Package: fakechroot
Version: 2.10-2
Severity: important
Tags: patch

The getsockname function in libfakechroot.c ignores the namelen parameter and overruns the buffer given as name if *namelen is less than sizeof(struct sockaddr_un).
This can be triggered by executing:

  fakechroot host 127.0.0.1

glibc detects the buffer overrun and kills the process:

  *** stack smashing detected ***: host terminated

According to recent getsockname(2) man pages the result must be truncated if it's longer than *namelen. *namelen should then be set to the length of the complete result so that the caller can recognize that the result has been truncated. See attached patch for a corresponding solution.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-194.11.1.el5 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages fakechroot depends on:
ii  libc6  2.11.2-5  Embedded GNU C Library: Shared lib

fakechroot recommends no packages.

Versions of packages fakechroot suggests:
pn  libc6-i386  <none>  (no description available)

-- no debconf information
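Added example, not fakechroot's code: a helper that copies an AF_UNIX address the way the man page requires (write at most *namelen bytes, then report the full length), and a constructed check that a caller's too-small buffer is not overrun and that the truncation is visible to the caller. copy_unix_addr, demo_short_buffer and the socket path are assumed names.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Hypothetical helper, not fakechroot's code: copy a rewritten AF_UNIX
 * address into the caller's buffer as getsockname(2) specifies. At most
 * *namelen bytes are written; *namelen is then set to the full length so
 * the caller can detect truncation. Length convention follows the patch. */
socklen_t copy_unix_addr(const struct sockaddr_un *src,
                         struct sockaddr *name, socklen_t *namelen)
{
    /* strnlen, not strlen: a path filling sun_path may have no NUL. */
    socklen_t full = (socklen_t)(sizeof src->sun_family
                     + strnlen(src->sun_path, sizeof src->sun_path));
    socklen_t copy = *namelen < full ? *namelen : full;   /* truncate */
    memcpy(name, src, copy);
    *namelen = full;       /* report what a big enough buffer would get */
    return full;
}

/* Constructed demo: the caller passes an 8-byte buffer for a 30-byte
 * path. Returns the reported full length if truncation was signalled
 * and the guard bytes after the small buffer are intact, else 0. */
int demo_short_buffer(void)
{
    struct sockaddr_un src;
    memset(&src, 0, sizeof src);
    src.sun_family = AF_UNIX;
    strncpy(src.sun_path, "/tmp/example-chroot/run/socket", sizeof src.sun_path);
    struct { char buf[8]; unsigned char guard[16]; } area;
    memset(area.guard, 0xA5, sizeof area.guard);
    socklen_t len = sizeof area.buf;
    socklen_t full = copy_unix_addr(&src, (struct sockaddr *)area.buf, &len);
    for (size_t i = 0; i < sizeof area.guard; i++)
        if (area.guard[i] != 0xA5)
            return 0;                       /* overrun past the buffer */
    if (len != full || len <= sizeof area.buf)
        return 0;                           /* truncation not reported */
    return (int)full;
}

int main(void)
{
    int n = demo_short_buffer();
    printf("reported length %d for an 8-byte buffer: %s\n", n, n ? "ok" : "FAILED");
    return n ? 0 : 1;
}
```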
diff -ur fakechroot-2.10/src/libfakechroot.c fakechroot-2.10-getsockname/src/libfakechroot.c --- fakechroot-2.10/src/libfakechroot.c 2010-08-25 15:33:34.000000000 +0200 +++ fakechroot-2.10-getsockname/src/libfakechroot.c 2010-09-11 14:16:31.000000000 +0200 @@ -2098,7 +2098,7 @@ strncpy(newname.sun_path, fakechroot_buf, UNIX_PATH_MAX); } - memcpy(name, &newname, sizeof(struct sockaddr_un)); + memcpy(name, &newname, *namelen < sizeof(struct sockaddr_un) ? *namelen : sizeof(struct sockaddr_un)); *namelen = sizeof(newname.sun_family) + strlen(newname.sun_path); return status; }
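Review bot: the copy is now bounded, but the reported length `sizeof(newname.sun_family) + strlen(newname.sun_path)` still relies on `newname.sun_path` being NUL-terminated, which the `strncpy(newname.sun_path, fakechroot_buf, UNIX_PATH_MAX)` in the unchanged context above does not guarantee when the path fills `sun_path`; `strnlen(newname.sun_path, sizeof(newname.sun_path))` would bound that read. As a readability point, factoring the ternary into a local such as `socklen_t copylen = *namelen < sizeof(struct sockaddr_un) ? *namelen : sizeof(struct sockaddr_un);` would keep the `memcpy` line short and make the truncation step easier to spot.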