Hello,
I tried to gather some more information with the help of a prebuilt full-system 
VM image (links below).


On Thu, 4 Apr 2024 21:00:59 +0000 (UTC) Thorsten Glaser <t...@mirbsd.de> wrote:
Sometimes it does not crash with a smashed stack but instead fails with:

Setting up sasl2-bin (2.1.28+dfsg1-6+b1) ...
BDB0002 __fop_file_setup:  Retry limit (100) exceeded
saslpasswd2: generic failure

This appears to be caused by the pre-existing /etc/__db.sasldb2.
If that file is removed, the stack smashing occurs again.

After some experimenting I was able to get gdb to load the debug symbols,
and the backtrace points into the function __os_unique_id in libdb-5.3.so.

Unfortunately I am not sure which write overruns the canary; the gdb session below
also shows the addresses and sizes of the locals in that frame (pid, v) in case that helps.

Kind regards,
Bernhard





https://people.debian.org/~gio/dqib/
https://gitlab.com/giomasce/dqib/-/artifacts
https://gitlab.com/giomasce/dqib/-/jobs/6565595565/artifacts/download?file_type=archive


apt install gdb sasl2-bin sasl2-bin-dbgsym libsasl2-2-dbgsym 
libsasl2-modules-db-dbgsym
apt install libc6-dbg libc6-dbgsym db-util db5.3-util libldap-2.5-0 
libldap-common libsasl2-2 libsasl2-2-dbgsym libsasl2-modules libsasl2-modules-db


export DEBUGINFOD_URLS="https://debuginfod.debian.net";

rm /etc/__db.sasldb2
echo -e "test\ntest" > exclam

gdb -q
file /usr/sbin/saslpasswd2
run -c 'no:such:user' <exclam




root@debian:~# rm /etc/__db.sasldb2
root@debian:~# gdb -q
(gdb) file /usr/sbin/saslpasswd2
Reading symbols from /usr/sbin/saslpasswd2...

This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.debian.net>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
Downloading separate debug info for /usr/sbin/saslpasswd2
(No debugging symbols found in /usr/sbin/saslpasswd2)
(gdb) run -c 'no:such:user' <exclam
Starting program: /usr/sbin/saslpasswd2 -c 'no:such:user' <exclam

*** stack smashing detected ***: terminated

Program received signal SIGABRT, Aborted.
0xc00c1a88 in ?? ()
(gdb) info inferior
  Num  Description       Connection           Executable
* 1    process 10276     1 (native)           /usr/sbin/saslpasswd2
(gdb) shell cat /proc/10276/maps | grep -i -E "^c00c"
(gdb) shell cat /proc/10276/maps | grep -i -E "^c00"
c0000000-c0020000 r-xp 00000000 08:01 535730     /usr/lib/m68k-linux-gnu/ld.so.1
c0020000-c0021000 rw-p 00000000 00:00 0
c0021000-c0022000 r--p 00021000 08:01 535730     /usr/lib/m68k-linux-gnu/ld.so.1
c0022000-c0024000 rw-p 00022000 08:01 535730     /usr/lib/m68k-linux-gnu/ld.so.1
c0028000-c003c000 r-xp 00000000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c003c000-c003d000 ---p 00014000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c003d000-c003e000 r--p 00015000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c003e000-c003f000 rw-p 00016000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c0040000-c01b1000 r-xp 00000000 08:01 535733     
/usr/lib/m68k-linux-gnu/libc.so.6
(gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/libc.so.6 | grep .text
 12 .text         00113e10  0002cbd0  0002cbd0  0002cbd0  2**2
(gdb) print/x 0x2cbd0 + 0xc0040000
$1 = 0xc006cbd0
(gdb) add-symbol-file /usr/lib/m68k-linux-gnu/libc.so.6 0xc006cbd0
add symbol table from file "/usr/lib/m68k-linux-gnu/libc.so.6" at
        .text_addr = 0xc006cbd0
(y or n) y
Reading symbols from /usr/lib/m68k-linux-gnu/libc.so.6...
Reading symbols from 
/usr/lib/debug/.build-id/5b/0cdf602093304a2dff92c43c45773f6114d4b6.debug...
warning: td_ta_new failed: generic error
warning: File "/usr/lib/m68k-linux-gnu/libthread_db.so.1" auto-loading has been declined 
by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
        add-auto-load-safe-path /usr/lib/m68k-linux-gnu/libthread_db.so.1
line to your configuration file "/root/.config/gdb/gdbinit".
To completely disable this security protection add
        set auto-load safe-path /
line to your configuration file "/root/.config/gdb/gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"
warning: Unable to find libthread_db matching inferior's thread library, thread 
debugging will not be available.
(gdb) bt
...
#7  0xc0145524 in __stack_chk_fail () at stack_chk_fail.c:24
#8  0xc0755bd6 in ?? ()
#9  0x00000000 in ?? ()
(gdb) shell cat /proc/10276/maps | grep -i -E "^c07"
c0784000-c0788000 r--p 00178000 08:01 533929     
/usr/lib/m68k-linux-gnu/libdb-5.3.so
c0788000-c078e000 rw-p 0017c000 08:01 533929     
/usr/lib/m68k-linux-gnu/libdb-5.3.so
c078e000-c0796000 r-xp 00000000 08:01 539187     
/usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
c0796000-c0797000 ---p 00008000 08:01 539187     
/usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
c0797000-c0798000 r--p 00009000 08:01 539187     
/usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
c0798000-c0799000 rw-p 0000a000 08:01 539187     
/usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
(gdb) shell cat /proc/10276/maps | grep -i -E "^c06"
c0600000-c0601000 rw-p 00004000 08:01 539181     
/usr/lib/m68k-linux-gnu/sasl2/libanonymous.so.2.0.25
c0602000-c0607000 r-xp 00000000 08:01 539149     
/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
c0607000-c0609000 ---p 00005000 08:01 539149     
/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
c0609000-c060a000 r--p 00005000 08:01 539149     
/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
c060a000-c060b000 rw-p 00006000 08:01 539149     
/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
c060c000-c0784000 r-xp 00000000 08:01 533929     
/usr/lib/m68k-linux-gnu/libdb-5.3.so
(gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/libdb-5.3.so | grep 
.text
 12 .text         0012aef4  0003109c  0003109c  0003109c  2**2
(gdb) print/x 0x0003109c
$2 = 0x3109c
(gdb) print/x 0x0003109c + 0xc060c000
$3 = 0xc063d09c
(gdb) add-symbol-file /usr/lib/m68k-linux-gnu/libdb-5.3.so 0xc063d09c
add symbol table from file "/usr/lib/m68k-linux-gnu/libdb-5.3.so" at
        .text_addr = 0xc063d09c
(y or n) y
Reading symbols from /usr/lib/m68k-linux-gnu/libdb-5.3.so...
Reading symbols from 
/usr/lib/debug/.build-id/6a/b236c10c2a7b9590b0403b5766904e0f4d324a.debug...
(gdb) bt
...
#12 0xc0703f86 in __db_open_pp (dbp=0xd00087b0, txn=<optimized out>, fname=0xc0605cb9 
"/etc/sasldb2", dname=0x0, type=DB_HASH, flags=1, mode=432) at 
../src/db/db_iface.c:1193
#13 0xc0604248 in ?? ()
#14 0xd00087b0 in ?? ()
#15 0x00000000 in ?? ()
(gdb) shell objdump --all-headers 
/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25 | grep .text
 11 .text         000027f0  0000138c  0000138c  0000138c  2**2
(gdb) print/x 0x0000138c + 0xc0602000
$4 = 0xc060338c

(gdb) add-symbol-file /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25 
0xc060338c
add symbol table from file "/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25" 
at
        .text_addr = 0xc060338c
(y or n) y
Reading symbols from /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25...
Reading symbols from 
/usr/lib/debug/.build-id/29/c8e688eb61b57bcd21794b5403feefe1272dfd.debug...
(gdb) bt
...
#15 0xc0603572 in sasldb_auxprop_store (glob_context=0x0, sparams=0xd00077b8, 
ctx=0xd0007a58, user=0xeffffed9 "no:such:user", ulen=12) at 
../../plugins/sasldb.c:258
#16 0xc002d26c in ?? ()
#17 0x00000000 in ?? ()
(gdb) shell cat /proc/10276/maps | grep -i -E "^c00"
c0000000-c0020000 r-xp 00000000 08:01 535730     /usr/lib/m68k-linux-gnu/ld.so.1
c0020000-c0021000 rw-p 00000000 00:00 0
c0021000-c0022000 r--p 00021000 08:01 535730     /usr/lib/m68k-linux-gnu/ld.so.1
c0022000-c0024000 rw-p 00022000 08:01 535730     /usr/lib/m68k-linux-gnu/ld.so.1
c0028000-c003c000 r-xp 00000000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c003c000-c003d000 ---p 00014000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c003d000-c003e000 r--p 00015000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c003e000-c003f000 rw-p 00016000 08:01 539155     
/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
c0040000-c01b1000 r-xp 00000000 08:01 535733     
/usr/lib/m68k-linux-gnu/libc.so.6
(gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25 | 
grep .text
 12 .text         0000e284  00003db0  00003db0  00003db0  2**2
(gdb) print/x 0x00003db0 + 0xc0028000
$5 = 0xc002bdb0
(gdb) add-symbol-file /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25 0xc002bdb0
add symbol table from file "/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25" at
        .text_addr = 0xc002bdb0
(y or n) y
Reading symbols from /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25...
Reading symbols from 
/usr/lib/debug/.build-id/0f/8954c0644d1a9efec7973fb3198b8fd7649d5f.debug...
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
...
#17 0xc00366dc in sasl_setpass (conn=0xd0006670, user=0xeffffed9 "no:such:user", 
pass=0xd0006608 "test\ntest", passlen=9, oldpass=0x0, oldpasslen=0, flags=1) at 
../../lib/server.c:186
#18 0xd0001534 in ?? ()
...
(gdb) shell cat /proc/10276/maps | grep -i -E "^d00"
d0000000-d0002000 r-xp 00000000 08:01 539212     /usr/sbin/saslpasswd2
d0003000-d0004000 r--p 00003000 08:01 539212     /usr/sbin/saslpasswd2
d0004000-d0005000 rw-p 00004000 08:01 539212     /usr/sbin/saslpasswd2
d0005000-d0026000 rwxp 00000000 00:00 0          [heap]
(gdb) shell objdump --all-headers /usr/sbin/saslpasswd2 | grep .text
 13 .text         00000950  000010b8  000010b8  000010b8  2**2
(gdb) print/x 0x000010b8 + 0xd0000000
$6 = 0xd00010b8

(gdb) add-symbol-file /usr/sbin/saslpasswd2 0xd00010b8
add symbol table from file "/usr/sbin/saslpasswd2" at
        .text_addr = 0xd00010b8
(y or n) y
Reading symbols from /usr/sbin/saslpasswd2...
Reading symbols from 
/usr/lib/debug/.build-id/bb/e83c9ae2d4877c67bd5148237aa2c49c9a9be1.debug...
(gdb) bt
#0  __pthread_kill_implementation (threadid=3227271200, signo=6, no_tid=0) at 
pthread_kill.c:44
#1  0xc00c1ad4 in __pthread_kill_internal (signo=6, threadid=3227271200) at 
pthread_kill.c:78
#2  __GI___pthread_kill (threadid=3227271200, signo=6) at pthread_kill.c:89
#3  0xc007e91a in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
#4  0xc006cc86 in __GI_abort () at abort.c:79
#5  0xc00b5716 in __libc_message (fmt=<optimized out>) at 
../sysdeps/posix/libc_fatal.c:150
#6  0xc014553c in __GI___fortify_fail (msg=0xc019e386 "stack smashing 
detected") at fortify_fail.c:24
#7  0xc0145524 in __stack_chk_fail () at stack_chk_fail.c:24
#8  0xc0755bd6 in __os_unique_id (env=0xd0007ad8, idp=0xeffff5fc) at 
../src/os/os_uid.c:55
#9  0xc0753558 in __os_fileid (env=0xd0007ad8, fname=0xd0008bd8 "/etc/__db.sasldb2", 
unique_okay=1, fidp=<optimized out>) at ../src/os/os_fid.c:100
#10 0xc073295c in __fop_file_setup (dbp=0xd00087b0, ip=0x0, txn=<optimized out>, 
name=0xc0605cb9 "/etc/sasldb2", mode=432, flags=1, retidp=0xeffff984) at 
../src/fileops/fop_util.c:639
#11 0xc070934a in __db_open (dbp=0xd00087b0, ip=0x0, txn=0x0, fname=0xc0605cb9 
"/etc/sasldb2", dname=0x0, type=DB_HASH, flags=1, mode=432, meta_pgno=0) at 
../src/db/db_open.c:187
#12 0xc0703f86 in __db_open_pp (dbp=0xd00087b0, txn=<optimized out>, fname=0xc0605cb9 
"/etc/sasldb2", dname=0x0, type=DB_HASH, flags=1, mode=432) at 
../src/db/db_iface.c:1193
#13 0xc0604248 in berkeleydb_open (utils=0xd0007990, conn=0xd0006670, rdwr=1, 
mbdb=0xeffffa94) at ../../sasldb/db_berkeley.c:107
#14 0xc0604604 in _sasldb_putdata (utils=0xd0007990, context=0xd0006670, authid=0xd0007a98 "no:such:user", 
realm=0xd0006618 "debian", propName=0xc003a2c2 "userPassword", data_in=0xd000832e 
"test\ntest", data_len=9) at ../../sasldb/db_berkeley.c:305
#15 0xc0603572 in sasldb_auxprop_store (glob_context=0x0, sparams=0xd00077b8, 
ctx=0xd0007a58, user=0xeffffed9 "no:such:user", ulen=12) at 
../../plugins/sasldb.c:258
#16 0xc002d26c in sasl_auxprop_store (conn=0xd0006670, ctx=0xd0007a58, user=0xeffffed9 
"no:such:user") at ../../lib/auxprop.c:1019
#17 0xc00366dc in sasl_setpass (conn=0xd0006670, user=0xeffffed9 "no:such:user", 
pass=0xd0006608 "test\ntest", passlen=9, oldpass=0x0, oldpasslen=0, flags=1) at 
../../lib/server.c:186
#18 0xd0001534 in main (argc=3, argv=0xeffffdd4) at ../../utils/saslpasswd.c:419
#19 0xc006ceee in __libc_start_call_main (main=0xd00010b8 <main>, argc=3, 
argv=0xeffffdd4) at ../sysdeps/nptl/libc_start_call_main.h:58
#20 0xc006cf9c in __libc_start_main_impl (main=0xd00010b8 <main>, argc=3, 
argv=0xeffffdd4, init=0x0, fini=0x0, rtld_fini=0xc0005c2c, stack_end=0xeffffdd4) at 
libc-start.c:360
#21 0xd00016ac in _start ()
(gdb) directory /home/benutzer/source/libdb5.3/orig/db5.3-5.3.28+dfsg2/src
Source directories searched: 
/home/benutzer/source/libdb5.3/orig/db5.3-5.3.28+dfsg2/src:$cdir:$cwd
(gdb) list __os_unique_id
18       */
19      void
20      __os_unique_id(env, idp)
21              ENV *env;
22              u_int32_t *idp;
23      {
24              DB_ENV *dbenv;
25              db_timespec v;
26              pid_t pid;
27              u_int32_t id;
28
29              *idp = 0;
30
31              dbenv = env == NULL ? NULL : env->dbenv;
32
33              /*
34               * Our randomized value is comprised of our process ID, the 
current
35               * time of day and a stack address, all XOR'd together.
36               */
37              __os_id(dbenv, &pid, NULL);
38              __os_gettime(env, &v, 1);
39
40              id = (u_int32_t)pid ^
41                  (u_int32_t)v.tv_sec ^ (u_int32_t)v.tv_nsec ^ 
P_TO_UINT32(&pid);
42
43              /*
44               * We could try and find a reasonable random-number generator, 
but
45               * that's not all that easy to do.  Seed and use 
srand()/rand(), if
46               * we can find them.
47               */
48              if (DB_GLOBAL(uid_init) == 0) {
49                      DB_GLOBAL(uid_init) = 1;
50                      srand((u_int)id);
51              }
52              id ^= (u_int)rand();
53
54              *idp = id;
55      }
(gdb) up
#1  0xc00c1ad4 in __pthread_kill_internal (signo=6, threadid=3227271200) at 
pthread_kill.c:78
(gdb)
#2  __GI___pthread_kill (threadid=3227271200, signo=6) at pthread_kill.c:89
(gdb)
#3  0xc007e91a in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
(gdb)
#4  0xc006cc86 in __GI_abort () at abort.c:79
(gdb)
#5  0xc00b5716 in __libc_message (fmt=<optimized out>) at 
../sysdeps/posix/libc_fatal.c:150
(gdb)
#6  0xc014553c in __GI___fortify_fail (msg=0xc019e386 "stack smashing 
detected") at fortify_fail.c:24
(gdb)
#7  0xc0145524 in __stack_chk_fail () at stack_chk_fail.c:24
(gdb)
#8  0xc0755bd6 in __os_unique_id (env=0xd0007ad8, idp=0xeffff5fc) at 
../src/os/os_uid.c:55
55      }
(gdb) print sizeof(v)
$7 = 12
(gdb) print v
$8 = {tv_sec = 1712964817, tv_nsec = 0}
(gdb) ptype /o v
type = struct {
/*      0      |       8 */    time_t tv_sec;
/*      8      |       4 */    long tv_nsec;

                               /* total size (bytes):   12 */
                             }
(gdb) print id
$9 = <optimized out>
(gdb) print pid
$10 = 10276
(gdb) print dbenv
$11 = <optimized out>
(gdb) print sizeof(pid)
$12 = 4
(gdb) print &pid
$13 = (pid_t *) 0xeffff5b0
(gdb) print &v
$14 = (db_timespec *) 0xeffff5b4
(gdb)
