Bug 983542 - oscap --version terminated for smack stacking
Summary: oscap --version terminated for smack stacking
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openscap
Version: 5.10
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Peter Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-11 12:08 UTC by Lukas "krteknet" Novy
Modified: 2018-12-03 19:19 UTC (History)
CC List: 8 users

Fixed In Version: openscap-0.9.11-1.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-02 09:10:51 UTC
Target Upstream Version:
Embargoed:



Description Lukas "krteknet" Novy 2013-07-11 12:08:36 UTC
Description of problem:
While testing the new oscap for regressions, I found that running oscap --version noninteractively (exact condition in progress) causes it to abort with *** stack smashing detected ***: oscap terminated

Version-Release number of selected component (if applicable):
openscap-0.9.8-1.el5

How reproducible:
Investigating

Steps to Reproduce:
1. Run oscap --version
2. Check for exit code

Actual results:
Exit code 0

Expected results:
Nonzero exit code and *** stack smashing detected ***: oscap terminated

Additional info:

Comment 2 Daniel Kopeček 2013-07-11 12:15:03 UTC
(In reply to Lukas -krtek.net- Novy from comment #0)
> Description of problem:
> While testing the new oscap for regressions, I found that running oscap
> --version noninteractively (exact condition in progress) causes it to abort
> with *** stack smashing detected ***: oscap terminated
> 
> Version-Release number of selected component (if applicable):
> openscap-0.9.8-1.el5
> 
> How reproducible:
> Investigating
> 
> Steps to Reproduce:
> 1. Run oscap --version
> 2. Check for exit code
> 
> Actual results:
> Exit code 0
> 
> Expected results:
> Nonzero exit code and *** stack smashing detected ***: oscap terminated
> 
> Additional info:

Please run it through gdb and provide a backtrace. Thanks.

Comment 3 Lukas "krteknet" Novy 2013-07-11 13:01:19 UTC
Reproducibility doesn't depend on noninteractivity, at least on ppc64

#0  0x0f396320 in raise () from /lib/libc.so.6
#1  0x0f398024 in abort () from /lib/libc.so.6
#2  0x0f3d79a4 in __libc_message () from /lib/libc.so.6
#3  0x0f46fc68 in __stack_chk_fail () from /lib/libc.so.6
#4  0x0ff978e4 in ?? () from /usr/lib/libopenscap.so.3
#5  0x0ff32b38 in oval_probe_meta_list () from /usr/lib/libopenscap.so.3
#6  0x10005cd8 in ?? ()
#7  0x100060a8 in ?? ()
#8  0x10006e60 in ?? ()
#9  0x10005f94 in ?? ()
#10 0x0f37de20 in generic_start_main () from /lib/libc.so.6
#11 0x0f37e060 in __libc_start_main () from /lib/libc.so.6
#12 0x00000000 in ?? ()

Comment 4 Daniel Kopeček 2013-07-11 13:05:37 UTC
(In reply to Lukas -krtek.net- Novy from comment #3)
> Reproducibility doesn't depend on noninteractivity, at least on ppc64
> 
> #0  0x0f396320 in raise () from /lib/libc.so.6
> #1  0x0f398024 in abort () from /lib/libc.so.6
> #2  0x0f3d79a4 in __libc_message () from /lib/libc.so.6
> #3  0x0f46fc68 in __stack_chk_fail () from /lib/libc.so.6
> #4  0x0ff978e4 in ?? () from /usr/lib/libopenscap.so.3
> #5  0x0ff32b38 in oval_probe_meta_list () from /usr/lib/libopenscap.so.3
> #6  0x10005cd8 in ?? ()
> #7  0x100060a8 in ?? ()
> #8  0x10006e60 in ?? ()
> #9  0x10005f94 in ?? ()
> #10 0x0f37de20 in generic_start_main () from /lib/libc.so.6
> #11 0x0f37e060 in __libc_start_main () from /lib/libc.so.6
> #12 0x00000000 in ?? ()

Thanks. Is that with openscap's debuginfo loaded? Also, would it be possible to run it through valgrind? It could give us some more hints.

Comment 5 Lukas "krteknet" Novy 2013-07-11 13:12:39 UTC
with debuginfo:
#0  0x0f396320 in raise () from /lib/libc.so.6
#1  0x0f398024 in abort () from /lib/libc.so.6
#2  0x0f3d79a4 in __libc_message () from /lib/libc.so.6
#3  0x0f46fc68 in __stack_chk_fail () from /lib/libc.so.6
#4  0x0ff978e4 in __stack_chk_fail_local () from /usr/lib/libopenscap.so.3
#5  0x0ff32b38 in oval_probe_meta_list (output=0xf5003f8, flags=-1190863) at oval_probe.c:651
#6  0x10005cd8 in ?? ()
#7  0x100060a8 in ?? ()
#8  0x10006e60 in ?? ()
#9  0x10005f94 in ?? ()
#10 0x0f37de20 in generic_start_main () from /lib/libc.so.6
#11 0x0f37e060 in __libc_start_main () from /lib/libc.so.6
#12 0x00000000 in ?? ()


through valgrind:
valgrind: Bad option '--leak-check=fill'; aborting.
valgrind: Use --help for more information.
[root@ibm-js21-01 ~]# valgrind -v --leak-check=full `which oscap` --version
==3733== Memcheck, a memory error detector
==3733== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==3733== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==3733== Command: /usr/bin/oscap --version
==3733== 
--3733-- Valgrind options:
--3733--    -v
--3733--    --leak-check=full
--3733-- Contents of /proc/version:
--3733--   Linux version 2.6.18-363.el5 (mockbuild.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-54)) #1 SMP Mon Jun 24 11:53:19 EDT 2013
--3733-- Arch and hwcaps: PPC32, ppc32-int-flt-vmx-FX-GX
--3733-- Page sizes: currently 65536, max supported 65536
--3733-- Valgrind library directory: /usr/lib/valgrind
--3733-- Reading syms from /lib/ld-2.5.so (0x4400000)
--3733-- Reading syms from /usr/bin/oscap (0x10000000)
--3733-- Reading debug info from /usr/lib/debug/usr/bin/oscap.debug ..
--3733-- .. CRC mismatch (computed bbe81047 wanted b82e5e4c)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/valgrind/memcheck-ppc32-linux (0x38000000)
--3733--    object doesn't have a dynamic symbol table
--3733-- Reading suppressions file: /usr/lib/valgrind/default.supp
--3733-- REDIR: 0x44195a0 (strlen) redirected to 0x38049684 (vgPlain_ppc32_linux_REDIR_FOR_strlen)
--3733-- REDIR: 0x44194b0 (strcmp) redirected to 0x380496ac (vgPlain_ppc32_linux_REDIR_FOR_strcmp)
--3733-- REDIR: 0x44193d0 (index) redirected to 0x38049720 (vgPlain_ppc32_linux_REDIR_FOR_strchr)
--3733-- Reading syms from /usr/lib/valgrind/vgpreload_core-ppc32-linux.so (0xffd0000)
--3733-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-ppc32-linux.so (0xffa0000)
--3733-- REDIR: 0x4419a80 (bcmp) redirected to 0xffa6100 (bcmp)
--3733-- REDIR: 0x441ae60 (memcpy) redirected to 0xffa80c0 (memcpy)
--3733-- REDIR: 0x441ac20 (mempcpy) redirected to 0xffa7650 (mempcpy)
--3733-- Reading syms from /usr/lib/libopenscap.so.3.3.0 (0xfe80000)
--3733-- Reading debug info from /usr/lib/debug/usr/lib/libopenscap.so.3.3.0.debug ..
--3733-- Reading syms from /usr/lib/libcurl.so.3.0.0 (0xfe10000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libgssapi_krb5.so.2.2 (0xfdb0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libkrb5.so.3.3 (0xfce0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libk5crypto.so.3.1 (0xfc90000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libcom_err.so.2.1 (0xfc60000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libidn.so.11.5.19 (0xfc00000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libssl.so.0.9.8e (0xfb90000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libcrypto.so.0.9.8e (0xfa00000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libexslt.so.0.8.13 (0xf9c0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libxslt.so.1.1.17 (0xf960000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libgcrypt.so.11.5.2 (0xf8b0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libdl-2.5.so (0xf870000)
--3733-- Reading syms from /usr/lib/libgpg-error.so.0.3.0 (0xf840000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libpthread-2.5.so (0xf7f0000)
--3733-- Reading syms from /lib/librt-2.5.so (0xf7b0000)
--3733-- Reading syms from /lib/libpcre.so.0.0.1 (0xf770000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /usr/lib/libxml2.so.2.6.26 (0xf5f0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libz.so.1.2.3 (0xf5b0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libm-2.5.so (0xf4c0000)
--3733-- Reading syms from /lib/libc-2.5.so (0xf300000)
--3733-- Reading syms from /usr/lib/libkrb5support.so.0.1 (0xf2d0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libkeyutils-1.2.so (0xf2a0000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libresolv-2.5.so (0xf250000)
--3733-- Reading syms from /lib/libselinux.so.1 (0xf200000)
--3733--    object doesn't have a symbol table
--3733-- Reading syms from /lib/libsepol.so.1 (0xf190000)
--3733--    object doesn't have a symbol table
--3733-- REDIR: 0xf38c360 (memset) redirected to 0xffa6190 (memset)
--3733-- REDIR: 0xf38ce20 (memcpy) redirected to 0xffa82d0 (memcpy)
--3733-- REDIR: 0xf38aa60 (rindex) redirected to 0xffa56f0 (rindex)
--3733-- REDIR: 0xf3856c0 (malloc) redirected to 0xffa4558 (malloc)
--3733-- REDIR: 0xf38b2b0 (memchr) redirected to 0xffa5f60 (memchr)
--3733-- REDIR: 0xf38cc50 (strncasecmp) redirected to 0xffa7020 (strncasecmp)
--3733-- REDIR: 0xf38a7e0 (strncmp) redirected to 0xffa5ce0 (strncmp)
--3733-- REDIR: 0xf38a518 (strlen) redirected to 0xffa5c20 (strlen)
--3733-- REDIR: 0xf382b10 (free) redirected to 0xffa3fd8 (free)
--3733-- REDIR: 0xf38c5a0 (mempcpy) redirected to 0xffa77b0 (mempcpy)
--3733-- REDIR: 0xf385e40 (realloc) redirected to 0xffa464c (realloc)
--3733-- REDIR: 0xf389cb0 (index) redirected to 0xffa5820 (index)
--3733-- REDIR: 0xf38a980 (strncpy) redirected to 0xffa84e0 (strncpy)
--3733-- REDIR: 0xf389d90 (strcmp) redirected to 0xffa5db0 (strcmp)
OSCAP util (oscap) 0.9.8
Copyright 2009--2013 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
XCCDF Version: 1.2
OVAL Version: 5.10.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1

==== Paths ====
Schema files: /usr/share/openscap/schemas
Schematron files: /usr/share/openscap/xsl
Default CPE files: /usr/share/openscap/cpe
Probes: /usr/libexec/openscap

==== Inbuilt CPE names ====
--3733-- REDIR: 0xf389ec0 (strcpy) redirected to 0xffa8680 (strcpy)
--3733-- REDIR: 0xf38b400 (bcmp) redirected to 0xffa6070 (bcmp)
--3733-- REDIR: 0xf38bef0 (memmove) redirected to 0xffa6210 (memmove)
--3733-- REDIR: 0xf3851d0 (calloc) redirected to 0xffa32dc (calloc)
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Fedora 16 - cpe:/o:fedoraproject:fedora:16
Fedora 17 - cpe:/o:fedoraproject:fedora:17
Fedora 18 - cpe:/o:fedoraproject:fedora:18
Fedora 19 - cpe:/o:fedoraproject:fedora:19

==== Supported OVAL objects and associated OpenSCAP probes ====
system_info                  probe_system_info           
family                       probe_family                
filehash                     probe_filehash              
environmentvariable          probe_environmentvariable   
textfilecontent54            probe_textfilecontent54     
textfilecontent              probe_textfilecontent       
variable                     probe_variable              
xmlfilecontent               probe_xmlfilecontent        
environmentvariable58        probe_environmentvariable58 
filehash58                   probe_filehash58            
inetlisteningservers         probe_inetlisteningservers  
rpminfo                      probe_rpminfo               
partition                    probe_partition             
iflisteners                  probe_iflisteners           
rpmverify                    probe_rpmverify             
rpmverifyfile                probe_rpmverifyfile         
rpmverifypackage             probe_rpmverifypackage      
selinuxboolean               probe_selinuxboolean        
selinuxsecuritycontext       probe_selinuxsecuritycontext
file                         probe_file                  
interface                    probe_interface             
password                     probe_password              
process                      probe_process               
runlevel                     probe_runlevel              
shadow                       probe_shadow                
uname                        probe_uname                 
xinetd                       probe_xinetd                
sysctl                       probe_sysctl                
process58                    probe_process58             
fileextendedattribute        probe_fileextendedattribute 
routingtable                 probe_routingtable          
--3733-- REDIR: 0xf38dd50 (strchrnul) redirected to 0xffa62b0 (strchrnul)
*** stack smashing detected ***: /usr/bin/oscap terminated
==3733== 
==3733== Process terminating with default action of signal 6 (SIGABRT): dumping core
==3733==    at 0xF336320: raise (in /lib/libc-2.5.so)
==3733==    by 0xF338023: abort (in /lib/libc-2.5.so)
==3733==    by 0xF3779A3: __libc_message (in /lib/libc-2.5.so)
==3733==    by 0xF40FC67: __stack_chk_fail (in /lib/libc-2.5.so)
==3733==    by 0xFF378E3: __stack_chk_fail_local (in /usr/lib/libopenscap.so.3.3.0)
==3733==    by 0xFED2B37: oval_probe_meta_list (oval_probe.c:651)
==3733==    by 0x10005CD7: ??? (in /usr/bin/oscap)
==3733==    by 0x100060A7: ??? (in /usr/bin/oscap)
==3733==    by 0x10006E5F: ??? (in /usr/bin/oscap)
==3733==    by 0x10005F93: ??? (in /usr/bin/oscap)
==3733==    by 0xF31DE1F: (below main) (in /lib/libc-2.5.so)
==3733== 
==3733== HEAP SUMMARY:
==3733==     in use at exit: 7,150 bytes in 289 blocks
==3733==   total heap usage: 846 allocs, 557 frees, 205,738 bytes allocated
==3733== 
==3733== Searching for pointers to 289 not-freed blocks
==3733== Checked 2,111,184 bytes
==3733== 
==3733== LEAK SUMMARY:
==3733==    definitely lost: 0 bytes in 0 blocks
==3733==    indirectly lost: 0 bytes in 0 blocks
==3733==      possibly lost: 0 bytes in 0 blocks
==3733==    still reachable: 7,150 bytes in 289 blocks
==3733==         suppressed: 0 bytes in 0 blocks
==3733== Reachable blocks (those to which a pointer was found) are not shown.
==3733== To see them, rerun with: --leak-check=full --show-reachable=yes
==3733== 
==3733== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 7 from 5)
--3733-- 
--3733-- used_suppression:      3 dl-hack3
--3733-- used_suppression:      4 dl-hack1
==3733== 
==3733== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 7 from 5)
Aborted

Comment 6 Lukas "krteknet" Novy 2013-07-11 13:32:24 UTC
version 0.9.9
#0  0x0f396320 in raise () from /lib/libc.so.6
#1  0x0f398024 in abort () from /lib/libc.so.6
#2  0x0f3d79a4 in __libc_message () from /lib/libc.so.6
#3  0x0f46fc68 in __stack_chk_fail () from /lib/libc.so.6
#4  0x0ff99c84 in __stack_chk_fail_local () from /usr/lib/libopenscap.so.3
#5  0x0ff33358 in oval_probe_meta_list (output=0xf5003f8, flags=-6171599) at oval_probe.c:509
#6  0x10005d18 in ?? ()
#7  0x100060e8 in ?? ()
#8  0x10006ea0 in ?? ()
#9  0x10005fd4 in ?? ()
#10 0x0f37de20 in generic_start_main () from /lib/libc.so.6
#11 0x0f37e060 in __libc_start_main () from /lib/libc.so.6
#12 0x00000000 in ?? ()


from ppc64 version 0.9.9
#0  0x0000040000c52a84 in .raise () from /lib64/libc.so.6
#1  0x0000040000c54a94 in .abort () from /lib64/libc.so.6
#2  0x0000040000c918f4 in .__libc_message () from /lib64/libc.so.6
#3  0x0000040000d2c4d8 in .__stack_chk_fail () from /lib64/libc.so.6
#4  0x000004000011495c in oval_probe_meta_list (output=0x40000db0690, flags=38) at oval_probe.c:509
#5  0x0000000010007ad0 in print_versions (action=<value optimized out>) at oscap.c:160
#6  0x0000000010007f48 in oscap_module_call (action=<value optimized out>) at oscap-tool.c:261
#7  0x0000000010008e20 in oscap_module_process (module=0x10026490, argc=2, argv=<value optimized out>) at oscap-tool.c:346
#8  0x0000000010007dec in main (argc=2, argv=0xfffffd8f728) at oscap.c:78
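
The "*** stack smashing detected ***" message and the __stack_chk_fail / __stack_chk_fail_local frames in the backtraces above come from GCC's stack protector: some function wrote past a local buffer and overwrote the canary the compiler placed in front of the saved return address, so the function epilogue aborts instead of returning. The C program below is an added example, not openscap code, and it does not reproduce the actual oval_probe_meta_list defect (the bug never says what it is). It models the same kind of task, formatting the object/probe table that oscap --version prints, with a hypothetical unbounded write kept for contrast beside the bounded form that reports truncation rather than corrupting the stack. The struct, function names and sample rows are constructed for the example. Build with gcc -fstack-protector -Wall.

```c
/* Added example, not openscap code: a stack-protector abort and its bounded fix.
 * Build: gcc -fstack-protector -Wall canary_demo.c -o canary_demo                */
#include <stdio.h>
#include <string.h>

/* One row of the "object -> probe" table; the type is constructed for the example. */
struct probe_meta {
    const char *object;
    const char *probe;
};

/* Constructed sample rows, modelled on the table printed by oscap --version above. */
static const struct probe_meta SAMPLE[] = {
    { "system_info",            "probe_system_info" },
    { "rpminfo",                "probe_rpminfo" },
    { "selinuxsecuritycontext", "probe_selinuxsecuritycontext" },
};
#define SAMPLE_ROWS (sizeof SAMPLE / sizeof SAMPLE[0])

/* Hypothetical unsafe pattern, kept only for contrast and never called here.
 * The local buffer was sized on an assumption about the longest name, and
 * sprintf writes whatever the row needs. A row longer than assumed lands past
 * the buffer, on top of the canary GCC placed before the saved return address;
 * on return the epilogue calls __stack_chk_fail, which prints
 * "*** stack smashing detected ***" and aborts, the exact frames seen above. */
void format_row_unchecked(const struct probe_meta *row, FILE *out)
{
    char line[48];                                        /* fits rows 0 and 1, not row 2 */
    sprintf(line, "%-28s %s", row->object, row->probe);   /* unbounded write */
    fputs(line, out);
    fputc('\n', out);
}

/* Hardened form: snprintf never writes more than cap bytes and returns the
 * length it wanted, so an oversized row becomes an error instead of corruption.
 * Returns the row length on success or -1 if the row did not fit. */
static int format_row(const struct probe_meta *row, char *line, size_t cap)
{
    int n = snprintf(line, cap, "%-28s %s", row->object, row->probe);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Convenience wrapper: width of sample row idx when formatted into cap bytes (cap <= 128). */
int sample_row_width(size_t idx, size_t cap)
{
    char line[128];
    if (idx >= SAMPLE_ROWS || cap > sizeof line)
        return -1;
    return format_row(&SAMPLE[idx], line, cap);
}

/* Print the table using a cap-byte line buffer (cap is clamped to 128).
 * Returns the number of rows printed, or -1 as soon as a row does not fit. */
int print_probe_table(const struct probe_meta *rows, size_t nrows, size_t cap, FILE *out)
{
    char line[128];
    if (cap > sizeof line)
        cap = sizeof line;
    for (size_t i = 0; i < nrows; i++) {
        if (format_row(&rows[i], line, cap) < 0)
            return -1;
        fputs(line, out);
        fputc('\n', out);
    }
    return (int)nrows;
}

int main(void)
{
    /* Same rows, two buffer sizes: the small one reports the problem instead of aborting. */
    if (print_probe_table(SAMPLE, SAMPLE_ROWS, 48, stdout) < 0)
        fputs("row too long for a 48-byte line buffer; refused, stack intact\n", stderr);
    return print_probe_table(SAMPLE, SAMPLE_ROWS, 128, stdout) == (int)SAMPLE_ROWS ? 0 : 1;
}
```

The third sample row needs 57 bytes ("%-28s" pads the object name to 28, then a space, then the 28-character probe name), so with a 48-byte buffer the bounded version returns -1 and prints nothing further, while the unchecked version would have written 10 bytes past the buffer and tripped the canary on return. In a real triage the useful part of the backtrace is the first frame with a file and line (here oval_probe.c:509 in oval_probe_meta_list); the __stack_chk_fail frames above it are the detector, not the cause.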

Comment 8 RHEL Program Management 2013-07-12 06:37:23 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 10 Lukas "krteknet" Novy 2013-07-12 10:49:51 UTC
Choosing mainstream 5.9, 5.9.Z or 5.10 makes no difference.

