After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 396477 - CVE-2007-0235: stack overflow in sysdeps/linux/procmap.c: glibtop_get_proc_map_s()
CVE-2007-0235: stack overflow in sysdeps/linux/procmap.c: glibtop_get_proc_ma...
Product: libgtop
Classification: Core
Component: linux
Other Linux
: Urgent major
: ---
Assigned To: libgtop maintainers
libgtop maintainers
Depends on:
Reported: 2007-01-14 15:25 UTC by Michael Bienia
Modified: 2007-01-25 10:28 UTC
See Also:
GNOME target: ---
GNOME version: ---

fix (2.40 KB, patch)
2007-01-14 17:41 UTC, Benoît Dejean
committed Details | Review

Description Michael Bienia 2007-01-14 15:25:38 UTC
Liu Qishuai reported a stack overflow in libgtop2 in Launchpad:

I could reproduce it on Ubuntu feisty on AMD64.
libgtop2 is 2.14.5-0ubuntu1.

Steps to reproduce:
 export dir=$(perl -e " print 's/'x1000;")
 mkdir -p $dir
 cp /bin/sleep $dir
 $dir/sleep 100 &

gnome-system-monitor aborts with
*** stack smashing detected ***: gnome-system-monitor terminated

A backtrace leads to
(gdb) frame 4
  • #4 glibtop_get_proc_map_s
    at procmap.c line 229

I've started to look for the problem:

The problematic code is in sysdeps/linux/procmap.c: glibtop_get_proc_map_s()

155 char line[1024];
164 char filename [GLIBTOP_MAP_FILENAME_LEN+1];
166 glibtop_map_entry *entry;
168 if (!fgets(line, sizeof line, maps))
169 break;
171 /* 8 arguments */
172 rv = sscanf(line, PROC_MAPS_FORMAT,
173 &start, &end, flags, &offset,
174 &dev_major, &dev_minor, &inode, filename);

GLIBTOP_MAP_FILENAME_LEN is 215 (include/glibtop/procmap.h)
PROC_MAPS_FORMAT is defined as "%16llx-%16llx %4c %16llx %02hx:%02hx %llu%*[ ]%[^\n]\n"

maps is /proc/<pid>/smaps and the first line looks in this case like
00400000-00404000 r-xp 00000000 08:07 1849138 /home/michael/tmp/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/[...]

After the sscanf 'filename' contains the filename which is much longer than the char array and overflows into the stack.
Comment 1 Benoît Dejean 2007-01-14 17:41:08 UTC
Created attachment 80254 [details] [review]

very good catch. Two things that makes the overflow possible :
- long lines fool fgets -> switched to Glib getline
- inappropriate use of sscanf
Comment 2 Benoît Dejean 2007-01-14 20:43:22 UTC
I've just released 2.14.6.
Big thanks for this bugreport.