This is the mail archive of the
gdb-patches@sourceware.org
mailing list for the GDB project.
[patch] Fix GCORE command stack buffer overflow
- From: Jan Kratochvil <jan dot kratochvil at redhat dot com>
- To: gdb-patches at sourceware dot org
- Date: Wed, 6 Jun 2007 20:57:20 +0200
- Subject: [patch] Fix GCORE command stack buffer overflow
Hi,
there is a stack buffer overflow in the gcore command:
Exploit code (crash this way, it is arbitrary code execution category):
echo 'int main (void) { return 0; }' >/tmp/x235753.c;gcc -o /tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 /tmp/x235753.c -ggdb3;echo -e 'start\ngcore /dev/null' >/tmp/x235753.cmd;gdb -nx --command=/tmp/x235753.cmd --args /tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
According to the evaluations the bug poses no security risks.
Bug was discovered by enabling the GCC option _FORTIFY_SOURCE=2 for GDB.
Regards,
Jan
------------------------------------------------------------------------------
Bug has been evaluated as non-exploitable.
The code appends " " to an out of boundaries memory:
(gdb) p (char *)psargs
$10 = 0x7fffa0bf31d0 "/home/jkratoch/redhat/sources/gdb/0123456789012345678901234567890123456789012345bz235753 "
the string "bz235753 " is already a part of another variable - `fname':
(gdb) p fname
$11 = "bz235753 \000\000\000\000\000\000"
as it calls strncat() in with unbounded (overflown) `size_t n':
strncat (s1=0x7fffa0bf31d0 "/home/jkratoch/redhat/sources/gdb/0123456789012345678901234567890123456789012345bz235753", s2=0x6b8bd7 " ", n=18446744073709551608) at strncat.c:34
it is safe as afterwards the code
strncat (psargs, get_inferior_args (), sizeof (psargs) - strlen (psargs));
appends the value of get_inferior_args () which is always empty ("") for any
untrusted data.
get_inferior_args () may return non-empty result only for:
* The commandline `--args' parameter (set_inferior_args_vector ()).
* The `run' command arguments (set_inferior_args ()).
* The `start' command arguments (set_inferior_args ()).
* The `set args' command arguments (notice_args_set ()).
(The `attach' command is safe, it does not retrieve the inferior's arguments.)
All these values are trusted as they can come only from the same/superior UID
source spawning the "gdb" command or feeding its interactive input.
Exploit code (crash this way, it is arbitrary code execution category):
echo 'int main (void) { return 0; }' >/tmp/x235753.c;gcc -o /tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 /tmp/x235753.c -ggdb3;echo -e 'start\ngcore /dev/null' >/tmp/x235753.cmd;gdb -nx --command=/tmp/x235753.cmd --args /tmp/01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789 01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
Still it is dangerous for untrusted control of GDB commandline/commands.
On the other hand such level of control may exploit the machine directly by
appropriate commands, without any special stack corrupton.
2007-06-06 Jan Kratochvil <jan.kratochvil@redhat.com>
* linux-nat.c (linux_nat_make_corefile_notes): Fixed a buffer overflow.
2007-06-06 Jan Kratochvil <jan.kratochvil@redhat.com>
* gdb.base/gcore-buffer-overflow.c, gdb.base/gcore-buffer-overflow.exp:
New files.
--- ./gdb/linux-nat.c 10 May 2007 21:36:00 -0000 1.61
+++ ./gdb/linux-nat.c 6 Jun 2007 18:48:47 -0000
@@ -2691,7 +2691,9 @@ linux_nat_make_corefile_notes (bfd *obfd
{
struct linux_nat_corefile_thread_data thread_args;
struct cleanup *old_chain;
+ /* The variable size must be >= sizeof (prpsinfo_t.pr_fname). */
char fname[16] = { '\0' };
+ /* The variable size must be >= sizeof (prpsinfo_t.pr_psargs). */
char psargs[80] = { '\0' };
char *note_data = NULL;
ptid_t current_ptid = inferior_ptid;
@@ -2704,9 +2706,18 @@ linux_nat_make_corefile_notes (bfd *obfd
strncpy (psargs, get_exec_file (0), sizeof (psargs));
if (get_inferior_args ())
{
- strncat (psargs, " ", sizeof (psargs) - strlen (psargs));
- strncat (psargs, get_inferior_args (),
- sizeof (psargs) - strlen (psargs));
+ char *string_end;
+ char *psargs_end = psargs + sizeof (psargs);
+
+ /* linux_elfcore_write_prpsinfo () handles zero unterminated
+ strings fine. */
+ string_end = memchr (psargs, 0, sizeof (psargs));
+ if (string_end != NULL)
+ {
+ *string_end++ = ' ';
+ strncpy (string_end, get_inferior_args (),
+ psargs_end - string_end);
+ }
}
note_data = (char *) elfcore_write_prpsinfo (obfd,
note_data,
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ./gdb/testsuite/gdb.base/gcore-buffer-overflow.c 6 Jun 2007 18:48:47 -0000
@@ -0,0 +1,27 @@
+/* Copyright 2007 Free Software Foundation, Inc.
+
+ This file is part of GDB.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330,
+ Boston, MA 02111-1307, USA. */
+
+/*
+ * Test GDB's internal buffers safety for the GCORE command.
+ */
+
+int main (void)
+{
+ return 0;
+}
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ./gdb/testsuite/gdb.base/gcore-buffer-overflow.exp 6 Jun 2007 18:48:47 -0000
@@ -0,0 +1,70 @@
+# Copyright 2007 Free Software Foundation, Inc.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Please email any bugs, comments, and/or additions to this file to:
+# bug-gdb@prep.ai.mit.edu
+
+# Test GDB's internal buffers safety for the GCORE command.
+
+if $tracelevel then {
+ strace $tracelevel
+}
+
+set prms_id 0
+set bug_id 0
+
+set testfile "gcore-buffer-overflow"
+set srcfile ${testfile}.c
+# The ${binfile} basename needs to exceed 80 characters (`sizeof (psargs)')
+# plus some additional data to overwrite the stack frame.
+set pattern 01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
+set binfile ${objdir}/${subdir}/${testfile}-${pattern}
+
+if { [gdb_compile "${srcdir}/${subdir}/${srcfile}" "${binfile}" executable {debug}] != "" } {
+ untested gcore.exp
+ return -1
+}
+
+# Start with a fresh gdb.
+
+gdb_exit
+gdb_start
+gdb_reinitialize_dir $srcdir/$subdir
+gdb_load ${binfile}
+
+gdb_test "set args ${pattern}" \
+ "" \
+ "Set buffer exceeding arguments"
+
+if { ! [ runto_main ] } then {
+ untested gcore-buffer-overflow.exp
+ return -1
+}
+
+set escapedfilename [string_to_regexp ${objdir}/${subdir}/gcore-buffer-overflow.test]
+
+set test "save a corefile"
+gdb_test_multiple "gcore ${objdir}/${subdir}/gcore-buffer-overflow.test" $test {
+ -re "Saved corefile ${escapedfilename}\[\r\n\]+$gdb_prompt $" {
+ pass $test
+ }
+ -re "Can't create a corefile\[\r\n\]+$gdb_prompt $" {
+ unsupported $test
+ }
+ eof {
+ fail $test
+ }
+}