Bug 626067 - Chkrootkit - "Stack Smashing"
Summary: Chkrootkit - "Stack Smashing"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: chkrootkit
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-08-21 19:16 UTC by Arthur Dent
Modified: 2014-03-17 05:59 UTC
CC List: 4 users

Fixed In Version: chkrootkit-0.49-3.el5
Clone Of:
Clones: 1069632
Environment:
Last Closed: 2010-10-28 06:10:57 UTC
Type: ---
Embargoed:


Attachments
Result of ps ax -o "tty,pid,ruser,args" (10.40 KB, application/octet-stream), 2010-10-14 18:19 UTC, Arthur Dent
updated chkrootkit-0.49-chkutmp-outofbounds.patch (1.96 KB, patch), 2010-10-14 20:39 UTC, Michael Schwendt

Description Arthur Dent 2010-08-21 19:16:53 UTC
Description of problem:

I'm not sure if this is a duplicate of bug 577979 (https://bugzilla.redhat.com/show_bug.cgi?id=577979), but just in case I detail it here...

Just upgraded from F11 to F13. Installed chkrootkit using yum. It installed chkrootkit-0.48-14.fc12.i686.

On each run of chkrootkit it declares:

Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x8bbfcd]
/lib/libc.so.6[0x8bbf7a]
./chkutmp[0x8048b1a]
./chkutmp[0x8048b6c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7dacc6]
./chkutmp[0x8048681]
/usr/lib/chkrootkit-0.48/chkrootkit: line 172: 18748 Aborted                 (core dumped) ./chkutmp


Version-Release number of selected component (if applicable):

chkrootkit-0.48-14.fc12.i686

How reproducible:
Every Time

Steps to Reproduce:
1. Install Fedora 13
2. Yum install chkrootkit
3. chkrootkit
  
Actual results:

See above

Expected results:


Additional info:

Comment 1 Gwyn Ciesla 2010-08-23 15:01:57 UTC
0.49 is in koji for f14, and should work on f13.  Can you test and see if this fixes your issue?   If so I can build for f13 and push as an update.

Thanks!

http://koji.fedoraproject.org/koji/buildinfo?buildID=162682

Comment 2 Arthur Dent 2010-08-23 18:52:41 UTC
Nope. Sorry. Same problem...

# yum remove chkrootkit

Erasing        : chkrootkit-0.48-14.fc12.i686
Removed:
  chkrootkit.i686 0:0.48-14.fc12

Complete!

# rpm -Uvh chkrootkit-0.49-1.fc14.i686.rpm 
Preparing...                ########################################### [100%]
   1:chkrootkit             ########################################### [100%]

# chkrootkit

...

Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... *** stack smashing detected ***: ./chkutmp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x8bbfcd]
/lib/libc.so.6[0x8bbf7a]
./chkutmp[0x8048b22]
./chkutmp[0x8048b6c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7dacc6]
./chkutmp[0x8048681]
/usr/lib/chkrootkit-0.49/chkrootkit: line 195: 28971 Aborted                 (core dumped) ./chkutmp
Checking `OSX_RSPLUG'... not infected

Comment 3 Michael Schwendt 2010-10-13 21:02:51 UTC
*Please* redirect the output of

  ps ax -o "tty,pid,ruser,args"

to a file and attach it.

Comment 4 Michael Schwendt 2010-10-13 21:05:23 UTC
Please also run "debuginfo-install -y chkrootkit" as root user to complete the missing details in the backtrace. (I wonder why ABRT doesn't catch this crash?)

Comment 5 Arthur Dent 2010-10-14 18:19:37 UTC
Created attachment 453526 [details]
Result of ps ax -o "tty,pid,ruser,args"

Comment 6 Arthur Dent 2010-10-14 18:24:10 UTC
Well I ran the debug-info command which installed the following packages:
    glibc-debuginfo-2.12.1-2.i686
    yum-plugin-auto-update-debug-info-1.1.28-1.fc13.noarch

If this should have produced more detailed output from the cron job I'm not sure it worked. Here is the output from last night's run:

*** stack smashing detected ***: ./chkutmp terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x426fdd]
/lib/libc.so.6(+0x389f8a)[0x426f8a]
./chkutmp[0x8048b22]
./chkutmp[0x8048b6c]
/lib/libc.so.6(__libc_start_main+0xe6)[0x345cc6]
./chkutmp[0x8048681]
/usr/lib/chkrootkit-0.49/chkrootkit: line 195: 18558 Aborted                 (core dumped) ./chkutmp

I have attached the output from the ps command which you can find in the previous comment.

Thanks for your help so far...

Comment 7 Michael Schwendt 2010-10-14 19:30:30 UTC
Odd. For the chkrootkit-0.49 build from koji you would need the corresponding chkrootkit-debuginfo package, though. But perhaps whatever intercepts those crashes on your machine creates an incomplete backtrace. With the output from "ps" I could not reproduce a crash. Thank you for attaching it.


If you don't mind giving another package a try, here's a scratch-build for Fedora 13 i686 in koji,

   http://koji.fedoraproject.org/koji/taskinfo?taskID=2535549

it includes the fix for bug 577979 and corrects another problem. You may need to "rpm --oldpackage -Uvh ..." it because you've installed a .fc14 package before.

Comment 8 Arthur Dent 2010-10-14 20:23:17 UTC
Well it's so long since I've had a working version I can't remember what the output should look like (!) The output seems a bit shorter than I remember - But with that version I no longer get the stack smashing!

Here's the start and end of the run (I can send the whole output if required). Does it look OK to you?

I think this is progress. Thank you so much!

# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
[Snip...]
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         1783 tty1   /usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-mpm0uP/database -nolisten tcp vt1
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not infected
#

Comment 9 Michael Schwendt 2010-10-14 20:39:24 UTC
Created attachment 453570 [details]
updated chkrootkit-0.49-chkutmp-outofbounds.patch

combined fixes for bug 577979 and bug 626067
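
Added illustration, not chkrootkit's code and not the contents of the attached patch (which this page does not show): a bounded parser for the `ps ax -o "tty,pid,ruser,args"` output that chkutmp reads, with constructed sample lines and assumed field sizes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed lines in the `ps ax -o "tty,pid,ruser,args"` format chkutmp
 * parses. The Xorg line mirrors the long one in comment 8; the last line
 * carries an over-long command path to exercise the field bound. */
static const char *sample_ps[] = {
    "TT       PID RUSER    COMMAND",
    "?          1 root     /sbin/init",
    "tty1    1783 root     /usr/bin/Xorg :0 -nr -verbose -auth "
        "/var/run/gdm/auth-for-gdm-mpm0uP/database -nolisten tcp vt1",
    "pts/0   4242 arthur   -bash",
    "pts/1   5150 arthur   /opt/constructed/very/long/install/prefix/"
        "share/some-application/bin/some-daemon-with-a-long-name --fg",
};

/* Field sizes are assumptions; chkutmp's own buffers are not shown here. */
struct psent {
    char tty[16];
    int  pid;
    char ruser[32];
    char args[64];   /* first token of COMMAND is enough for the utmp check */
};

/* Parse one ps line into fixed-size fields. Each %s carries an explicit
 * width (buffer size minus one for the NUL), so an over-long token is cut
 * at the bound instead of written past the destination. An unbounded "%s"
 * into a stack buffer is the kind of defect that trips glibc's stack
 * protector with "*** stack smashing detected ***", as in this report.
 * Returns 1 for a process entry, 0 for the header or a malformed line. */
int parse_ps_line(const char *line, struct psent *e)
{
    memset(e, 0, sizeof *e);
    return sscanf(line, "%15s %d %31s %63s",
                  e->tty, &e->pid, e->ruser, e->args) == 4;
}

/* Count entries attached to a real tty (not '?'), i.e. the processes
 * chkutmp would go on to compare against /var/run/utmp. */
int count_tty_entries(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_ps / sizeof *sample_ps; i++) {
        struct psent e;
        if (parse_ps_line(sample_ps[i], &e) && e.tty[0] != '?')
            n++;
    }
    return n;
}
```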

Comment 10 Gwyn Ciesla 2010-10-19 13:00:59 UTC
Thanks!  I'll get this out.

Comment 11 Fedora Update System 2010-10-19 13:38:18 UTC
chkrootkit-0.49-2.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/chkrootkit-0.49-2.fc13

Comment 12 Fedora Update System 2010-10-19 13:38:29 UTC
chkrootkit-0.49-2.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/chkrootkit-0.49-2.fc12

Comment 13 Fedora Update System 2010-10-19 13:38:40 UTC
chkrootkit-0.49-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/chkrootkit-0.49-2.fc14

Comment 14 Fedora Update System 2010-10-20 03:09:27 UTC
chkrootkit-0.49-2.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update chkrootkit'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/chkrootkit-0.49-2.fc14

Comment 15 Fedora Update System 2010-10-28 06:10:46 UTC
chkrootkit-0.49-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2010-10-28 22:19:04 UTC
chkrootkit-0.49-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2010-10-28 22:19:25 UTC
chkrootkit-0.49-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Ian Forde 2012-01-24 05:45:52 UTC
RHEL5 chkrootkit from EPEL is still version 0.49-1 and appears to suffer from this problem, at least cosmetically.  Can this patch please be applied there too?

Comment 19 Fedora Update System 2014-02-25 22:18:35 UTC
chkrootkit-0.49-3.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/chkrootkit-0.49-3.el5

Comment 20 Fedora Update System 2014-02-25 22:18:49 UTC
chkrootkit-0.49-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/chkrootkit-0.49-3.el6

Comment 21 Fedora Update System 2014-03-17 05:59:07 UTC
chkrootkit-0.49-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2014-03-17 05:59:24 UTC
chkrootkit-0.49-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

