[Vm-dev] Re: [Pharo-dev] Buffer overflow in VM?

Nicolas Cellier nicolas.cellier.aka.nice at gmail.com
Sun Mar 23 20:14:43 UTC 2014


Obviously, various sprintf invocations are not protected...


2014-03-18 1:30 GMT+01:00 <btc at openinworld.com>:

>
> Forwarded to VM list.
>
>
> Jan Vrany wrote:
>
>> Hi guys,
>>
>> when validating fix from Ben, I found another interesting thing:
>>
>> 1) Create quite a deeply nested directory, in my case full path was:
>>
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf
>>
>> (yes, it's that crazy, nevertheless perfectly valid. 248 bytes in
>> total.)
>>
>> 2) Download the latest Pharo into the inner-most directory:
>>   wget -O- get.pharo.org/30+vm | bash
>>
>> 3) run it:
>>    ./pharo-ui Pharo.image
>>
>> The VM crashes, producing the following on stdout/err:
>>
>> *** buffer overflow detected ***: /home/jv/Projects/Pharo/3.0/
>> dsdsadasdsadasdas/DasDasDasdASdASdASDasDas/das/das/das/dasd/
>> dasdasdastget4efdsfsd/dasdasdasdasda/dadasdasdasdas/
>> dasdasdadasdasdadasdasdasdasdasdasdasdsadas/
>> dadasdasdasdasrewgdfgbfdcghbcfgdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo
>> terminated
>> ======= Backtrace: =========
>> /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x65)[0xf763ded5]
>> /lib/i386-linux-gnu/libc.so.6(+0x103c8a)[0xf763cc8a]
>> /lib/i386-linux-gnu/libc.so.6(+0x1032e8)[0xf763c2e8]
>> /lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x91)[0xf75ac501]
>> /lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x2352)[0xf757de02]
>> /lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xc9)[0xf763c3b9]
>> /lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0xf763c2cf]
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo[0x8098763]
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo(ioLoadModule+0x172)[0x8098a72]
>>
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo(queryLoadModule+0x123)[0x809a393]
>>
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo(queryModule+0x1f)[0x809a47f]
>>
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo(main+0x4e9)[0x805b519]
>> /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xf75524d3]
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo[0x805b5f1]
>> ======= Memory map: ========
>> 08048000-0812c000 r-xp 00000000 fc:00 5779868
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo
>> 0812c000-0812d000 r--p 000e3000 fc:00 5779868
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo
>> 0812d000-08137000 rw-p 000e4000 fc:00 5779868
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/pharo
>> 08137000-08173000 rw-p 00000000 00:00 0
>> 08b12000-08b33000 rw-p 00000000 00:00 0  [heap]
>> f6f5d000-f6f79000 r-xp 00000000 fc:00 2913365
>>  /lib/i386-linux-gnu/libgcc_s.so.1
>> f6f79000-f6f7a000 r--p 0001b000 fc:00 2913365
>>  /lib/i386-linux-gnu/libgcc_s.so.1
>> f6f7a000-f6f7b000 rw-p 0001c000 fc:00 2913365
>>  /lib/i386-linux-gnu/libgcc_s.so.1
>> f6f7b000-f6f82000 r-xp 00000000 fc:00 2989741  /lib/i386-linux-gnu/
>> librt-2.15.so
>> f6f82000-f6f83000 r--p 00006000 fc:00 2989741  /lib/i386-linux-gnu/
>> librt-2.15.so
>> f6f83000-f6f84000 rw-p 00007000 fc:00 2989741  /lib/i386-linux-gnu/
>> librt-2.15.so
>> f6f84000-f6f89000 r-xp 00000000 fc:00 3841794  /usr/lib/i386-linux-gnu/
>> libXdmcp.so.6.0.0
>> f6f89000-f6f8a000 r--p 00004000 fc:00 3841794  /usr/lib/i386-linux-gnu/
>> libXdmcp.so.6.0.0
>> f6f8a000-f6f8b000 rw-p 00005000 fc:00 3841794  /usr/lib/i386-linux-gnu/
>> libXdmcp.so.6.0.0
>> f6f8b000-f6f8d000 r-xp 00000000 fc:00 3841792  /usr/lib/i386-linux-gnu/
>> libXau.so.6.0.0
>> f6f8d000-f6f8e000 r--p 00001000 fc:00 3841792  /usr/lib/i386-linux-gnu/
>> libXau.so.6.0.0
>> f6f8e000-f6f8f000 rw-p 00002000 fc:00 3841792  /usr/lib/i386-linux-gnu/
>> libXau.so.6.0.0
>> f6f8f000-f6f9a000 r-xp 00000000 fc:00 3801636  /usr/lib/i386-linux-gnu/
>> libdrm.so.2.4.0
>> f6f9a000-f6f9b000 r--p 0000a000 fc:00 3801636  /usr/lib/i386-linux-gnu/
>> libdrm.so.2.4.0
>> f6f9b000-f6f9c000 rw-p 0000b000 fc:00 3801636  /usr/lib/i386-linux-gnu/
>> libdrm.so.2.4.0
>> f6f9c000-f6fbc000 r-xp 00000000 fc:00 3846353  /usr/lib/i386-linux-gnu/
>> libxcb.so.1.1.0
>> f6fbc000-f6fbd000 r--p 0001f000 fc:00 3846353  /usr/lib/i386-linux-gnu/
>> libxcb.so.1.1.0
>> f6fbd000-f6fbe000 rw-p 00020000 fc:00 3846353  /usr/lib/i386-linux-gnu/
>> libxcb.so.1.1.0
>> f6fbe000-f6fd4000 r-xp 00000000 fc:00 3843823  /usr/lib/i386-linux-gnu/
>> libxcb-glx.so.0.0.0
>> f6fd4000-f6fd5000 r--p 00016000 fc:00 3843823  /usr/lib/i386-linux-gnu/
>> libxcb-glx.so.0.0.0
>> f6fd5000-f6fd6000 rw-p 00017000 fc:00 3843823  /usr/lib/i386-linux-gnu/
>> libxcb-glx.so.0.0.0
>> f6fd6000-f6fdb000 r-xp 00000000 fc:00 3846389  /usr/lib/i386-linux-gnu/
>> libXfixes.so.3.1.0
>> f6fdb000-f6fdc000 r--p 00004000 fc:00 3846389  /usr/lib/i386-linux-gnu/
>> libXfixes.so.3.1.0
>> f6fdc000-f6fdd000 rw-p 00005000 fc:00 3846389  /usr/lib/i386-linux-gnu/
>> libXfixes.so.3.1.0
>> f6fdd000-f6fdf000 r-xp 00000000 fc:00 3843329  /usr/lib/i386-linux-gnu/
>> libXdamage.so.1.1.0
>> f6fdf000-f6fe0000 r--p 00001000 fc:00 3843329  /usr/lib/i386-linux-gnu/
>> libXdamage.so.1.1.0
>> f6fe0000-f6fe1000 rw-p 00002000 fc:00 3843329  /usr/lib/i386-linux-gnu/
>> libXdamage.so.1.1.0
>> f6fe1000-f6ff1000 r-xp 00000000 fc:00 3846377  /usr/lib/i386-linux-gnu/
>> libXext.so.6.4.0
>> f6ff1000-f6ff2000 r--p 0000f000 fc:00 3846377  /usr/lib/i386-linux-gnu/
>> libXext.so.6.4.0
>> f6ff2000-f6ff3000 rw-p 00010000 fc:00 3846377  /usr/lib/i386-linux-gnu/
>> libXext.so.6.4.0
>> f6ff3000-f7126000 r-xp 00000000 fc:00 3846357  /usr/lib/i386-linux-gnu/
>> libX11.so.6.3.0
>> f7126000-f7127000 r--p 00132000 fc:00 3846357  /usr/lib/i386-linux-gnu/
>> libX11.so.6.3.0
>> f7127000-f712a000 rw-p 00133000 fc:00 3846357  /usr/lib/i386-linux-gnu/
>> libX11.so.6.3.0
>> f712a000-f7181000 r-xp 00000000 fc:00 3806685
>>  /usr/lib/i386-linux-gnu/mesa/libGL.so.1.2.0
>> f7181000-f7183000 r--p 00056000 fc:00 3806685
>>  /usr/lib/i386-linux-gnu/mesa/libGL.so.1.2.0
>> f7183000-f7188000 rwxp 00058000 fc:00 3806685
>>  /usr/lib/i386-linux-gnu/mesa/libGL.so.1.2.0
>> f71ac000-f71c4000 r-xp 00000000 fc:00 5779870
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/vm-display-X11
>> f71c4000-f71c5000 r--p 00017000 fc:00 5779870
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/vm-display-X11
>> f71c5000-f71c6000 rw-p 00018000 fc:00 5779870
>> /home/jv/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf/pharo-vm/vm-display-X11
>> f71c6000-f71c7000 rw-p 00000000 00:00 0
>> f71c7000-f71c8000 r--p 00461000 fc:00 3688627
>>  /usr/lib/locale/locale-archive
>> f71c8000-f7338000 r--p 001bc000 fc:00 3688627
>>  /usr/lib/locale/locale-archive
>> f7338000-f7538000 r--p 00000000 fc:00 3688627
>>  /usr/lib/locale/locale-archive
>> f7538000-f7539000 rw-p 00000000 00:00 0
>> f7539000-f76dd000 r-xp 00000000 fc:00 2989731  /lib/i386-linux-gnu/
>> libc-2.15.so
>> f76dd000-f76de000 ---p 001a4000 fc:00 2989731  /lib/i386-linux-gnu/
>> libc-2.15.so
>> f76de000-f76e0000 r--p 001a4000 fc:00 2989731  /lib/i386-linux-gnu/
>> libc-2.15.so
>> f76e0000-f76e1000 rw-p 001a6000 fc:00 2989731  /lib/i386-linux-gnu/
>> libc-2.15.so
>> f76e1000-f76e4000 rw-p 00000000 00:00 0
>> f76e4000-f76fb000 r-xp 00000000 fc:00 2989747  /lib/i386-linux-gnu/
>> libpthread-2.15.so
>> f76fb000-f76fc000 r--p 00016000 fc:00 2989747  /lib/i386-linux-gnu/
>> libpthread-2.15.so
>> f76fc000-f76fd000 rw-p 00017000 fc:00 2989747  /lib/i386-linux-gnu/
>> libpthread-2.15.so
>> f76fd000-f7700000 rw-p 00000000 00:00 0
>> f7700000-f7703000 r-xp 00000000 fc:00 2989746  /lib/i386-linux-gnu/
>> libdl-2.15.so
>> f7703000-f7704000 r--p 00002000 fc:00 2989746  /lib/i386-linux-gnu/
>> libdl-2.15.so
>> f7704000-f7705000 rw-p 00003000 fc:00 2989746  /lib/i386-linux-gnu/
>> libdl-2.15.so
>> f7705000-f772f000 r-xp 00000000 fc:00 2989763  /lib/i386-linux-gnu/
>> libm-2.15.so
>> f772f000-f7730000 r--p 00029000 fc:00 2989763  /lib/i386-linux-gnu/
>> libm-2.15.so
>> f7730000-f7731000 rw-p 0002a000 fc:00 2989763  /lib/i386-linux-gnu/
>> libm-2.15.so
>> f7735000-f7736000 rw-p 00000000 00:00 0
>> f7736000-f773a000 r-xp 00000000 fc:00 3846693  /usr/lib/i386-linux-gnu/
>> libXxf86vm.so.1.0.0
>> f773a000-f773b000 r--p 00003000 fc:00 3846693  /usr/lib/i386-linux-gnu/
>> libXxf86vm.so.1.0.0
>> f773b000-f773c000 rw-p 00004000 fc:00 3846693  /usr/lib/i386-linux-gnu/
>> libXxf86vm.so.1.0.0
>> f773c000-f773d000 r-xp 00000000 fc:00 3843521  /usr/lib/i386-linux-gnu/
>> libX11-xcb.so.1.0.0
>> f773d000-f773e000 r--p 00000000 fc:00 3843521  /usr/lib/i386-linux-gnu/
>> libX11-xcb.so.1.0.0
>> f773e000-f773f000 rw-p 00001000 fc:00 3843521  /usr/lib/i386-linux-gnu/
>> libX11-xcb.so.1.0.0
>> f773f000-f774e000 r-xp 00000000 fc:00 3803606  /usr/lib/i386-linux-gnu/
>> libglapi.so.0.0.0
>> f774e000-f7750000 r--p 0000f000 fc:00 3803606  /usr/lib/i386-linux-gnu/
>> libglapi.so.0.0.0
>> f7750000-f7755000 rwxp 00011000 fc:00 3803606  /usr/lib/i386-linux-gnu/
>> libglapi.so.0.0.0
>> f7755000-f7757000 rw-p 00000000 00:00 0
>> f7757000-f7758000 r-xp 00000000 00:00 0  [vdso]
>> f7758000-f7778000 r-xp 00000000 fc:00 2989754  /lib/i386-linux-gnu/
>> ld-2.15.so
>> f7778000-f7779000 r--p 0001f000 fc:00 2989754  /lib/i386-linux-gnu/
>> ld-2.15.so
>> f7779000-f777a000 rw-p 00020000 fc:00 2989754  /lib/i386-linux-gnu/
>> ld-2.15.so
>> ffe2a000-ffe4c000 rw-p 00000000 00:00 0  [stack]
>> ./pharo-ui: line 11: 31488 Aborted                 (core dumped)
>> "$DIR"/"pharo-vm/pharo" "$@"
>> jv at sao:~/Projects/Pharo/3.0/dsdsadasdsadasdas/
>> DasDasDasdASdASdASDasDas/das/das/das/dasd/dasdasdastget4efdsfsd/
>> dasdasdasdasda/dadasdasdasdas/dasdasdadasdasdadasdasdasdasda
>> sdasdasdsadas/dadasdasdasdasrewgdfgbfdcghbcf
>> gdf/gdf/gdfgdfgdf/gdfg/df/gdf/gdf$
>>
>> Running it under GDB shows the following backtrace:
>>
>> Program received signal SIGABRT, Aborted.
>> 0xf7fdb430 in __kernel_vsyscall ()
>> (gdb) bt
>> #0  0xf7fdb430 in __kernel_vsyscall ()
>> #1  0xf7deb1df in raise () from /lib/i386-linux-gnu/libc.so.6
>> #2  0xf7dee825 in abort () from /lib/i386-linux-gnu/libc.so.6
>> #3  0xf7e2839a in ?? () from /lib/i386-linux-gnu/libc.so.6
>> #4  0xf7ec1ed5 in __fortify_fail () from /lib/i386-linux-gnu/libc.so.6
>> #5  0xf7ec0c8a in __chk_fail () from /lib/i386-linux-gnu/libc.so.6
>> #6  0xf7ec02e8 in ?? () from /lib/i386-linux-gnu/libc.so.6
>> #7  0xf7e30501 in _IO_default_xsputn () from /lib/i386-linux-gnu/libc.so.6
>> #8  0xf7e01e02 in vfprintf () from /lib/i386-linux-gnu/libc.so.6
>> #9  0xf7ec03b9 in __vsprintf_chk () from /lib/i386-linux-gnu/libc.so.6
>> #10 0xf7ec02cf in __sprintf_chk () from /lib/i386-linux-gnu/libc.so.6
>> #11 0x08098763 in tryLoading ()
>> #12 0x08098a72 in ioLoadModule ()
>> #13 0x0809a393 in queryLoadModule ()
>> #14 0x0809a47f in queryModule ()
>> #15 0x0805b519 in main ()
>>
>> Good that you compile with -fstack-protector :-)
>>
>> Best, Jan
>>
>>
>>
>
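Added example, not code from the Cog/Pharo VM and not written by anyone in this thread: the C pattern behind a report like the one above, with the unchecked form beside the hardened one. The `__sprintf_chk` / `__chk_fail` / `__fortify_fail` frames in the backtrace are glibc's _FORTIFY_SOURCE checks, which abort when a `sprintf` into a fixed-size buffer would overrun it; that is what turned a silent stack overwrite into "*** buffer overflow detected ***". The 256-byte buffer, the `.so` suffix and all function names are assumptions made for this example; the only value taken from the report is the 248-byte directory length.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed for the example: a fixed module-path buffer of the kind a
 * plugin loader keeps on the stack, and a module file suffix. */
#define PATH_BUF_SIZE 256
#define MODULE_SUFFIX ".so"

/* The unchecked pattern: sprintf never learns how large buf is.  Under
 * _FORTIFY_SOURCE the compiler emits __sprintf_chk instead, which aborts
 * when the formatted string would not fit (the abort in the report).
 * Kept only to show the pattern; nothing below calls it. */
void build_module_path_unchecked(char *buf, const char *dir, const char *name)
{
    sprintf(buf, "%s/%s%s", dir, name, MODULE_SUFFIX);
}

/* Hardened form: bound the write and treat truncation as an error.
 * snprintf returns the length the full string would have had, so a
 * result >= size means it did not fit.  Returns true on success; on
 * failure the buffer is left empty so a caller cannot use a truncated
 * path by accident. */
bool build_module_path_checked(char *buf, size_t size,
                               const char *dir, const char *name)
{
    int n = snprintf(buf, size, "%s/%s%s", dir, name, MODULE_SUFFIX);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            buf[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed input: a directory path of exactly `want` bytes built from
 * short "/ddd"-style components, shaped like the reporter's path.
 * `out` must have room for want + 1 bytes. */
void make_nested_dir(char *out, size_t want)
{
    for (size_t i = 0; i < want; i++)
        out[i] = (i % 4 == 0) ? '/' : 'd';
    out[want] = '\0';
}

/* Reproduces the shape of the report: a 248-byte directory plus a
 * module name does not fit in a 256-byte buffer.  Returns 1 when the
 * checked builder rejects it (the safe outcome), 0 otherwise. */
int long_dir_is_rejected(void)
{
    char dir[512];
    char buf[PATH_BUF_SIZE];
    make_nested_dir(dir, 248);
    if (strlen(dir) != 248)
        return 0;
    if (build_module_path_checked(buf, sizeof buf, dir, "vm-display-X11"))
        return 0;
    return buf[0] == '\0' ? 1 : 0;
}

/* Control case: an ordinary directory formats as expected.  Returns 1
 * when the result is exactly "/opt/pharo-vm/vm-display-X11.so". */
int short_dir_ok(void)
{
    char buf[PATH_BUF_SIZE];
    if (!build_module_path_checked(buf, sizeof buf, "/opt/pharo-vm", "vm-display-X11"))
        return 0;
    return strcmp(buf, "/opt/pharo-vm/vm-display-X11.so") == 0 ? 1 : 0;
}

int main(void)
{
    printf("short dir formats correctly: %s\n", short_dir_ok() ? "yes" : "no");
    printf("248-byte dir rejected:       %s\n", long_dir_is_rejected() ? "yes" : "no");
    return 0;
}
```

The fix is the `snprintf` return-value check: a loader should refuse to load from a path that did not fit rather than proceed with a truncated one, since a truncated path may still name a real file. The fortified check that caught this crash only exists when the code is built with `_FORTIFY_SOURCE` and optimisation enabled (for example `gcc -O2 -D_FORTIFY_SOURCE=2`); a build without it would have silently overwritten the stack instead of aborting.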