Control: reopen 921959
Control: reassign 921959 tftpd 0.17-22
Hello Everyone,
I hope it is ok to reopen and reassign this report to package tftpd,
which I assume Alison Chaiken has installed, based on the addresses
in the supplied backtrace.
I assume this is the result of some implicit "Object Size Checking"
used by the compiler in "__strcpy_chk",
while in tftpd.c:624 is just a "strcpy" [1].
In the backtrace the parameter destlen has just a value of 0.
And [2] shows in that case we divert into the error path.
Unfortunately I cannot find the last amd64 build logs from the
developer information page, but the i386 log shows following
warning [3] since 0.17-22.
The log contains one more such warning.
So it looks like the compiler could not determine the available
memory in the pointer tp->th_msg.
This may be related to the -D_FORTIFY_SOURCE=2 that was not showing up
in the build log for 0.17-21.
Attached file contains some more details.
Kind regards,
Bernhard
[1]
(gdb) list tftpd.c:607,631
607 static void
608 nak(int error)
609 {
610 register struct tftphdr *tp;
611 int length;
612 register struct errmsg *pe;
613
614 tp = (struct tftphdr *)buf;
615 tp->th_opcode = htons((u_short)ERROR);
616 tp->th_code = htons((u_short)error);
617 for (pe = errmsgs; pe->e_code >= 0; pe++)
618 if (pe->e_code == error)
619 break;
620 if (pe->e_code < 0) {
621 pe->e_msg = strerror(error - 100);
622 tp->th_code = EUNDEF; /* set 'undef' errorcode */
623 }
624 strcpy(tp->th_msg, pe->e_msg);
<
625 length = strlen(pe->e_msg);
626 tp->th_msg[length] = '\0';
627 length += 5;
628 if (sendto(peer, buf, length, 0, (struct sockaddr *),
fromlen) != length)
629 syslog(LOG_ERR, "nak: %m\n");
630 }
[2]
(gdb) list strcpy_chk.c:30
25 char *
26 __strcpy_chk (char *dest, const char *src, size_t destlen)
27 {
28size_t len = strlen (src);
29if (len >= destlen)
30 __chk_fail ();
31
32return memcpy (dest, src, len + 1);
33 }
[3]
https://buildd.debian.org/status/fetch.php?pkg=netkit-tftp=i386=0.17-22=1544734969=0
...
cd /<>/obj-i686-linux-gnu/tftp && /usr/bin/cc -g -O2
-fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -o
CMakeFiles/tftp.dir/tftpsubs.c.o -c /<>/tftp/tftpsubs.c
...
In file included from /usr/include/string.h:494,
from /<>/tftpd/tftpd.c:66:
In function 'strcpy',
inlined from 'nak' at /<>/tftpd/tftpd.c:624:2:
/usr/include/i386-linux-gnu/bits/string_fortified.h:90:10: warning:
'__builtin___strcpy_chk' writing 1 or more bytes into a region of size 0
overflows the destination [-Wstringop-overflow=]
return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
^~
...
# Buster amd64 qemu VM 2019-02-25
apt update
apt dist-upgrade
apt install gdb
#
apt install atftpd atftpd-dbgsym
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex run -ex
'disassemble main' --args /usr/sbin/in.tftpd
Reading symbols from /usr/sbin/in.tftpd...Reading symbols from
/usr/lib/debug/.build-id/4a/f9379ec9fd666c9dd97dad57bf0c652b5664fe.debug...done.
...
Dump of assembler code for function main:
...
-> no line with offset 7a2
apt remove --purge atftpd atftpd-dbgsym
apt install tftp-hpa tftp-hpa-dbg
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex run -ex
'disassemble main' --args /usr/sbin/in.tftpd
Reading symbols from /usr/sbin/in.tftpd...Reading symbols from
/usr/lib/debug/.build-id/d1/27b4ec61c7068d74fcc0a7c63d79180efc8416.debug...done.
...
Dump of assembler code for function main:
...
-> no line with offset 7a2
apt remove --purge tftp-hpa tftp-hpa-dbg
apt install tftpd tftpd-dbgsym
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex run -ex
'disassemble main' --args /usr/sbin/in.tftpd
Reading symbols from /usr/sbin/in.tftpd...Reading symbols from
/usr/lib/debug/.build-id/71/ec94654597b3b11d2d01a17ce776065786a694.debug...done.
...
Dump of assembler code for function main:
...
0x679d <+1149>: callq 0x68d0
0x67a2 <+1154>: mov$0x1,%edi
...
apt remove --purge tftpd tftpd-dbgsym
--> So assuming Alison Chaiken used package "tftpd" --> src:netkit-tftp
#
apt install dpkg-dev devscripts
mkdir /tmp/source/netkit-tftp/orig -p
cd/tmp/source/netkit-tftp/orig
apt source netkit-tftp
cd
mkdir /tmp/source/libc6/orig -p
cd/tmp/source/libc6/orig
apt source libc6
cd