strace bug report

Cheolung Lee chpie at grayhash.com
Sat Feb 28 04:18:40 UTC 2015


I am grateful for strace.
Yesterday I found a bug in strace; I guess this is a stack buffer
overflow.

So I am reporting it. Thank you.


Tested version: strace-4.9, strace-4.8
Environment: Ubuntu 14.04.1 LTS x86_64
Details:

Stack buffer overflow in startup_child() in strace.c

The input length check can be bypassed with a long string that contains no '/',
and the strcpy() in the PATH concatenation code then starts to
overwrite stack data.
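A bounded version of the PATH-concatenation step the report describes, as an added example that is not strace's own code: every candidate path is checked against the destination size whether or not the name contains a '/', so an overlong argument is rejected with ENAMETOOLONG instead of being copied. The names join_path, resolve_in_path and the fake_exists stand-in for stat() are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Build "dir/name" into dest[destsz]. The bound is checked BEFORE any byte is
 * written, in both the absolute-name and the PATH-entry case.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG if it would not fit. */
static int join_path(char *dest, size_t destsz, const char *dir, size_t dirlen,
                     const char *name)
{
    size_t namelen = strlen(name);
    size_t need_slash = (dirlen > 0 && dir[dirlen - 1] != '/') ? 1 : 0;

    if (dirlen + need_slash + namelen + 1 > destsz) {   /* +1 for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dest, dir, dirlen);
    if (need_slash)
        dest[dirlen++] = '/';
    memcpy(dest + dirlen, name, namelen + 1);   /* copies the NUL as well */
    return 0;
}

/* Resolve NAME the way a PATH lookup does: a name containing '/' is used as
 * given (still bounded); otherwise each colon-separated PATH entry is tried
 * with exists(candidate). An empty entry means the current directory, so the
 * candidate is just NAME. Returns 0 and fills dest on the first hit, else -1. */
static int resolve_in_path(char *dest, size_t destsz, const char *name,
                           const char *path, int (*exists)(const char *))
{
    if (strchr(name, '/')) {
        if (join_path(dest, destsz, "", 0, name) != 0)
            return -1;                       /* errno already ENAMETOOLONG */
        if (exists(dest))
            return 0;
        errno = ENOENT;
        return -1;
    }
    for (const char *p = path; p && *p; ) {
        const char *colon = strchr(p, ':');
        size_t n = colon ? (size_t)(colon - p) : strlen(p);
        /* An oversized candidate is skipped, never truncated or half-written. */
        if (join_path(dest, destsz, p, n, name) == 0 && exists(dest))
            return 0;
        p += colon ? n + 1 : n;
    }
    errno = ENOENT;
    return -1;
}

/* Constructed stand-in for stat(): only one path "exists" in this example. */
static int fake_exists(const char *candidate)
{
    return strcmp(candidate, "/usr/bin/ls") == 0;
}
```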

-------------- TEST PAYLOAD

abc@ubuntu:~/strace-4.9$ ./strace `perl -e 'print "a"x5042'`
Segmentation fault

-------------- BELOW is GDB output

(gdb) r `perl -e 'print "a"x5042'`

Starting program: /home/abc/strace-4.9/strace `perl -e 'print "a"x5042'`



Program received signal SIGSEGV, Segmentation fault.

__GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59
"LANGUAGE") at getenv.c:85
85      getenv.c: No such file or directory.

(gdb) bt

#0  __GI_getenv (name=0x7fe3b8107b5b "NGUAGE", name@entry=0x7fe3b8107b59
"LANGUAGE") at getenv.c:85
#1  0x00007fe3b7fbc681 in guess_category_value (categoryname=0x7fe3b80f16b3
<_nl_category_names+51> "LC_MESSAGES", category=5)
    at dcigettext.c:1372
#2  __dcigettext (domainname=0x7fe3b8107a99 <_libc_intl_domainname> "libc",
msgid1=0x7fe3b81081ac "File name too long",
    msgid2=msgid2@entry=0x0, plural=plural@entry=0, n=n@entry=0,
category=category@entry=5) at dcigettext.c:573
#3  0x00007fe3b7fbb5df in __GI___dcgettext (domainname=<optimized out>,
msgid=<optimized out>, category=category@entry=5)
    at dcgettext.c:52
#4  0x00007fe3b801398e in __GI___strerror_r (errnum=errnum@entry=36,
buf=buf@entry=0x0, buflen=buflen@entry=0) at _strerror.c:71
#5  0x00007fe3b80138cf in strerror (errnum=errnum@entry=36) at strerror.c:32
#6  0x000000000041230f in verror_msg (err_no=36, fmt=fmt@entry=0x4273da
"Can't stat '%s'", p=p@entry=0x7fff6b28dbf8) at strace.c:277
#7  0x000000000041315a in perror_msg_and_die (fmt=fmt@entry=0x4273da "Can't
stat '%s'") at strace.c:323
#8  0x000000000041371e in startup_child (argv=0x7fff6b28f160) at
strace.c:1220
#9  0x6161616161616161 in ?? ()
#10 0x6161616161616161 in ?? ()
#11 0x6161616161616161 in ?? ()
#12 0x6161616161616161 in ?? ()
#13 0x6161616161616161 in ?? ()