Bug 556664 - buffer overflow in star
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: star
Version: 12
Hardware: x86_64 Linux
Priority: low
Severity: high
Assigned To: Ondrej Vasik
QA Contact: Fedora Extras Quality Assurance
Blocks: 561503
Reported: 2010-01-18 20:09 EST by Unused account - please delete
Modified: 2010-02-09 00:11 EST
Fixed In Version: 1.5-9.fc12
Doc Type: Bug Fix
Last Closed: 2010-02-09 00:11:32 EST
Attachments
screenlog of a gdb session (2.26 KB, application/octet-stream)
2010-01-19 06:11 EST, Unused account - please delete
Patch to fix buffer overflow for files with length = 100 (1.12 KB, patch)
2010-01-19 09:26 EST, Ondrej Vasik
Patch to fix the buffer overflow. (448 bytes, patch)
2010-02-03 08:49 EST, Ondrej Vasik

Description Unused account - please delete 2010-01-18 20:09:11 EST
Description of problem:
After upgrading to F12, running star to create a backup always results in a crash, reporting a buffer overflow (selinux: enforcing, targeted-policy)

Version-Release number of selected component (if applicable):
star-1.5-8.fc12.x86_64

How reproducible:
always

Steps to Reproduce:
1. run (as root): star -c -H=exustar -xattr -file=/mnt/bak/87.106.208.227-_-20100119004527.star.bz2 -xdev -FFF -j -C / .
2. wait approx 1 min.
Actual results:
After writing approx 40MB of data to the specified archive, star crashes with the following message:
*** buffer overflow detected ***: star terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x39826f75e7]
/lib64/libc.so.6[0x39826f5600]
star[0x424c90]
star[0x415fc6]
star[0x416cb6]
======= Memory map: ========

Expected results:
star does not crash

Additional info:
selinux settings are pretty much standard. I tried enabling allow_execheap and allow_execmod without success (exactly the same crash report)

-Fritz
Comment 1 Ondrej Vasik 2010-01-19 01:47:15 EST
Thanks for the report; fortify-fail buffer overflows in F-11/F-12 are usually caused by the new fortify_sources checks in glibc/gcc - previously valid source code now crashes.
I'll try to check that one. Btw., in F-12 there is a nice tool, ABRT, for reporting such issues/crash bug reports - it tries to download the required debuginfo packages, which makes the backtrace much more useful.
Comment 2 Unused account - please delete 2010-01-19 06:10:54 EST
Sorry for missing that (this is a stripped-down server installation (specifically: without a running dbus - which AFAIK is required by abrtd)). However, in the meantime, I installed the relevant debuginfo and ran a gdm session manually. Attached is a gzipped screenlog of that gdb session. This reveals the bug: apparently there are some remnants in the code from the old tar days, where the path limit was still 100 chars. As soon as a file with a path length > 100 chars (in this specific case: 101 chars) is to be archived, the bug hits.
Comment 3 Unused account - please delete 2010-01-19 06:11:51 EST
Created attachment 385387 [details]
screenlog of a gdb session
Comment 4 Unused account - please delete 2010-01-19 06:13:25 EST
Oops, typo in my previous message: s/gdm/gdb/
Comment 5 Unused account - please delete 2010-01-19 06:20:38 EST
.. And another mistake by me: the path in question is *exactly* 100 chars, *not* 101....
Comment 6 Ondrej Vasik 2010-01-19 08:42:09 EST
Ok, I could reproduce it. You are right - star (in longnames.c) is trying to copy the shortname (100 chars of path) to the buffer - which is only 100 bytes - so the null terminator seems to cause a buffer overflow in the case of files with length 100+. Just fixing this off-by-one issue seems to solve the problem, but I would like to check it a bit more to see if my patch is really a good way to solve the problem.
Comment 7 Ondrej Vasik 2010-01-19 09:26:26 EST
Created attachment 385409 [details]
Patch to fix buffer overflow for files with length = 100

This is the patch which fixes the buffer overflow issue for me. But I have to check if it is the correct way to solve the issue.
Comment 8 Unused account - please delete 2010-01-19 09:46:24 EST
I'm rebuilding the RPM here with this patch right now. I'll let you know how it works out on my machine later ...
Comment 9 Unused account - please delete 2010-01-19 21:01:42 EST
Ok, looks good. Complete backup of 200G finished without any prob.
Thanks for the fast response and fix.
 -Fritz
Comment 10 Ondrej Vasik 2010-01-20 01:27:54 EST
Thanks for confirmation of the fix - I'll check it for some corner cases to ensure myself that it is not breaking some functionality / bringing some regression and then I'll make star update.
Comment 11 Andre Robatino 2010-02-02 09:34:02 EST
What is the status of this?  I seem to be hitting it repeatedly - I checked one of the files it hit just before crashing and it's exactly 100 characters.
Comment 12 Ondrej Vasik 2010-02-02 10:20:04 EST
The patch fixing the issue for star-type headers is attached to this bugzilla ... but that's possibly not the right way to fix the issue. The problem is that for pax, ustar, suntar, xstar, xustar and exustar, star has the limit for the shortname the same as the buffer size - which causes a buffer overflow with the new glibc fortify_sources checks. The gnutar, tar and v7tar header types should be safe without my patch - as they have a 99+XXX format. However, they are affected by my patch - as I fix the off-by-one problem even for them - which causes longname complaints for a 99-char-long name, which is completely valid.
The names should be split 100(+155 usually) in star-type formats. The buffer for the shortname is 100 bytes - therefore with length 100 you have no \0 terminator there - and strcpy just causes a buffer overflow error. Probably using strncpy would be a better way of solving that issue, but I have to check if it works correctly for all the formats (the current patch does not, and changes to the headers would mean breaking specifications)...
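The boundary described in comments 6 and 12, shown as an added example that is not star's code and not either attached patch: a 100-byte name field (with a 155-byte prefix) is NUL-terminated only when the name is shorter than the field, so strcpy() of a 100-character name writes one byte past it, while a length-bounded memcpy() into a zeroed field does not. The header struct and the helper names (split_name, split_field_len) are hypothetical, and the sample paths in the comments are constructed.

```c
#include <string.h>
#define NAMSIZ 100  /* ustar "name" field: NUL-terminated only when shorter */
#define PFXSIZ 155  /* ustar "prefix" field: same rule */

/* Hypothetical header for this example: it mirrors the ustar field sizes
 * discussed in the bug, not star's own header layout. */
struct hdr {
    char name[NAMSIZ];
    char prefix[PFXSIZ];
};

/* Length of a fixed-size field that may legitimately lack a terminator. */
static size_t field_len(const char *f, size_t max)
{
    size_t n = 0;
    while (n < max && f[n] != '\0') n++;
    return n;
}

/* Split path into prefix/name as the 100(+155) formats require.
 * Returns 0 on success, -1 when the path needs a long-name extension. */
int split_name(const char *path, struct hdr *h)
{
    size_t len = strlen(path);
    const char *slash;
    memset(h, 0, sizeof *h);
    if (len <= NAMSIZ) {
        /* strcpy() would write len + 1 bytes: for len == 100 that is one byte
         * past the field, which is what the fortify check caught. Copying
         * exactly len bytes into the zeroed field keeps the format's rule. */
        memcpy(h->name, path, len);
        return 0;
    }
    /* Rightmost '/' whose tail fits in name and whose head fits in prefix. */
    for (slash = path + len - 1; slash > path; slash--) {
        size_t plen = (size_t)(slash - path), nlen = len - plen - 1;
        if (*slash == '/' && nlen > 0 && nlen <= NAMSIZ && plen <= PFXSIZ) {
            memcpy(h->prefix, path, plen);
            memcpy(h->name, slash + 1, nlen);
            return 0;
        }
    }
    return -1;
}

/* Stored length of field `which` (0 = name, 1 = prefix), or -1 on failure. */
int split_field_len(const char *path, int which)
{
    struct hdr h;
    if (split_name(path, &h) != 0) return -1;
    return (int)(which ? field_len(h.prefix, PFXSIZ) : field_len(h.name, NAMSIZ));
}
```

A 100-character path lands entirely in the name field with no terminator, which is why any later strlen()-style read of that field must be bounded as field_len() is.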
Comment 13 Fedora Update System 2010-02-03 08:06:03 EST
star-1.5-9.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/star-1.5-9.fc12
Comment 14 Ondrej Vasik 2010-02-03 08:49:16 EST
Created attachment 388531 [details]
Patch to fix the buffer overflow.
Comment 15 Fedora Update System 2010-02-04 20:17:34 EST
star-1.5-9.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update star'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1424
Comment 16 Fedora Update System 2010-02-09 00:11:27 EST
star-1.5-9.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
