Bug#921959: openbsd-inetd: buffer overflow in tftpd caused by wrong path

2019-02-25 Thread Bernhard Übelacker
Control: reopen 921959
Control: reassign 921959 tftpd 0.17-22 


Hello Everyone,
I hope it is ok to reopen and reassign this report to package tftpd,
which I assume Alison Chaiken has installed, based on the addresses
in the supplied backtrace.

I assume this is the result of some implicit "Object Size Checking"
used by the compiler in "__strcpy_chk",
while in tftpd.c:624 is just a "strcpy" [1].

In the backtrace the parameter destlen has just a value of 0.
And [2] shows in that case we divert into the error path.

Unfortunately I cannot find the last amd64 build logs from the
developer information page, but the i386 log shows the following
warning [3] since 0.17-22.
The log contains one more such warning.

So it looks like the compiler could not determine the available
memory in the pointer tp->th_msg.
This may be related to the -D_FORTIFY_SOURCE=2 that was not showing up
in the build log for 0.17-21.

Attached file contains some more details.

Kind regards,
Bernhard



[1]
(gdb) list tftpd.c:607,631
607 static void
608 nak(int error)
609 {
610 register struct tftphdr *tp;
611 int length;
612 register struct errmsg *pe;
613
614 tp = (struct tftphdr *)buf;
615 tp->th_opcode = htons((u_short)ERROR);
616 tp->th_code = htons((u_short)error);
617 for (pe = errmsgs; pe->e_code >= 0; pe++)
618 if (pe->e_code == error)
619 break;
620 if (pe->e_code < 0) {
621 pe->e_msg = strerror(error - 100);
622 tp->th_code = EUNDEF;   /* set 'undef' errorcode */
623 }
624 strcpy(tp->th_msg, pe->e_msg);   <
625 length = strlen(pe->e_msg);
626 tp->th_msg[length] = '\0';
627 length += 5;
628 if (sendto(peer, buf, length, 0, (struct sockaddr *), fromlen) != length)
629 syslog(LOG_ERR, "nak: %m\n");
630 }




[2]
(gdb) list strcpy_chk.c:30
25  char *
26  __strcpy_chk (char *dest, const char *src, size_t destlen)
27  {
28    size_t len = strlen (src);
29    if (len >= destlen)
30      __chk_fail ();
31
32    return memcpy (dest, src, len + 1);
33  }




[3]
https://buildd.debian.org/status/fetch.php?pkg=netkit-tftp=i386=0.17-22=1544734969=0

...
cd /<>/obj-i686-linux-gnu/tftp && /usr/bin/cc   -g -O2 
-fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat 
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2   -o 
CMakeFiles/tftp.dir/tftpsubs.c.o   -c /<>/tftp/tftpsubs.c
...
In file included from /usr/include/string.h:494,
 from /<>/tftpd/tftpd.c:66:
In function 'strcpy',
inlined from 'nak' at /<>/tftpd/tftpd.c:624:2:
/usr/include/i386-linux-gnu/bits/string_fortified.h:90:10: warning: 
'__builtin___strcpy_chk' writing 1 or more bytes into a region of size 0 
overflows the destination [-Wstringop-overflow=]
   return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
  ^~
...


# Buster amd64 qemu VM 2019-02-25

apt update
apt dist-upgrade

apt install gdb 


#


apt install atftpd atftpd-dbgsym
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex run -ex 'disassemble main' --args /usr/sbin/in.tftpd
Reading symbols from /usr/sbin/in.tftpd...Reading symbols from 
/usr/lib/debug/.build-id/4a/f9379ec9fd666c9dd97dad57bf0c652b5664fe.debug...done.
...
Dump of assembler code for function main:
...
-> no line with offset 7a2
apt remove --purge atftpd atftpd-dbgsym


apt install tftp-hpa tftp-hpa-dbg
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex run -ex 'disassemble main' --args /usr/sbin/in.tftpd
Reading symbols from /usr/sbin/in.tftpd...Reading symbols from 
/usr/lib/debug/.build-id/d1/27b4ec61c7068d74fcc0a7c63d79180efc8416.debug...done.
...
Dump of assembler code for function main:
...
-> no line with offset 7a2
apt remove --purge tftp-hpa tftp-hpa-dbg


apt install tftpd tftpd-dbgsym
gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'b main' -ex run -ex 'disassemble main' --args /usr/sbin/in.tftpd
Reading symbols from /usr/sbin/in.tftpd...Reading symbols from 
/usr/lib/debug/.build-id/71/ec94654597b3b11d2d01a17ce776065786a694.debug...done.
...
Dump of assembler code for function main:
...
   0x679d <+1149>:  callq  0x68d0 
   0x67a2 <+1154>:  mov    $0x1,%edi
...
apt remove --purge tftpd tftpd-dbgsym


--> So assuming Alison Chaiken used package "tftpd" --> src:netkit-tftp


#


apt install dpkg-dev devscripts


mkdir /tmp/source/netkit-tftp/orig -p
cd /tmp/source/netkit-tftp/orig
apt source netkit-tftp
cd


mkdir /tmp/source/libc6/orig -p
cd /tmp/source/libc6/orig
apt source libc6
cd
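As an added illustration of the point made above (my own example, not code from the bug report, netkit-tftp or glibc), the C program below shows what _FORTIFY_SOURCE=2 hands to __strcpy_chk as destlen for a message copied into a trailing zero-length array, and a bounded way to build the same ERROR datagram that does not depend on what the compiler believes about th_msg. The struct is an assumed stand-in for struct tftphdr (mirroring a zero-length trailing member like tu_data[0]); PKTSIZE, the ERROR opcode and the "Access violation" code follow RFC 1350; build_nak, fortify_destlen_type0/1 and the example_* helpers are names I made up for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PKTSIZE    516   /* 4-byte header + 512-byte payload, like buf in tftpd */
#define TFTP_ERROR 5     /* ERROR opcode (RFC 1350) */
#define EACCESS    2     /* "Access violation" error code (RFC 1350) */

/* Assumed stand-in for struct tftphdr as the daemon uses it: opcode, error
 * code, then the message in a trailing zero-length array (declared size 0). */
struct tftp_err_pkt {
    unsigned char opcode[2];
    unsigned char code[2];
    char msg[0];
};

static char g_pkt[PKTSIZE];   /* constructed send buffer, like buf in tftpd.c */

/* What _FORTIFY_SOURCE=2 passes to __strcpy_chk() as destlen: the object size
 * of tp->msg in "type 1" mode, which stops at the member boundary.  Type 0
 * (what _FORTIFY_SOURCE=1 uses) extends to the end of the enclosing buffer.
 * Both values depend on compiler and optimisation level; (size_t)-1 means
 * "unknown".  The build log and backtrace in the thread show GCC 8 at -O2
 * arriving at 0 for type 1, so every nak() call tripped the check. */
size_t fortify_destlen_type1(void)
{
    struct tftp_err_pkt *tp = (struct tftp_err_pkt *)g_pkt;
    return __builtin_object_size(tp->msg, 1);
}

size_t fortify_destlen_type0(void)
{
    struct tftp_err_pkt *tp = (struct tftp_err_pkt *)g_pkt;
    return __builtin_object_size(tp->msg, 0);
}

/* Bounded replacement for the strcpy() at tftpd.c:624: the copy length comes
 * from the buffer size we were given, not from the compiler's view of th_msg.
 * Returns the datagram length (4 header bytes + message + NUL, the original's
 * "length += 5"), or -1 if the message does not fit. */
ssize_t build_nak(char *buf, size_t buflen, int error, const char *msg)
{
    const size_t hdr = offsetof(struct tftp_err_pkt, msg);   /* 4 bytes */
    size_t msglen = strlen(msg);

    if (buflen < hdr || msglen + 1 > buflen - hdr)
        return -1;                 /* would not fit: refuse instead of abort */

    /* 16-bit big-endian fields written byte-wise: no alignment or htons needed */
    buf[0] = 0;
    buf[1] = TFTP_ERROR;
    buf[2] = (char)((error >> 8) & 0xff);
    buf[3] = (char)(error & 0xff);
    memcpy(buf + hdr, msg, msglen + 1);   /* bounded by the check above, includes NUL */
    return (ssize_t)(hdr + msglen + 1);
}

/* The message from the backtrace: 16 characters + NUL + 4 header = 21 bytes. */
int example_access_violation(void)
{
    return (int)build_nak(g_pkt, sizeof g_pkt, EACCESS, "Access violation");
}

/* A message that cannot fit in the 512 bytes after the header: build_nak()
 * reports -1 where strcpy() would run past the buffer (or, fortified, abort). */
int example_too_long(void)
{
    char big[PKTSIZE];                     /* constructed: 515 'A's + NUL */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return (int)build_nak(g_pkt, sizeof g_pkt, 0, big);
}

int main(void)
{
    int n = example_access_violation();
    printf("nak packet: %d bytes, opcode %d, code %d, msg \"%s\"\n",
           n, g_pkt[1], g_pkt[3], g_pkt + 4);
    printf("too-long message: %d\n", example_too_long());
    printf("fortify destlen for th_msg: type1=%zd type0=%zd (-1 = unknown)\n",
           (ssize_t)fortify_destlen_type1(), (ssize_t)fortify_destlen_type0());
    return n == 21 ? 0 : 1;
}
```

Build it once with `-O2 -D_FORTIFY_SOURCE=2` and once at `-O0` to see the two fortify sizes move; build_nak gives the same 21-byte packet either way, which is the property the daemon's strcpy() lacked.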


Bug#921959: openbsd-inetd: buffer overflow in tftpd caused by wrong path

2019-02-10 Thread Marco d'Itri
On Feb 10, Alison Chaiken wrote:

> I'm running tftpd between a laptop and an NFS-booted embedded board
> connected by eth0.  When I power the board and try to transfer
> files to it, tftpd will crash, generating core files.  Here is the
Then please reassign this bug to the tftp daemon that you are using.

-- 
ciao,
Marco




Bug#921959: openbsd-inetd: buffer overflow in tftpd caused by wrong path

2019-02-10 Thread Alison Chaiken
Package: openbsd-inetd
Version: 0.20160825-3
Severity: important


I'm running tftpd between a laptop and an NFS-booted embedded board
connected by eth0.  When I power the board and try to transfer
files to it, tftpd will crash, generating core files.  Here is the
backtrace from one:



$ gdb /usr/sbin/in.tftpd core.in\\x2etftpd.65534.6974d7bdcfe9410bb772d64ecf41605a.1790.154976503800
Reading symbols from /usr/sbin/in.tftpd...(no debugging symbols found)...done.
[New LWP 1790]
Core was generated by `in.tftpd /srv/tftp'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x7f2cefaf1535 in __GI_abort () at abort.c:79
#2  0x7f2cefb48778 in __libc_message (action=, 
fmt=fmt@entry=0x7f2cefc5307b "*** %s ***: %s terminated\n")
at ../sysdeps/posix/libc_fatal.c:181
#3  0x7f2cefbd9b3d in __GI___fortify_fail_abort 
(need_backtrace=need_backtrace@entry=0x1, 
msg=msg@entry=0x7f2cefc52ff8 "buffer overflow detected") at 
fortify_fail.c:28
#4  0x7f2cefbd9b71 in __GI___fortify_fail (
msg=msg@entry=0x7f2cefc52ff8 "buffer overflow detected") at 
fortify_fail.c:44
#5  0x7f2cefbd7c70 in __GI___chk_fail () at chk_fail.c:28
#6  0x7f2cefbd7082 in __strcpy_chk (dest=0x564f2a4b4724 
"ftpboot/nitrogen.dtb", 
src=0x564f2a4b20f8 "Access violation", destlen=0x0) at strcpy_chk.c:30
#7  0x564f2a4b094f in ?? ()
#8  0x564f2a4b07a2 in ?? ()
#9  0x7f2cefaf309b in __libc_start_main (main=0x564f2a4b0320, argc=0x2, 
argv=0x7ffc2216ec78, 
init=, fini=, rtld_fini=, 
stack_end=0x7ffc2216ec68) at ../csu/libc-start.c:308
#10 0x564f2a4b07fa in ?? ()

-

The file /tftpboot/nitrogen.dtb is the one I'd like to transfer, but
for some reason, the string without the leading "/t" appears in the
backtrace.   Here are the lines in /etc/inetd.conf that I modified:

-

# /etc/inetd.conf:  see inetd(8) for further informations.
#:BOOT: TFTP service is provided primarily for booting.  Most sites
#   run this only on machines acting as "boot servers."
172.17.0.5:tftp     dgram   udp wait    nobody  /usr/sbin/tcpd  in.tftpd /tftpboot
#192.168.42.67:tftp dgram   udp wait    nobody  /usr/sbin/tcpd  in.tftpd /tftpboot
tftp                dgram   udp wait    nobody  /usr/sbin/tcpd  /usr/sbin/in.tftpd /srv/tftp

#:RPC: RPC based services

---

You can see that I should have changed /srv/tftp to /tftpboot.   When
I do so, tftpd stops crashing.   Nonetheless, it would be better for
it to print an error and exit ENOENT than to dump core.

Thanks for your hard work,
Alison Chaiken
ali...@she-devel.com

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.12 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages openbsd-inetd depends on:
ii  libbsd0         0.9.1-1
ii  libc6           2.28-6
ii  libevent-2.1-6  2.1.8-stable-4
ii  libsystemd0     240-5
ii  libwrap0        7.6.q-27
ii  lsb-base        10.2018112800
ii  tcpd            7.6.q-27
ii  update-inetd    4.49

openbsd-inetd recommends no packages.

openbsd-inetd suggests no packages.

-- no debconf information