
List:       bacula-bugs
Subject:    [Bacula-bugs] [bacula 0001042]: bacula-fd crashes after execution
From:       bacula-bugs () lists ! sourceforge ! net
Date:       2008-01-30 15:18:27
Message-ID: f018bdb11acc61ec19f91ad18665ddfa () bugs ! bacula ! org


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.bacula.org/view.php?id=1042 
====================================================================== 
Reported By:                anicka
Assigned To:                
====================================================================== 
Project:                    bacula
Issue ID:                   1042
Category:                   File Daemon
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     feedback
====================================================================== 
Date Submitted:             01-22-2008 20:24 UTC
Last Modified:              01-30-2008 15:18 UTC
====================================================================== 
Summary:                    bacula-fd crashes after execution when compiled with FORTIFY_SOURCE
Description: 
Bacula-fd compiled with FORTIFY_SOURCE crashes immediately after execution
with buffer overflow detected.

Crash happens in parse_conf.c on line 205:
memset(&res_all, 0, res_all_size);

It happens because res_all has different types in parse_conf.c and
filed.c. Because res_all is smaller in parse_conf.c, an overflow is
detected.

I have fixed this particular problem with attached patch. Unfortunately,
it does not really fix the bug - declaring a variable with two different
types is illegal and should be avoided.

====================================================================== 

---------------------------------------------------------------------- 
 kern - 01-23-08 17:03  
---------------------------------------------------------------------- 
The code generated by FORTIFY_SOURCE is simply wrong. There is no buffer
overflow because I am explicitly passing (in a global) the correct size of
the buffer, and I am treating it as a byte array, all of which is valid.

Unfortunately your patch hides the fact that URES has different
definitions in different daemons and adds an extra level of complication (a
new subroutine that actually does what the current code does), and as you
say yourself "it doesn't really fix the bug" so, sorry, but I have not
applied it.

I don't see any reason for the CURES definition in parse_config to have a
different name from in the other daemons (URES), so I have fixed that.
Thanks for pointing it out. 

The solution to your crash is not to compile in code (FORTIFY_SOURCE) that
detects non-existent buffer overflows and crashes ...

At some time in the near future libbac will become a shared object, so I
will clean up the use of external global references, and perhaps then
FORTIFY_SOURCE will work.


---------------------------------------------------------------------- 
 kern - 01-30-08 13:05  
---------------------------------------------------------------------- 
Could you apply the 2.2.8-fortify.patch that I have attached to this bug
report and let us know if it fixes the crash you reported? 

---------------------------------------------------------------------- 
 anicka - 01-30-08 15:18  
---------------------------------------------------------------------- 
Unfortunately, FORTIFY_SOURCE cannot be fooled that easily. (I have also
tried things like that before I wrote the longer patch.)

Anyway, the real fix should avoid declaring res_all with different types
completely (it is forbidden) and use a pointer for passing it instead. (But
it would be a lot of work.)

This is the result of applying your patch against 2.2.8 and running
bacula-fd:

*** buffer overflow detected ***: /usr/sbin/bacula-fd terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail-0x71d14)[0x80006ff63c]
/lib64/libc.so.6(__chk_fail-0x73b90)[0x80006fd310]
/lib64/libc.so.6(__memset_chk-0x74db8)[0x80006fbf50]
/usr/sbin/bacula-fd[0x1003dd70]
/usr/sbin/bacula-fd[0x10007b54]
/lib64/libc.so.6[0x80006268a4]
/lib64/libc.so.6(__libc_start_main-0x13e24c)[0x8000626aa4]
======= Memory map: ========
... 
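The mechanism behind the report and the two notes above, as an added illustration that is not Bacula's code: FORTIFY_SOURCE replaces memset() with __memset_chk(), which compares the run-time length against the object size the compiler derives from the destination's declared type at the call site (__builtin_object_size). If one translation unit declares res_all with a smaller type than the one the daemon allocates, the call site's declared size is the small one and the check fires even though the bytes exist. The struct/union layouts, the names `small_view`, `daemon_view`, `res_all_fixed` and `CHECKED_MEMSET`, and the sizes 32 and 256 are constructed for this example; the checking wrapper mirrors __memset_chk but returns -1 where glibc would call __chk_fail() and abort, so the outcome can be inspected.

```c
#include <stddef.h>
#include <string.h>

/*
 * Constructed stand-ins for the two views of res_all in the report: a
 * small record as parse_conf.c's translation unit might declare it, and
 * the larger union the daemon (filed.c) actually allocates. Neither is
 * Bacula's real URES layout; the sizes are chosen for clarity.
 */
struct small_view { char name[32]; };          /* 32 bytes  */
union  daemon_view {                           /* 256 bytes */
    struct small_view hdr;
    char   director[128];
    char   client[256];
};

/* What the parsing TU sees: a 32-byte object ...                      */
static struct small_view res_all;
/* ... while the length it is told to clear comes from the daemon's TU. */
static size_t res_all_size = sizeof(union daemon_view);

/* The corrected layout: one definition, one type, size taken from it.  */
static union daemon_view res_all_fixed;

/*
 * Stand-in for glibc's __memset_chk: the compile-time object size of the
 * destination is compared with the run-time length. The real check calls
 * __chk_fail() ("*** buffer overflow detected ***"); this one returns -1.
 */
static int checked_memset(void *dst, int c, size_t n, size_t declared)
{
    if (n > declared)
        return -1;               /* FORTIFY would abort the process here */
    memset(dst, c, n);
    return 0;
}
#define CHECKED_MEMSET(dst, c, n) \
    checked_memset((dst), (c), (n), __builtin_object_size((dst), 0))

/* Size of res_all as the compiler sees it at the memset call site.     */
size_t declared_size_of_res_all(void)
{
    return __builtin_object_size(&res_all, 0);   /* 32: the small type */
}

/* The pattern from parse_conf.c line 205: memset(&res_all, 0, res_all_size). */
int clear_res_all_as_reported(void)
{
    return CHECKED_MEMSET(&res_all, 0, res_all_size);   /* -1: 256 > 32 */
}

/* The same operation once res_all has a single, consistent definition.  */
int clear_res_all_fixed(void)
{
    return CHECKED_MEMSET(&res_all_fixed, 0, sizeof res_all_fixed);   /* 0 */
}

/*
 * Through an opaque pointer the compiler knows no object size at all:
 * __builtin_object_size yields (size_t)-1, so the check can no longer
 * tell a correct length from a wrong one. The protection is only as good
 * as the declared type at the call site, which is why the reporter asks
 * for one definition rather than a workaround.
 */
__attribute__((noinline)) size_t size_seen_through_pointer(void *p)
{
    return __builtin_object_size(p, 0);          /* (size_t)-1: unknown */
}
```

The check in glibc is inserted at compile time, so the decisive value is what `__builtin_object_size` folds to for `&res_all` in the translation unit containing the memset; a declaration in another file cannot change it. That is also why the backtrace above shows `__memset_chk` rather than a fault inside memset itself.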

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
01-22-08 20:24  anicka         New Issue                                    
01-22-08 20:24  anicka         File Added: bacula-2.2.7-fortify.diff            
01-23-08 17:03  kern           Note Added: 0003085                          
01-23-08 17:03  kern           Status                   new => closed       
01-23-08 17:03  kern           Resolution               open => not a bug   
01-30-08 13:04  kern           File Added: 2.2.8-fortify.patch                  
01-30-08 13:05  kern           Note Added: 0003123                          
01-30-08 13:05  kern           Status                   closed => feedback  
01-30-08 13:05  kern           Resolution               not a bug => reopened
01-30-08 15:18  anicka         Note Added: 0003124                          
======================================================================

