);

	/* log it as a user command; this is the call sudo crashed in */
	rc = audit_log_user_command(fd, AUDIT_USER, cmd, NULL, 1);
	close(fd);
	free(cmd);
	printf("rc=%d\n", rc);
	return 0;
}
After reading Steve's comment, I tried the following:

sudo echo `dd if=/dev/urandom bs=1024 count=5` >/tmp/foo

count=5 dies, count=4 doesn't.

echo `dd if=/dev/urandom bs=1024 count=20` >/tmp/foo

does not die, so echo is not to blame.
> len = strlen(cmd);
> // Trim the trailing carriage return and spaces
> while (len && (cmd[len-1] == 0x0A || cmd[len-1] == ' ')) {
>         cmd[len-1] = 0;
>         len--;
> }
> p = cmd;
> strncpy(commname, cmd, PATH_MAX);
> commname[PATH_MAX] = 0;

len is still strlen(cmd), not strlen(commname) here.

> while (*p) {
>         if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
>                 _audit_c2x(commname, cmd, len);

If this triggers, it uses 2*len + 1 bytes.

* if the original cmd is larger than PAGE_SIZE, this can overflow by an unlimited length
* even if strlen(cmd) <= PAGE_SIZE, commname is one byte too small.
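The arithmetic in the review above is the whole bug: a PATH_MAX+1 byte destination is filled by an encoder that needs 2*strlen(cmd)+1 bytes whenever the command contains a quote, a byte below 0x21 (so any space) or a byte above 0x7f. The following is an added example, not libaudit's code and not from the thread: it reimplements that escaping rule so the size requirement can be checked, puts the "fixed buffer" pattern next to a version that sizes the output from the input, and constructs commands with and without a space to show which one crosses the boundary. The hex alphabet (uppercase) and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Added example, not libaudit's code. Mirrors the rule quoted in the review:
 * a command containing '"', a byte < 0x21 (space, newline, ...) or > 0x7f is
 * re-emitted as hex, two characters per input byte, plus a terminating NUL. */
static int needs_hex(const char *cmd, size_t len)
{
	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)cmd[i];
		if (c == '"' || c < 0x21 || c > 0x7f)
			return 1;
	}
	return 0;
}

/* Bytes the escaped form needs, including the NUL. Computed from the
 * original cmd, which is the length the quoted code also uses. */
size_t escaped_size(const char *cmd)
{
	size_t len = strlen(cmd);
	return needs_hex(cmd, len) ? 2 * len + 1 : len + 1;
}

/* The vulnerable pattern: a fixed PATH_MAX+1 byte destination (commname[PATH_MAX]
 * is assigned in the quoted code). Reports whether the encoder would write past
 * it instead of actually doing so. */
int would_overflow_fixed_buffer(const char *cmd)
{
	return escaped_size(cmd) > (size_t)PATH_MAX + 1;
}

/* Hardened form: allocate from the computed size, then encode. Caller frees.
 * Uppercase hex digits are an assumption of this example. */
char *encode_command(const char *cmd)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t len = strlen(cmd);
	size_t out_sz = escaped_size(cmd);
	char *out = malloc(out_sz);

	if (!out)
		return NULL;
	if (!needs_hex(cmd, len)) {
		memcpy(out, cmd, len + 1);
		return out;
	}
	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)cmd[i];
		out[2 * i] = hex[c >> 4];
		out[2 * i + 1] = hex[c & 0x0f];
	}
	out[2 * len] = '\0';
	return out;
}

/* Constructed input: n bytes of 'A', optionally with a space at index 10,
 * the same shape as the test program and the "space at character 10" note. */
char *make_cmd(size_t n, int with_space)
{
	char *cmd = malloc(n + 1);

	if (!cmd)
		return NULL;
	memset(cmd, 'A', n);
	if (with_space && n > 10)
		cmd[10] = ' ';
	cmd[n] = '\0';
	return cmd;
}

int main(void)
{
	size_t n = PATH_MAX / 2 + 1;	/* just past half the buffer */
	char *plain = make_cmd(n, 0);
	char *spaced = make_cmd(n, 1);
	char *enc = encode_command(spaced);

	printf("%zu bytes, no space:  need %zu, overflow=%d\n", n,
	       escaped_size(plain), would_overflow_fixed_buffer(plain));
	printf("%zu bytes, one space: need %zu, overflow=%d\n", n,
	       escaped_size(spaced), would_overflow_fixed_buffer(spaced));
	printf("sized allocation holds %zu encoded bytes\n", strlen(enc));
	free(enc);
	free(plain);
	free(spaced);
	return 0;
}
```

The point the two make_cmd inputs make is that the same length is safe or not depending on a single byte: without the space the string is copied as-is and fits, with the space the encoder doubles it and overruns the fixed buffer well before the input reaches PATH_MAX. This matches the behaviour reported above, where a command built from urandom (full of bytes outside 0x21..0x7f) crashes at 5 KiB but not 4 KiB.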
Thanks. Miloslav, I have just found the space in the message is the problem. :)
OK, audit-1.7-2 was built to solve this problem. I modified the above test program to add a space at character 10 and it segfaults. It's not crashing with the new library. It should be in tomorrow's push.
audit-1.7-2 fixes the problem for me, both the original issue and the test case.
Closing based on test feedback. Thanks Joe for reporting this problem!
audit-1.6.8-4.fc8 has been submitted as an update for Fedora 8
audit-1.6.8-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.