[Nagiosplug-devel] [ nagiosplug-Bugs-1999319 ] check_ntp_peer buffer overflow

SourceForge.net noreply at sourceforge.net
Fri Aug 29 06:12:59 CEST 2008


Bugs item #1999319, was opened at 2008-06-21 02:04
Message generated for change (Comment added) made by dermoth
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1999319&group_id=29880

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General plugin execution
Group: Release (specify)
>Status: Pending
Resolution: None
Priority: 5
Private: No
Submitted By: Christian Heim (g_phreak)
Assigned to: Thomas Guyot (dermoth)
Summary: check_ntp_peer buffer overflow

Initial Comment:
check_ntp_peer v1991 (nagios-plugins 1.4.12)

commandline: /usr/lib/nagios/plugins/check_ntp_peer -H ptbtime1.ptb.de -w 120 -c 240

OS: SLES10 SP2 (i586)
GCC: gcc-4.1.2_20070115-0.21
GLIBC: glibc-2.4-31.54

gdb backtrace:
(gdb) file /usr/lib/nagios/plugins/check_ntp_peer
Reading symbols from /usr/lib/nagios/plugins/check_ntp_peer...Reading symbols from /usr/lib/debug/usr/lib/nagios/plugins/check_ntp_peer.debug...done.
Using host libthread_db library "/lib/libthread_db.so.1".
done.
(gdb) set args -H ptbtime1.ptb.de -w 120 -c 240
(gdb) run
Starting program: /usr/lib/nagios/plugins/check_ntp_peer -H ptbtime1.ptb.de -w 120 -c 240
*** buffer overflow detected ***: /usr/lib/nagios/plugins/check_ntp_peer terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb7e89071]
/lib/libc.so.6(__read_chk+0x50)[0xb7e89510]
/usr/lib/nagios/plugins/check_ntp_peer[0x8049e9b]
/usr/lib/nagios/plugins/check_ntp_peer[0x804a95e]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb7dcc8ac]
/usr/lib/nagios/plugins/check_ntp_peer[0x8048e71]
======= Memory map: ========
08048000-0804f000 r-xp 00000000 08:02 346900     /usr/lib/nagios/plugins/check_ntp_peer
0804f000-08050000 rw-p 00006000 08:02 346900     /usr/lib/nagios/plugins/check_ntp_peer
08050000-08071000 rw-p 08050000 00:00 0          [heap]
b7d76000-b7d80000 r-xp 00000000 08:02 180638     /lib/libgcc_s.so.1
b7d80000-b7d81000 rw-p 00009000 08:02 180638     /lib/libgcc_s.so.1
b7d81000-b7db6000 r--s 00000000 08:02 383495     /var/run/nscd/dbMurBjs (deleted)
b7db6000-b7db7000 rw-p b7db6000 00:00 0
b7db7000-b7edc000 r-xp 00000000 08:02 180596     /lib/libc-2.4.so
b7edc000-b7ede000 r--p 00124000 08:02 180596     /lib/libc-2.4.so
b7ede000-b7ee0000 rw-p 00126000 08:02 180596     /lib/libc-2.4.so
b7ee0000-b7ee4000 rw-p b7ee0000 00:00 0
b7ee4000-b7ee6000 r-xp 00000000 08:02 180602     /lib/libdl-2.4.so
b7ee6000-b7ee8000 rw-p 00001000 08:02 180602     /lib/libdl-2.4.so
b7ee8000-b7f0b000 r-xp 00000000 08:02 180604     /lib/libm-2.4.so
b7f0b000-b7f0d000 rw-p 00022000 08:02 180604     /lib/libm-2.4.so
b7f0d000-b7f1c000 r-xp 00000000 08:02 180624     /lib/libresolv-2.4.so
b7f1c000-b7f1e000 rw-p 0000e000 08:02 180624     /lib/libresolv-2.4.so
b7f1e000-b7f20000 rw-p b7f1e000 00:00 0
b7f20000-b7f31000 r-xp 00000000 08:02 180607     /lib/libnsl-2.4.so
b7f31000-b7f33000 rw-p 00010000 08:02 180607     /lib/libnsl-2.4.so
b7f33000-b7f35000 rw-p b7f33000 00:00 0
b7f3e000-b7f3f000 rw-p b7f3e000 00:00 0
b7f3f000-b7f59000 r-xp 00000000 08:02 180589     /lib/ld-2.4.so
b7f59000-b7f5b000 rw-p 0001a000 08:02 180589     /lib/ld-2.4.so
bf962000-bf978000 rw-p bf962000 00:00 0          [stack]
ffffe000-fffff000 ---p 00000000 00:00 0          [vdso]

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7ddf8d0 in raise () from /lib/libc.so.6
#2  0xb7de0ff3 in abort () from /lib/libc.so.6
#3  0xb7e14f9b in __libc_message () from /lib/libc.so.6
#4  0xb7e89071 in __chk_fail () from /lib/libc.so.6
#5  0xb7e89510 in __read_chk () from /lib/libc.so.6
#6  0x08049e9b in ntp_request (host=0x8050130 "ptbtime1.ptb.de", offset=0xbf9745a0, offset_result=0xbf9745b4, jitter=0xbf974598, stratum=0xbf9745b0) at /usr/include/bits/unistd.h:34
#7  0x0804a95e in main (argc=7, argv=0xbf974664) at check_ntp_peer.c:572
#8  0xb7dcc8ac in __libc_start_main () from /lib/libc.so.6
#9  0x08048e71 in _start ()

Thanks a lot.

----------------------------------------------------------------------

>Comment By: Thomas Guyot (dermoth)
Date: 2008-08-29 00:12

Message:
Logged In: YES 
user_id=375623
Originator: NO

Although I did reproduce the bug once I couldn't a few weeks later
(library/compiler updates??). I couldn't either on a SLES test system
kindly provided for testing.

>From the backtrace, we're failing __read_chk (_FORTIFY_SOURCE for the
read() call) in ntp_request. There's a single read() in it and I
re-calculated everything by hand: the read data should no exceed allocated
memory for req.

This seems like a bug in the _FORTIFY_SOURCE checks. Marking as pending as
I'm unable to move forward.

----------------------------------------------------------------------

Comment By: tuxlife (tuxlife)
Date: 2008-08-05 04:09

Message:
Logged In: YES 
user_id=1404363
Originator: NO

http://fedoraproject.org/wiki/Security/Features#Compile_Time_Buffer_Checks_.28FORTIFY_SOURCE.29
:

CC compiler and GLIBC C library from Fedora Core 4 onwards has gained a
feature called "FORTIFY_SOURCE" that will detect and prevent a subset of
the buffer overflows before they can do damage. The idea behind
FORTIFY_SOURCE is relatively simple: there are cases where the compiler can
know the size of a buffer (if it's a fixed sized buffer on the stack, as in
the example, or if the buffer just came from a malloc() function call).
With a known buffer size, functions that operate on the buffer can make
sure the buffer will not overflow. FORTIFY_SOURCE in Fedora 8 has been
enhanced to cover C++ in addition to C, which prevents many security
exploits. 

References: 

http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

----------------------------------------------------------------------

Comment By: Thomas Guyot (dermoth)
Date: 2008-08-04 12:07

Message:
Logged In: YES 
user_id=375623
Originator: NO

Thanks for your feedback. I noticed this as well when the bug was reported
but I haven't had time to debug it yet.

I'm not sure that the number means, but it fails even with
-D_FORTIFY_SOURCE. Any more info on this flag would be nice...

----------------------------------------------------------------------

Comment By: tuxlife (tuxlife)
Date: 2008-08-04 10:53

Message:
Logged In: YES 
user_id=1404363
Originator: NO

I had the same problem with a self-RPM. 

The reason was following CFLAGS/CXXFLAGS/FFLAGS option:
-D_FORTIFY_SOURCE=2

Without this option does the plugin work.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=397597&aid=1999319&group_id=29880




More information about the Devel mailing list