Sometimes life throws little curves at you to see if you are still awake; today has been one of those days.
fglrx is (apparently) fixed
I’ve had a long-running problem with fglrx on my laptop. The problem stems from ATI’s closed-source driver on one of those laptops that has both an ATI and an Intel graphics chip. It means I am basically using the slow Intel chip only. This morning I had enough, backed up my home directory and started to rebuild the laptop with Debian 6.0.3.
So I kicked off the very, very slow process of reformatting the crypto drive (it has taken 5 hours and is still going), let it gurgle on its merry way and started to read my email. One of the emails said that my bug about fglrx not working is closed; apparently it is fixed. If I had read that 10 minutes earlier, a simple ‘apt-get install fglrx-driver‘ would perhaps have fixed it; oh well.
My problem now is: do I move to the latest driver and hope their fix is my fix, or leave it with some ancient version? My preference is the former; I only hope it works!
psmisc 22.15 and buffer overflows
psmisc has a program called pstree which prints the set of processes in a tree fashion. It hasn’t changed much for quite a while. I released version 22.15 and the Debian package 22.15-1. In 22.15-1 I also adopted the hardening CFLAGS, as suggested for procps.
I was a little surprised to receive an important bug. The report said I had introduced a buffer overflow in 22.15-1, but no relevant code had changed. The compiler options had done their job and stopped a buffer from being overflowed.
But where exactly was the overflow? Running gdb on pstree quickly showed that it was line 267 of pstree.c which uses strcpy(). That function set off warning bells. The relevant code is:
    PROC *new;

    if (!(new = malloc(sizeof(PROC)))) {
        perror("malloc");
        exit(1);
    }
    strcpy(new->comm, comm);
Now comm is the short command name you find in /proc//stat. It is fixed in the kernel at 16 characters. The PROC structure has this field as 17 characters long, one extra for the NUL. I went and checked the Linux source and yes, it is still 16 characters long. The clue was in the name of the program that it died on.
#6 new_proc (comm=0x6111b0 "{console-kit-dae}", pid=1571, uid=0) at pstree.c:267
That string is 17 characters long. The problem is that the 16-character limit is for the name only. If the name is in brackets or braces, then that 16 character limit doesn’t apply. The buffer overflow bug has been there for a long time, but only with the compiler flags did it become visible.
Given that you need to read names out of the /proc filesystem, and if someone can fiddle with that you have bigger problems, it doesn’t seem to be too much of an issue. It should be fixed (and is, in Debian 22.15-2), but it is a nice example of the compiler catching bad things.
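As an added illustration (not pstree’s own code), here is the same PROC layout from the post with the strcpy() at pstree.c:267 replaced by a bounded copy that always NUL-terminates and reports truncation, plus a small hypothetical helper that pulls the comm field out of a constructed /proc/<pid>/stat line. The 17-character "{console-kit-dae}" name from the gdb frame is the case that overflowed the 17-byte buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the post: the kernel comm is 16 characters and the struct keeps
 * one extra byte for the NUL. Constructed to illustrate, not pstree's code. */
#define COMM_LEN 16

typedef struct proc {
    char comm[COMM_LEN + 1];
    int pid;
} PROC;

/* Hypothetical helper: pull the comm field out of a /proc/<pid>/stat line.
 * The field sits between the first '(' and the LAST ')', because the name
 * itself may contain ')' or spaces. Returns NULL on malformed input;
 * the caller frees the result. */
static char *stat_comm(const char *line)
{
    const char *open = strchr(line, '(');
    const char *close = strrchr(line, ')');
    if (!open || !close || close <= open)
        return NULL;
    size_t len = (size_t)(close - open - 1);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    memcpy(out, open + 1, len);
    out[len] = '\0';
    return out;
}

/* Safe replacement for the strcpy() in new_proc(): copies at most COMM_LEN
 * bytes, always NUL-terminates, and sets *truncated when the source was
 * longer than the buffer (the "{console-kit-dae}" case from the post). */
static PROC *new_proc(const char *comm, int pid, int *truncated)
{
    PROC *p = malloc(sizeof(PROC));
    if (!p) {
        perror("malloc");
        return NULL;
    }
    *truncated = strlen(comm) > COMM_LEN;
    /* snprintf writes at most sizeof(p->comm) - 1 characters plus the NUL */
    snprintf(p->comm, sizeof(p->comm), "%s", comm);
    p->pid = pid;
    return p;
}
```

With the original strcpy(), the 17-character name writes one byte past the end of comm; with the bounded copy the name is cut to 16 characters and the caller learns that it was.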