bug-gnustep

From: Gareth Armstrong
Subject: Re: [bug #23029] autogsdoc buffer overflow in gnustep-base 1.14.2 and 1.14.3 on Rhel 5
Date: Tue, 10 Jun 2008 12:41:17 +0200
User-agent: Thunderbird 2.0.0.14 (X11/20080501)

Hello Richard,

this mail never seems to have made it back to the list.  My apologies for the delay.

All the best,

Gareth

Gareth Armstrong wrote:
Hello Richard,

sorry for not getting back sooner.  Here is a stack trace of autogsdoc
(gnustep-base 1.14.3 with libffi 3.0.5) with gdb on a Fedora 8 x86_64
platform.  I will get back to you with the same for Rhel5 i386 and
x86_64 soon.  Hope this helps.  Many thanks for your time.

All the best,

Gareth

[gareth@localhost] ~/WORK/OCEK/gnustep
$ gdb autogsdoc
GNU gdb Red Hat Linux (6.6-45.fc8rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run
Starting program: /usr/bin/autogsdoc
[Thread debugging using libthread_db enabled]
[New Thread 46912503108672 (LWP 26312)]
*** buffer overflow detected ***: /usr/bin/autogsdoc terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x32)[0x39388ea362]
/lib64/libc.so.6[0x39388e8a90]
/lib64/libc.so.6[0x39388e90bb]
/usr/lib64/libgnustep-base.so.1.14[0x2aaaaacd96af]
/usr/lib64/libgnustep-base.so.1.14(GNUstepConfig+0x3c7)[0x2aaaaaca0217]
/usr/lib64/libgnustep-base.so.1.14[0x2aaaaac9c35b]
/usr/lib64/libgnustep-base.so.1.14(GSDefaultsRootForUser+0xc)[0x2aaaaaca040c]
/usr/lib64/libgnustep-base.so.1.14[0x2aaaaad004c5]
/usr/lib64/libgnustep-base.so.1.14[0x2aaaaad041db]
/usr/bin/autogsdoc(main+0x6d)[0x4018dd]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x393881e074]
/usr/bin/autogsdoc[0x4017a9]
======= Memory map: ========
00400000-0042f000 r-xp 00000000 fd:00 2260078 /usr/bin/autogsdoc
0062e000-0063f000 rw-p 0002e000 fd:00 2260078 /usr/bin/autogsdoc
0063f000-006ff000 rw-p 0063f000 00:00 0 [heap]
3048000000-3048018000 r-xp 00000000 fd:00 2274322 /usr/lib64/libobjc.so.1.0.0
3048018000-3048217000 ---p 00018000 fd:00 2274322 /usr/lib64/libobjc.so.1.0.0
3048217000-304821a000 rw-p 00017000 fd:00 2274322 /usr/lib64/libobjc.so.1.0.0
304821a000-304821c000 rw-p 304821a000 00:00 0
3584200000-3584336000 r-xp 00000000 fd:00 2291318 /usr/lib64/libxml2.so.2.6.32
3584336000-3584535000 ---p 00136000 fd:00 2291318 /usr/lib64/libxml2.so.2.6.32
3584535000-358453e000 rw-p 00135000 fd:00 2291318 /usr/lib64/libxml2.so.2.6.32
358453e000-3584540000 rw-p 358453e000 00:00 0
3937600000-393761b000 r-xp 00000000 fd:00 458596 /lib64/ld-2.7.so
393781a000-393781b000 r--p 0001a000 fd:00 458596 /lib64/ld-2.7.so
393781b000-393781c000 rw-p 0001b000 fd:00 458596 /lib64/ld-2.7.so
3938800000-393894d000 r-xp 00000000 fd:00 459998 /lib64/libc-2.7.so
393894d000-3938b4d000 ---p 0014d000 fd:00 459998 /lib64/libc-2.7.so
3938b4d000-3938b51000 r--p 0014d000 fd:00 459998 /lib64/libc-2.7.so
3938b51000-3938b52000 rw-p 00151000 fd:00 459998 /lib64/libc-2.7.so
3938b52000-3938b57000 rw-p 3938b52000 00:00 0
3938c00000-3938c82000 r-xp 00000000 fd:00 459999 /lib64/libm-2.7.so
3938c82000-3938e81000 ---p 00082000 fd:00 459999 /lib64/libm-2.7.so
3938e81000-3938e82000 r--p 00081000 fd:00 459999 /lib64/libm-2.7.so
3938e82000-3938e83000 rw-p 00082000 fd:00 459999 /lib64/libm-2.7.so
3939000000-3939002000 r-xp 00000000 fd:00 460000 /lib64/libdl-2.7.so
3939002000-3939202000 ---p 00002000 fd:00 460000 /lib64/libdl-2.7.so
3939202000-3939203000 r--p 00002000 fd:00 460000 /lib64/libdl-2.7.so
3939203000-3939204000 rw-p 00003000 fd:00 460000 /lib64/libdl-2.7.so
3939400000-3939416000 r-xp 00000000 fd:00 459576 /lib64/libpthread-2.7.so
3939416000-3939615000 ---p 00016000 fd:00 459576 /lib64/libpthread-2.7.so
3939615000-3939616000 r--p 00015000 fd:00 459576 /lib64/libpthread-2.7.so
3939616000-3939617000 rw-p 00016000 fd:00 459576 /lib64/libpthread-2.7.so
3939617000-393961b000 rw-p 3939617000 00:00 0
3939800000-3939814000 r-xp 00000000 fd:00 460004 /lib64/libz.so.1.2.3
3939814000-3939a13000 ---p 00014000 fd:00 460004 /lib64/libz.so.1.2.3
3939a13000-3939a14000 rw-p 00013000 fd:00 460004 /lib64/libz.so.1.2.3
393e800000-393e80d000 r-xp 00000000 fd:00 460007 /lib64/libgcc_s-4.1.2-20070925.so.1
393e80d000-393ea0d000 ---p 0000d000 fd:00 460007 /lib64/libgcc_s-4.1.2-20070925.so.1
393ea0d000-393ea0e000 rw-p 0000d000 fd:00 460007 /lib64/libgcc_s-4.1.2-20070925.so.1
3acf600000-3acf636000 r-xp 00000000 fd:00 2277944 /usr/lib64/libxslt.so.1.1.22
3acf636000-3acf835000 ---p 00036000 fd:00 2277944 /usr/lib64/libxslt.so.1.1.22
3acf835000-3acf837000 rw-p 00035000 fd:00 2277944 /usr/lib64/libxslt.so.1.1.22
3da0c00000-3da0c3f000 r-xp 00000000 fd:00 2286649 /usr/lib64/libgmp.so.3.4.2
3da0c3f000-3da0e3e000 ---p 0003f000 fd:00 2286649 /usr/lib64/libgmp.so.3.4.2
3da0e3e000-3da0e3f000 rw-p 0003e000 fd:00 2286649 /usr/lib64/libgmp.so.3.4.2
3db6c00000-3db6c07000 r-xp 00000000 fd:00 2290109 /usr/lib64/libffi.so.5.0.6
3db6c07000-3db6e06000 ---p 00007000 fd:00 2290109 /usr/lib64/libffi.so.5.0.6
3db6e06000-3db6e07000 rw-p 00006000 fd:00 2290109 /usr/lib64/libffi.so.5.0.6
2aaaaaaab000-2aaaaaaad000 rw-p 2aaaaaaab000 00:00 0
2aaaaaaad000-2aaaaae59000 r-xp 00000000 fd:00 2278865 /usr/lib64/libgnustep-base.so.1.14.3
2aaaaae59000-2aaaab058000 ---p 003ac000 fd:00 2278865 /usr/lib64/libgnustep-base.so.1.14.3
2aaaab058000-2aaaab11e000 rw-p 003ab000 fd:00 2278865 /usr/lib64/libgnustep-base.so.1.14.3
2aaaab11e000-2aaaab120000 rw-p 2aaaab11e000 00:00 0
2aaaab151000-2aaaab156000 rw-p 2aaaab151000 00:00 0
2aaaab156000-2aaaafbb0000 r--p 00000000 fd:00 2262156 /usr/lib/locale/locale-archive
2aaaafbb0000-2aaaafbb7000 r--s 00000000 fd:00 2357256 /usr/lib64/gconv/gconv-modules.cache
2aaaafbb7000-2a
Program received signal SIGABRT, Aborted.
[Switching to Thread 46912503108672 (LWP 26312)]
0x0000003938830ec5 in raise (sig=<value optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64        return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Current language:  auto; currently c
(gdb) bt
#0  0x0000003938830ec5 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003938832970 in abort () at abort.c:88
#2  0x000000393886b0db in __libc_message (do_abort=2, fmt=0x3938921ef0 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00000039388ea362 in __fortify_fail (msg=0x3938921ebf "buffer overflow detected") at fortify_fail.c:32
#4  0x00000039388e8a90 in __chk_fail () at chk_fail.c:29
#5  0x00000039388e90bb in __realpath_chk (buf=0x66c8 <Address 0x66c8 out of bounds>, resolved=0x66c8 <Address 0x66c8 out of bounds>, resolvedlen=6) at realpath_chk.c:30
#6  0x00002aaaaacd96af in -[NSString stringByResolvingSymlinksInPath] (self=0x6854a0, _cmd=<value optimized out>) at /usr/include/bits/stdlib.h:46
#7  0x00002aaaaaca0217 in GNUstepConfig (newConfig=0x0) at NSPathUtilities.m:637
#8  0x00002aaaaac9c35b in InitialisePathUtilities () at NSPathUtilities.m:784
#9  0x00002aaaaaca040c in GSDefaultsRootForUser (userName=0x66c8) at NSPathUtilities.m:1401
#10 0x00002aaaaad004c5 in -[NSUserDefaults initWithUser:] (self=0x6cb070, _cmd=0x66c8, userName=0x6) at NSUserDefaults.m:761
#11 0x00002aaaaad041db in +[NSUserDefaults standardUserDefaults] (self=0x2aaaab0ef4a0, _cmd=0x62f790) at NSUserDefaults.m:463
#12 0x00000000004018dd in main (argc=<value optimized out>, argv=<value optimized out>, env=<value optimized out>) at autogsdoc.m:724
(gdb)

Richard Frith-Macdonald wrote:
Update of bug #23029 (project gnustep):

                  Status:                    None => Need Info

    _______________________________________________________

Follow-up Comment #1:

I can't reproduce this buffer overrun under efence or valgrind (I don't have
a selinux system), but perhaps some specific setup on your system is causing
the problem.

Not having the same system as you, the stack addresses mean nothing...

Please could you examine a core dump of the process under gdb and obtain a
stack trace with symbolic information (function/method name and source code
line numbers) so that we can see where the problem is occurring.

-- 
-------------------------------------------------------------------------------
 Gareth ARMSTRONG
 HP OpenCall Software TESS HW/OS Team
 Email  : gareth.armstrong@hp.com
 Phone  : +33 (0)4.76.14.43.89
-------------------------------------------------------------------------------
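Editor's note on the trace above (added here; not part of the original thread). Frames #3 to #6 show that the abort is raised by glibc's _FORTIFY_SOURCE wrapper for realpath(): the call in -[NSString stringByResolvingSymlinksInPath] is compiled through the inline in /usr/include/bits/stdlib.h, which routes to __realpath_chk and calls __chk_fail when the compile-time size of the destination buffer is smaller than PATH_MAX. That is why efence and valgrind see nothing: the check fires on the declared buffer size, not on an actual out-of-bounds write. One caveat when reading frame #5: gdb flags buf and resolved as out of bounds, and the same value 0x66c8 reappears as userName in frame #9 and _cmd in frame #10, so these argument values (including resolvedlen=6) look like stale register contents under optimisation and should be confirmed against the NSPathUtilities.m source rather than taken at face value. The following added C example (my own illustration, not GNUstep code) shows the rule __realpath_chk enforces, applied at run time in a helper named resolve_into, alongside the allocating form realpath(path, NULL) that sidesteps the fixed-size buffer entirely; the helper names and the sample paths are mine.

```c
/* Added example, not GNUstep code: the check that glibc's fortified
 * realpath() wrapper (__realpath_chk, frame #5 above) performs, and two
 * ways of calling realpath() that never trip it. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* With -O2 -D_FORTIFY_SOURCE=2, realpath(path, buf) on a buffer whose
 * size the compiler can see as < PATH_MAX is replaced by __realpath_chk,
 * which calls __chk_fail ("*** buffer overflow detected ***") and aborts.
 * This helper applies the same rule at run time and returns an error
 * instead, so the caller can recover.  Returns 0 on success, -1 on
 * failure with errno set (ERANGE for an undersized buffer). */
int resolve_into(const char *path, char *resolved, size_t resolvedlen)
{
    if (resolved == NULL || resolvedlen < PATH_MAX) {
        errno = ERANGE;          /* cannot hold a maximum-length path */
        return -1;
    }
    if (realpath(path, resolved) == NULL)
        return -1;               /* errno already set by realpath() */
    return 0;
}

/* Safest form: realpath(path, NULL) makes glibc allocate a buffer of
 * the right size (POSIX.1-2008 behaviour).  The caller must free() it.
 * Returns NULL with errno set on failure. */
char *resolve_alloc(const char *path)
{
    return realpath(path, NULL);
}

int main(void)
{
    char tiny[16];               /* constructed: deliberately undersized */
    char big[PATH_MAX];          /* the size the fortify check expects */

    if (resolve_into("/", tiny, sizeof tiny) < 0)
        printf("undersized buffer rejected: %s\n", strerror(errno));

    if (resolve_into("/./", big, sizeof big) == 0)
        printf("resolved into fixed buffer: %s\n", big);

    char *p = resolve_alloc("/");
    if (p != NULL) {
        printf("resolved into allocated buffer: %s\n", p);
        free(p);
    }
    return 0;
}
```

Build with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall` to see the wrapper in play; because the example only ever hands realpath() a pointer whose size the compiler cannot see, the compile-time check is not triggered and the run-time check in resolve_into reports ERANGE instead. If a fixed buffer must be used, declare it as char buf[PATH_MAX]; otherwise prefer the allocating form.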

