Bug#893167: Stack smashing protection triggered in eboard
Thank you, I have just committed a fix for this to the github repository, https://github.com/fbergo/eboard On Tue, Jul 31, 2018 at 2:54 PM Bernhard Übelacker wrote: > Hello, > just tried to reproduce the stack smashing. > > It looks like the variable "gdouble c[3];" in colorb_csok > needs to be a "gdouble c[4];". > > Did not find an related upstream ticket, neither in old SF nor at Github. > Also at Github this function was not yet changed, so this should be > forwarded to upstream. > > See details below. > > Kind regards, > Bernhard > > > > > # With a locally rebuild version to get debug information. > > (gdb) cont > Continuing. > > Hardware watchpoint 2: *0x7fffd428 > > Old value = -1459212032 > New value = 0 > gtk_color_selection_get_color (colorsel=0x55992370, > color=0x7fffd410) at ./gtk/gtkcolorsel.c:2579 > 2579./gtk/gtkcolorsel.c: Datei oder Verzeichnis nicht gefunden. > 1: x/i $pc > => 0x77a01c6e : add$0x8,%rsp > (gdb) bt > #0 0x77a01c6e in gtk_color_selection_get_color > (colorsel=0x55992370, color=0x7fffd410) at ./gtk/gtkcolorsel.c:2579 > #1 0x555e6cdc in colorb_csok(_GtkWidget*, void*) (b= out>, data=0x558ec810) at widgetproxy.cc:364 > #2 0x764f0f6d in g_closure_invoke () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #3 0x76503d3e in () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #4 0x7650c3f5 in g_signal_emit_valist () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #5 0x7650ce0f in g_signal_emit () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #6 0x779e7785 in gtk_real_button_released (button=0x559564e0) > at ./gtk/gtkbutton.c:1712 > #7 0x764f0f6d in g_closure_invoke () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #8 0x76503e0e in () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #9 0x7650c3f5 in g_signal_emit_valist () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #10 0x7650ce0f in g_signal_emit () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #11 0x779e6709 in gtk_button_button_release > 
(widget=widget@entry=0x559564e0, > event=) at ./gtk/gtkbutton.c:1604 > #12 0x77a8c2bb in _gtk_marshal_BOOLEAN__BOXED > (closure=0x556afa50, return_value=0x7fffdec0, > n_param_values=, param_values=0x7fffdf20, > invocation_hint=, marshal_data=) at > ./gtk/gtkmarshalers.c:84 > #13 0x764f0f6d in g_closure_invoke () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #14 0x76503ac8 in () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #15 0x7650bd8f in g_signal_emit_valist () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #16 0x7650ce0f in g_signal_emit () at > /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 > #17 0x77ba227c in gtk_widget_event_internal > (widget=widget@entry=0x559564e0, > event=event@entry=0x55a0f560) at ./gtk/gtkwidget.c:5010 > #18 0x77ba2517 in IA__gtk_widget_event > (widget=widget@entry=0x559564e0, > event=event@entry=0x55a0f560) at ./gtk/gtkwidget.c:4807 > #19 0x77a8a55c in IA__gtk_propagate_event (widget=0x559564e0, > event=0x55a0f560) at ./gtk/gtkmain.c:2503 > #20 0x77a8a95b in IA__gtk_main_do_event (event=) at > ./gtk/gtkmain.c:1698 > #21 0x7770005c in gdk_event_dispatch (source=, > callback=, user_data=) at > ./gdk/x11/gdkevents-x11.c:2425 > #22 0x76215287 in g_main_context_dispatch () at > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 > #23 0x762154c0 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 > #24 0x762157d2 in g_main_loop_run () at > /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 > #25 0x77a89987 in IA__gtk_main () at ./gtk/gtkmain.c:1270 > #26 0x5557d854 in main (argc=, argv= out>) at main.cc:108 > #27 0x755b0b17 in __libc_start_main (main=0x5557d630 , > argc=1, argv=0x7fffe578, init=, fini=, > rtld_fini=, stack_end=0x7fffe568) > at ../csu/libc-start.c:310 > #28 0x5557dfea in _start () at main.cc:97 > (gdb) > > > > > > (gdb) list gtk_color_selection_get_color > 2566void > 2567gtk_color_selection_get_color (GtkColorSelection *colorsel, > 2568 gdouble *color) > 2569{ > 2570 ColorSelectionPrivate *priv; > 2571 > 2572 
g_return_if_fail (GTK_IS_COLOR_SELECTION (colorsel)); > 2573 > 2574 priv = colorsel->private_data; > 2575 color[0] = priv->color[COLORSEL_RED]; > 2576 color[1] = priv->color[COLORSEL_GREEN]; > 2577 color[2] = priv->color[COLORSEL_BLUE]; > 2578 color[3] = priv->has_opacity ? priv->color[COLORSEL_OPACITY] : > 65535; <--- Here we access memory beyond the variable > "gdouble c[3];" > 2579} > > > > > (gdb) list colorb_csok > 358 > 359 void colorb_csok(GtkWidget *b,gpointer data) { > 360 ColorButton *me; > 361 me=(ColorButton *)data; > 362
Bug#893167: Stack smashing protection triggered in eboard
Hello, just tried to reproduce the stack smashing. It looks like the variable "gdouble c[3];" in colorb_csok needs to be a "gdouble c[4];". gtk_color_selection_get_color fills four gdoubles (red, green, blue and opacity, see color[0] through color[3] in the listing below), so a three-element array on the caller's stack is overrun by one gdouble, which is what the stack protector catches. Did not find a related upstream ticket, neither in old SF nor at Github. Also at Github this function was not yet changed, so this should be forwarded to upstream. See details below. Kind regards, Bernhard # With a locally rebuilt version to get debug information. (gdb) cont Continuing. Hardware watchpoint 2: *0x7fffd428 Old value = -1459212032 New value = 0 gtk_color_selection_get_color (colorsel=0x55992370, color=0x7fffd410) at ./gtk/gtkcolorsel.c:2579 2579./gtk/gtkcolorsel.c: Datei oder Verzeichnis nicht gefunden. 1: x/i $pc => 0x77a01c6e : add$0x8,%rsp (gdb) bt #0 0x77a01c6e in gtk_color_selection_get_color (colorsel=0x55992370, color=0x7fffd410) at ./gtk/gtkcolorsel.c:2579 #1 0x555e6cdc in colorb_csok(_GtkWidget*, void*) (b=, data=0x558ec810) at widgetproxy.cc:364 #2 0x764f0f6d in g_closure_invoke () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #3 0x76503d3e in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #4 0x7650c3f5 in g_signal_emit_valist () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #5 0x7650ce0f in g_signal_emit () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #6 0x779e7785 in gtk_real_button_released (button=0x559564e0) at ./gtk/gtkbutton.c:1712 #7 0x764f0f6d in g_closure_invoke () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #8 0x76503e0e in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #9 0x7650c3f5 in g_signal_emit_valist () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #10 0x7650ce0f in g_signal_emit () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #11 0x779e6709 in gtk_button_button_release (widget=widget@entry=0x559564e0, event=) at ./gtk/gtkbutton.c:1604 #12 0x77a8c2bb in _gtk_marshal_BOOLEAN__BOXED (closure=0x556afa50, return_value=0x7fffdec0, n_param_values=, param_values=0x7fffdf20, invocation_hint=, marshal_data=) at ./gtk/gtkmarshalers.c:84 #13 0x764f0f6d in 
g_closure_invoke () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #14 0x76503ac8 in () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #15 0x7650bd8f in g_signal_emit_valist () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #16 0x7650ce0f in g_signal_emit () at /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 #17 0x77ba227c in gtk_widget_event_internal (widget=widget@entry=0x559564e0, event=event@entry=0x55a0f560) at ./gtk/gtkwidget.c:5010 #18 0x77ba2517 in IA__gtk_widget_event (widget=widget@entry=0x559564e0, event=event@entry=0x55a0f560) at ./gtk/gtkwidget.c:4807 #19 0x77a8a55c in IA__gtk_propagate_event (widget=0x559564e0, event=0x55a0f560) at ./gtk/gtkmain.c:2503 #20 0x77a8a95b in IA__gtk_main_do_event (event=) at ./gtk/gtkmain.c:1698 #21 0x7770005c in gdk_event_dispatch (source=, callback=, user_data=) at ./gdk/x11/gdkevents-x11.c:2425 #22 0x76215287 in g_main_context_dispatch () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #23 0x762154c0 in () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #24 0x762157d2 in g_main_loop_run () at /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0 #25 0x77a89987 in IA__gtk_main () at ./gtk/gtkmain.c:1270 #26 0x5557d854 in main (argc=, argv=) at main.cc:108 #27 0x755b0b17 in __libc_start_main (main=0x5557d630 , argc=1, argv=0x7fffe578, init=, fini=, rtld_fini=, stack_end=0x7fffe568) at ../csu/libc-start.c:310 #28 0x5557dfea in _start () at main.cc:97 (gdb) (gdb) list gtk_color_selection_get_color 2566void 2567gtk_color_selection_get_color (GtkColorSelection *colorsel, 2568 gdouble *color) 2569{ 2570 ColorSelectionPrivate *priv; 2571 2572 g_return_if_fail (GTK_IS_COLOR_SELECTION (colorsel)); 2573 2574 priv = colorsel->private_data; 2575 color[0] = priv->color[COLORSEL_RED]; 2576 color[1] = priv->color[COLORSEL_GREEN]; 2577 color[2] = priv->color[COLORSEL_BLUE]; 2578 color[3] = priv->has_opacity ? 
priv->color[COLORSEL_OPACITY] : 65535; <--- Here we access memory beyond the variable "gdouble c[3];" 2579} (gdb) list colorb_csok 358 359 void colorb_csok(GtkWidget *b,gpointer data) { 360 ColorButton *me; 361 me=(ColorButton *)data; 362 gdouble c[3]; 363 int v[3]; 364 gtk_color_selection_get_color(GTK_COLOR_SELECTION(GTK_COLOR_SELECTION_DIALOG(me->colordlg)->colorsel),c); 365 v[0]=(int)(c[0]*255.0); 366 v[1]=(int)(c[1]*255.0); 367 v[2]=(int)(c[2]*255.0); 368 me->ColorValue=(v[0]<<16)|(v[1]<<8)|v[2]; 369 gtk_grab_remove(me->colordlg); 370
Bug#893167: Stack smashing protection triggered in eboard
Package: eboard Version: 1.1.1-6.1+b1 Severity: grave Bug is present in stable/stretch, others not tested. Stock 4.9 kernel on amd64. If you need any more info than this please let me know. I've been able to reproduce on two different systems, both amd64. To reproduce: when eboard is started, go to settings > preferences > click squares to change the colours for > choose any colour from the palette > click OK. This will result in a crash. The output: \*\*\* stack smashing detected ***: eboard terminated === Backtrace: = /lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)\[0x7f8923036bfb\] /lib/x86\_64-linux-gnu/libc.so.6(\_\_fortify_fail+0x37)\[0x7f89230bf1f7\] /lib/x86\_64-linux-gnu/libc.so.6(\_\_fortify_fail+0x0)\[0x7f89230bf1c0\] eboard(+0x92e8c)\[0x55aeeb1fce8c\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_closure_invoke+0x145)\[0x7f8924645f75\] /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x21f82)\[0x7f8924657f82\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_signal\_emit\_valist+0xe3c)\[0x7f8924660bdc\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_signal_emit+0x8f)\[0x7f8924660fbf\] /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0(+0x8d0c5)\[0x7f8925d2e0c5\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_closure_invoke+0x145)\[0x7f8924645f75\] /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x2195c)\[0x7f892465795c\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_signal\_emit\_valist+0xe3c)\[0x7f8924660bdc\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_signal_emit+0x8f)\[0x7f8924660fbf\] /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0(+0x8c029)\[0x7f8925d2d029\] /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0(+0x1317bc)\[0x7f8925dd27bc\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_closure_invoke+0x145)\[0x7f8924645f75\] /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0(+0x2237d)\[0x7f892465837d\] /usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_signal\_emit\_valist+0x8df)\[0x7f892466067f\] 
/usr/lib/x86\_64-linux-gnu/libgobject-2.0.so.0(g\_signal_emit+0x8f)\[0x7f8924660fbf\] /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0(+0x2498ac)\[0x7f8925eea8ac\] /usr/lib/x86\_64-linux-gnu/libgtk-x11-2.0.so.0(gtk\_propagate_event+0xc4)\[0x7f8925dd0f84\] /usr/lib/x86\_64-linux-gnu/libgtk-x11-2.0.so.0(gtk\_main\_do\_event+0x2cb)\[0x7f8925dd133b\] /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0(+0x5acbc)\[0x7f8925a46cbc\] /lib/x86\_64-linux-gnu/libglib-2.0.so.0(g\_main\_context\_dispatch+0x2a7)\[0x7f892436c7f7\] /lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x4aa60)\[0x7f892436ca60\] /lib/x86\_64-linux-gnu/libglib-2.0.so.0(g\_main\_loop\_run+0xc2)\[0x7f892436cd82\] /usr/lib/x86\_64-linux-gnu/libgtk-x11-2.0.so.0(gtk\_main+0xb7)\[0x7f8925dd03b7\] eboard(+0x25cb2)\[0x55aeeb18fcb2\] /lib/x86\_64-linux-gnu/libc.so.6(\_\_libc\_start\_main+0xf1)\[0x7f8922fe62e1\] eboard(+0x2645a)\[0x55aeeb19045a\] === Memory map: 55aeeb16a000-55aeeb23 r-xp fe:01 1179928 /usr/games/eboard 55aeeb42f000-55aeeb433000 r--p 000c5000 fe:01 1179928 /usr/games/eboard 55aeeb433000-55aeeb43c000 rw-p 000c9000 fe:01 1179928 /usr/games/eboard 55aeeb43c000-55aeeb441000 rw-p 00:00 0 55aeec46d000-55aeec835000 rw-p 00:00 0 \[heap\] 7f891e2f5000-7f891e3f5000 rw-s 00:05 421101572 /SYSV (deleted) 7f891e3f5000-7f891e449000 r--p fe:01 1310053 /usr/share/fonts/truetype/dejavu/DejaVuSansMono.ttf 7f891e449000-7f891e46c000 rw-p 00:00 0 7f891e4af000-7f891e55c000 r--p fe:01 1310050 /usr/share/fonts/truetype/dejavu/DejaVuSans-Bold.ttf 7f891e55c000-7f891e615000 r--p fe:01 1310051 /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf 7f891e659000-7f891e6b9000 rw-s 00:05 419561475 /SYSV (deleted) 7f891e6b9000-7f891e6bf000 r-xp fe:01 1184048 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so 7f891e6bf000-7f891e8be000 ---p 6000 fe:01 1184048 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so 7f891e8be000-7f891e8bf000 r--p 5000 fe:01 1184048 
/usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so 7f891e8bf000-7f891e8c rw-p 6000 fe:01 1184048 /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so 7f891e8c-7f891e8c4000 r-xp fe:01 261221 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 7f891e8c4000-7f891eac3000 ---p 4000 fe:01 261221 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 7f891eac3000-7f891eac4000 r--p 3000 fe:01 261221 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 7f891eac4000-7f891eac5000 rw-p 4000 fe:01 261221