This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 511035 - strace internal memory corruption
strace internal memory corruption
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: strace (Show other bugs)
11
All Linux
low Severity high
: ---
: ---
Assigned To: Roland McGrath
Fedora Extras Quality Assurance
:
: 502218 (view as bug list)
Depends On:
Blocks: 516995
  Show dependency treegraph
 
Reported: 2009-07-13 07:53 EDT by alan
Modified: 2009-11-12 21:35 EST (History)
5 users (show)

See Also:
Fixed In Version: 4.5.19-1.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-12 21:33:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description alan 2009-07-13 07:53:13 EDT
Description of problem: strace has internal memory allocation bugs (trace below)

To reproduce:
strace -ff -o /tmp/wombat kdesu /bin/ls

works for me as a reproducer on both FC10 and FC11
[4.5.18.1.fc10]

This one is actually quite nasty because it means it may be possible to construct an attack vector
that waits for an admin to do the typical "strace -p suspicious-process"



*** glibc detected *** strace: malloc(): memory corruption (fast): 0x0000000001d18da0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3083677ec8]
/lib64/libc.so.6[0x308367b561]
/lib64/libc.so.6(__libc_malloc+0x98)[0x308367ca38]
strace[0x408728]
strace[0x40598e]
strace[0x404696]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x308361e576]
strace[0x401e69]
======= Memory map: ========
00400000-00447000 r-xp 00000000 09:03 3584297                            /usr/bin/strace
00647000-00648000 rw-p 00047000 09:03 3584297                            /usr/bin/strace
00648000-00656000 rw-p 00648000 00:00 0 
00847000-00848000 rw-p 00047000 09:03 3584297                            /usr/bin/strace
01d18000-01d39000 rw-p 01d18000 00:00 0                                  [heap]
3082200000-3082220000 r-xp 00000000 09:03 5996550                        /lib64/ld-2.9.so
308241f000-3082420000 r--p 0001f000 09:03 5996550                        /lib64/ld-2.9.so
3082420000-3082421000 rw-p 00020000 09:03 5996550                        /lib64/ld-2.9.so
3083600000-3083768000 r-xp 00000000 09:03 5996573                        /lib64/libc-2.9.so
3083768000-3083968000 ---p 00168000 09:03 5996573                        /lib64/libc-2.9.so
3083968000-308396c000 r--p 00168000 09:03 5996573                        /lib64/libc-2.9.so
308396c000-308396d000 rw-p 0016c000 09:03 5996573                        /lib64/libc-2.9.so
308396d000-3083972000 rw-p 308396d000 00:00 0 
308a200000-308a216000 r-xp 00000000 09:03 5997170                        /lib64/libgcc_s-4.3.2-20081105.so.1
308a216000-308a416000 ---p 00016000 09:03 5997170                        /lib64/libgcc_s-4.3.2-20081105.so.1
308a416000-308a417000 rw-p 00016000 09:03 5997170                        /lib64/libgcc_s-4.3.2-20081105.so.1
7f1c44000000-7f1c44021000 rw-p 7f1c44000000 00:00 0 
7f1c44021000-7f1c48000000 ---p 7f1c44021000 00:00 0 
7f1c4b963000-7f1c4b965000 rw-p 7f1c4b963000 00:00 0 
7f1c4b98c000-7f1c4b98f000 rw-p 7f1c4b98c000 00:00 0 
7fffd5d9b000-7fffd5db0000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffd5de8000-7fffd5de9000 r-xp 7fffd5de8000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted
Comment 1 Michal Nowak 2009-08-14 10:41:27 EDT
Following trace is for strace-4.5.18-2.fc11.x86_64, but it works fine with current Git. Should be fixed when strace upstream settles down and produce new version.



Core was generated by `strace -ff -o /tmp/wombat kdesu /bin/ls'.
Program terminated with signal 6, Aborted.
#0  0x000000346ac332f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Current language:  auto; currently minimal

Thread 1 (Thread 18123):
#0  0x000000346ac332f5 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x000000346ac34b20 in *__GI_abort () at abort.c:88
        act = {__sigaction_handler = {sa_handler = 0x600000008, sa_sigaction = 0x600000008}, sa_mask = {
            __val = {140735744234608, 140735744234464, 140735744234656, 140735744239942, 6, 225130530316, 3, 
              140735744234666, 6, 225130530320, 2, 140735744234654, 2, 225130521557, 1, 225130530316}}, 
          sa_flags = 3, sa_restorer = 0x7fff980ad4a6}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x000000346ac7005d in __libc_message (do_abort=2, 
    fmt=0x7fff980ad6d0 " /lib64/libc-2.10.1.so\n346af69000-346af6e000 rw-p 346af69000 00:00 0 \n3472400000-3472419000 r-xp 00000000 fd:01 2891362", ' ' <repeats 24 times>, "/lib64/libgcc_s-4.4.1-20090729.so.1\n3472419000-3472619000"...) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff980ade00, 
            reg_save_area = 0x7fff980add10}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff980ade00, 
            reg_save_area = 0x7fff980add10}}
        fd = 6
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = <value optimized out>
        cp = <value optimized out>
        written = 6
#3  0x000000346ac75a96 in malloc_printerr (action=3, str=0x346ad35f60 "munmap_chunk(): invalid pointer", 
    ptr=<value optimized out>) at malloc.c:6217
        buf = "0000000002286da0"
        cp = 0x346ad2c140 "0123456789abcdefghijklmnopqrstuvwxyz"
#4  0x000000346ac660dd in _IO_new_fclose (fp=0x2286da0) at iofclose.c:88
        status = 0
#5  0x0000000000402396 in droptcb (tcp=0x2286200) at strace.c:1337
No locals.
#6  0x000000000040288a in detach (tcp=0x2286200, sig=<value optimized out>) at strace.c:1570
        error = <value optimized out>
        status = 0
        catch_sigstop = 0
        zombie = 0x0
#7  0x0000000000403c14 in trace () at strace.c:2494
        pid = 18128
        wait_errno = <value optimized out>
        status = 1407
        tcp = 0x2286200
        ru = {ru_utime = {tv_sec = 96, tv_usec = 0}, ru_stime = {tv_sec = 0, tv_usec = 0}, ru_maxrss = 64, 
          ru_ixrss = 0, ru_idrss = 0, ru_isrss = 67108864, ru_minflt = 225129476976, ru_majflt = 0, 
          ru_nswap = 0, ru_inblock = 0, ru_oublock = 0, ru_msgsnd = 0, ru_msgrcv = 0, ru_nsignals = 0, 
          ru_nvcsw = 0, ru_nivcsw = 0}
        wait4_options = 1073741824
#8  0x0000000000404743 in main (argc=<value optimized out>, argv=0x7fff980ae178) at strace.c:879
        tcp = <value optimized out>
        c = <value optimized out>
        pid = <value optimized out>
        optF = <value optimized out>
        sa = {__sigaction_handler = {sa_handler = 0, sa_sigaction = 0}, sa_mask = {__val = {
              0 <repeats 16 times>}}, sa_flags = 0, sa_restorer = 0}
        buf = '\0' <repeats 8191 times>
Comment 2 Andreas Schwab 2009-08-18 12:02:42 EDT
*** Bug 502218 has been marked as a duplicate of this bug. ***
Comment 3 Dmitry V. Levin 2009-09-18 20:06:37 EDT
This issue was fixed in upstream git long time ago, see http://strace.git.sourceforge.net/git/gitweb.cgi?p=strace/strace;h=v4.5.18-17-ga501f14
Comment 4 Fedora Update System 2009-10-21 14:09:31 EDT
strace-4.5.19-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/strace-4.5.19-1.fc10
Comment 5 Fedora Update System 2009-10-21 14:10:08 EDT
strace-4.5.19-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/strace-4.5.19-1.fc11
Comment 6 Fedora Update System 2009-10-27 02:33:14 EDT
strace-4.5.19-1.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update strace'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-10733
Comment 7 Fedora Update System 2009-10-27 03:14:06 EDT
strace-4.5.19-1.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update strace'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10843
Comment 8 Fedora Update System 2009-11-12 21:33:09 EST
strace-4.5.19-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2009-11-12 21:34:30 EST
strace-4.5.19-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.