'Re: [rrd-developers] segfaulting bug in rrdtool/rrdcached'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       rrd-developers
Subject:    Re: [rrd-developers] segfaulting bug in rrdtool/rrdcached
From:       Tobias Oetiker <tobi () oetiker ! ch>
Date:       2012-01-16 11:00:03
Message-ID: alpine.DEB.2.02.1201161159180.12625 () born ! oetiker ! ch
[Download RAW message or body]

Hi James,

thanks for your patch, added in r2251

cheers
tobi
Dec 27 James Brown wrote:

> There's a bug in the current HEAD of rrdtool (and I suppose going back to
> mid-2007, from the svn blame output) which causes it to segfault if you
> point it at an rrdcached socket which isn't writable. I've attached a patch
> against trunk, and reproduction steps are below:
>
> cd ~
> mkdir rrds/
> rrdtool create rrds/test.rrd DS:data:GAUGE:360:U:U RRA:MAX:0.5:1:120 -s 1
> rrdtool update rrds/test.rrd N:0
> rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s)
> DEF:ds0=$HOME/rrds/test.rrd:data:MAX XPORT:ds0     *(this one should work)*
> rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s) --daemon
> $HOME/this_path_does_not_exist.sock DEF:ds0=$HOME/rrds/test.rrd:data:MAX
> XPORT:ds0    *(this one should segfault)*
>
> rrdtool is assuming that rrd_xport will always return -1 on failure;
> however, rrd_xport returns errno (which is, generally, not -1) if
> rrd_client fails. I figured it was easier to change rrdtool than to change
> everything in rrd_client. For good measure, I also changed the checks on
> the calls to rrd_fetch and rrd_graph. I'm not sure if they're susceptible
> to the same problem, but, well, better to check for the one thing you do
> what you want than to enumerate all the possible things you don't want.
>
> This segfault is caused by an uninitialized variable use (in particular,
> legend_v and col_cnt end up being used and passed to printf uninitialized).
> Nothing offhand jumped out at me as easily-exploitable to do code
> injection, but I only spent five or so minutes looking at it, so there very
> well may be a security problem hiding behind this.
>
> Cheers,
>

-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi@oetiker.ch ++41 62 775 9902 / sb: -9900

_______________________________________________
rrd-developers mailing list
rrd-developers@lists.oetiker.ch
https://lists.oetiker.ch/cgi-bin/listinfo/rrd-developers
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic