[PATCH] fix strace -s N handling

Dmitry V. Levin ldv at altlinux.org
Tue Nov 11 00:13:40 UTC 2008


On Thu, Nov 06, 2008 at 02:41:31PM +0100, Denys Vlasenko wrote:
> On Thu, 2008-11-06 at 14:24 +0300, Dmitry V. Levin wrote:
> > On Wed, Nov 05, 2008 at 07:18:45PM +0100, Denys Vlasenko wrote:
> > > On Wed, 2008-11-05 at 15:16 +0100, Denys Vlasenko wrote:
> > > > Before this patch, -s N shows N+1 chars in strings.
> > > > More annoyingly, it shows this for shorter strings:
> > > > 
> > > > write(1, "hi\n"..., 3) = 3
> > > > 
> > > > After patch:
> > > > 
> > > > write(1, "hi\n", 3) = 3
> > > > 
> > > > Patch author is Jeff Bastian jbastian at redhat.com
> > > > 
> > > > Patch is below. Please apply.
> > > 
> > > It appears that the bug this patch fixes causes buffer overruns
> > > and corrupts memory since we malloc just enough space for N chars
> > > + NUL but then try to stuff N+1 chars + NUL there.
> > > 
> > > See https://bugzilla.redhat.com/show_bug.cgi?id=466877
> > 
> > This bug is not available for public access.
> 
> Hmmm yes, whoever created it was probably feeling too paranoid...
> 
> But the bug itself is not secret at all, it's just "strace -Tdf firefox"
> crashing...

Whoever created this bug report is correct: if strace can be crashed by an
application, then this issue could be considered security sensitive.

> This is what I wrote in that bug's comment:
> 
> ===========================
> Non-deterministic, happens in about half of runs.
> 
> strace -f firefox seems to be enough. Adding -T and -d might make it
> happen more frequently, I didn't perform statistical analysis. :)
> 
> Vanilla (built from source tarball locally) strace-4.5.17 exhibits it
> too, although it does not print glibc malloc debug assertion, it just
> segfaults. Understandable, since it seems to be a case of memory
> corruption.
> ============================

Indeed, unpatched printstr() may write up to 4 bytes beyond the heap
buffer bounds, which may lead to memory corruption etc.

There is a simple reproducer:
$ strace -o /dev/null -qxxf sh -c 'for i in `seq 0 1`; do echo -n 123456789012345678901234567890123456789012345678901234567890123456789012345678901;ls /;done' >/dev/null
Segmentation fault

That is, an application may perform a specially crafted sequence of syscalls
which will result in predictable mallocs, frees and invalid writes in the
strace process and cause a controllable strace crash or maybe even more
interesting things.

I committed the fix.


-- 
ldv
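As an added illustration (not strace's own printstr() and not part of the thread), the following hypothetical format_str()/put()/fmt_static() functions model the corrected -s N behaviour described above: at most N source characters are emitted (not N+1), "..." is appended only when the string really was cut, and every write is bounds-checked so an escaped character can never run past the output buffer. The escaping rules are a simplification assumed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append n bytes at *p only if they fit before end (end already excludes the NUL). */
static int put(char **p, const char *end, const char *s, size_t n)
{
    if ((size_t)(end - *p) < n)
        return 0;                          /* refuse instead of overrunning */
    memcpy(*p, s, n);
    *p += n;
    return 1;
}

/* Model of the fixed -s N handling: copy at most max_strlen chars, escaped and
 * quoted, with "..." only when the string was truncated.  Returns bytes written
 * (without the NUL) or -1 if out is too small; never writes past out[outsz - 1].
 * Illustrative code written for this note, not strace's implementation. */
int format_str(const char *src, size_t len, size_t max_strlen, char *out, size_t outsz)
{
    if (outsz == 0)
        return -1;
    char *p = out, *end = out + outsz - 1; /* reserve one byte for the NUL */
    size_t n = len < max_strlen ? len : max_strlen;
    if (!put(&p, end, "\"", 1))
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        char esc[5];
        size_t elen;
        if (c == '\n')                  { memcpy(esc, "\\n", 2); elen = 2; }
        else if (c == '\t')             { memcpy(esc, "\\t", 2); elen = 2; }
        else if (c == '"' || c == '\\') { esc[0] = '\\'; esc[1] = (char)c; elen = 2; }
        else if (c >= 0x20 && c < 0x7f) { esc[0] = (char)c; elen = 1; }
        else elen = (size_t)snprintf(esc, sizeof esc, "\\%03o", c); /* 4 bytes */
        if (!put(&p, end, esc, elen))
            return -1;
    }
    if (!put(&p, end, "\"", 1) || (len > max_strlen && !put(&p, end, "...", 3)))
        return -1;
    *p = '\0';
    return (int)(p - out);
}

/* Convenience wrapper returning the formatted text, or NULL if it did not fit. */
const char *fmt_static(const char *src, size_t len, size_t max_strlen)
{
    static char buf[256];
    return format_str(src, len, max_strlen, buf, sizeof buf) < 0 ? NULL : buf;
}
```

With the default limit of 32, fmt_static("hi\n", 3, 32) yields "hi\n" with no spurious "...", matching the post-patch output quoted in the thread.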