GNOME Bugzilla – Bug 396477
CVE-2007-0235: stack overflow in sysdeps/linux/procmap.c: glibtop_get_proc_map_s()
Last modified: 2007-01-25 10:28:16 UTC
Liu Qishuai reported a stack overflow in libgtop2 in Launchpad: https://launchpad.net/bugs/79206

I could reproduce it on Ubuntu feisty on AMD64. libgtop2 is 2.14.5-0ubuntu1.

Steps to reproduce:

  export dir=$(perl -e " print 's/'x1000;")
  mkdir -p $dir
  cp /bin/sleep $dir
  $dir/sleep 100 &
  gnome-system-monitor

gnome-system-monitor aborts with

  *** stack smashing detected ***: gnome-system-monitor terminated
  Aborted

A backtrace leads to (gdb) frame 4
+ Trace 102063
I've started to look for the problem: the problematic code is in sysdeps/linux/procmap.c: glibtop_get_proc_map_s()

  char line[1024];
  [...]
  char filename [GLIBTOP_MAP_FILENAME_LEN+1];

  glibtop_map_entry *entry;

  if (!fgets(line, sizeof line, maps))
      break;

  /* 8 arguments */
  rv = sscanf(line, PROC_MAPS_FORMAT,
              &start, &end, flags, &offset,
              &dev_major, &dev_minor, &inode, filename);

GLIBTOP_MAP_FILENAME_LEN is 215 (include/glibtop/procmap.h)

PROC_MAPS_FORMAT is defined as "%16llx-%16llx %4c %16llx %02hx:%02hx %llu%*[ ]%[^\n]\n"

maps is /proc/<pid>/smaps and the first line looks in this case like

  00400000-00404000 r-xp 00000000 08:07 1849138 /home/michael/tmp/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/s/[...]

After the sscanf, 'filename' contains the filename, which is much longer than the char array and overflows into the stack.
Created attachment 80254 [details] [review]
fix

Very good catch. Two things make the overflow possible:
- long lines fool fgets -> switched to Glib getline
- inappropriate use of sscanf
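The unbounded "%[^\n]" conversion quoted in the analysis above is the write past the 216-byte stack array. As an added illustration, not libgtop's code and not the attached fix, the parser below keeps sscanf for the numeric fields but takes the path by hand from the offset that "%n" records, with an explicit length check, so an over-long path is truncated and flagged instead of overrunning the array. The constant name MAP_FILENAME_LEN, the struct, the function names and the sample lines are all our own; the limit 215 mirrors the GLIBTOP_MAP_FILENAME_LEN value quoted above, and the long path is constructed to resemble the reproduction recipe.

```c
#include <stdio.h>
#include <string.h>

/* Same limit the report quotes for GLIBTOP_MAP_FILENAME_LEN; the macro name
   is ours (assumption), not libgtop's header. */
#define MAP_FILENAME_LEN 215

/* Parsed fields of one /proc/<pid>/maps (or smaps header) line. */
typedef struct {
    unsigned long long start, end, offset, inode;
    unsigned short dev_major, dev_minor;
    char flags[5];                          /* "r-xp" plus NUL */
    char filename[MAP_FILENAME_LEN + 1];    /* always NUL-terminated */
    int truncated;                          /* 1 if the path did not fit */
} map_entry;

/* Bounded parser. Returns 0 on success, -1 if the fixed fields do not parse.
   The numeric fields are still read with sscanf; the path is copied manually
   from the position "%n" recorded, so its length is checked before the
   memcpy rather than trusted to an unbounded "%[^\n]". */
int parse_maps_line(const char *line, map_entry *e)
{
    int consumed = 0;
    memset(e, 0, sizeof *e);

    int rv = sscanf(line, "%llx-%llx %4c %llx %hx:%hx %llu%n",
                    &e->start, &e->end, e->flags, &e->offset,
                    &e->dev_major, &e->dev_minor, &e->inode, &consumed);
    if (rv != 7)            /* %n is not counted in the return value */
        return -1;
    e->flags[4] = '\0';

    /* The path, if any, follows the inode after spaces; anonymous mappings
       have none and leave filename empty. */
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t len = strcspn(p, "\n");
    if (len > MAP_FILENAME_LEN) {
        len = MAP_FILENAME_LEN;     /* cut, but never past the array */
        e->truncated = 1;
    }
    memcpy(e->filename, p, len);
    e->filename[len] = '\0';
    return 0;
}

/* Constructed test input: a maps line whose path is `depth` repetitions of
   "s/", in the spirit of the report's reproduction. Returns the line length
   or -1 if `cap` is too small. */
int build_long_maps_line(char *buf, size_t cap, int depth)
{
    const char *head = "00400000-00404000 r-xp 00000000 08:07 1849138 /home/user/tmp/";
    const char *tail = "sleep\n";
    size_t n = strlen(head);
    size_t need = n + (size_t)depth * 2 + strlen(tail) + 1;
    if (need > cap)
        return -1;
    memcpy(buf, head, n);
    for (int i = 0; i < depth; i++) {
        buf[n++] = 's';
        buf[n++] = '/';
    }
    memcpy(buf + n, tail, strlen(tail) + 1);
    return (int)(n + strlen(tail));
}

int main(void)
{
    char big[4096];
    map_entry e;

    if (build_long_maps_line(big, sizeof big, 1000) < 0)
        return 1;
    if (parse_maps_line(big, &e) != 0)
        return 1;
    printf("%llx-%llx %s inode=%llu truncated=%d path=%s\n",
           e.start, e.end, e.flags, e.inode, e.truncated, e.filename);
    return 0;
}
```

A width on the scanset ("%215[^\n]") would also bound the write, but it gives no truncation signal and leaves the remainder of the line unconsumed for the next conversion; recording the offset with "%n" and copying under an explicit check keeps that decision visible. The parser is independent of how the line was read: the 1024-byte fgets buffer in the quoted code splits longer lines into two reads, which is the separate problem the fix comment addresses by switching to a line reader that grows its buffer.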
I've just released 2.14.6. Big thanks for this bug report.