Debian Bug report logs - #371076
cfs: SIGSEGV on write


Package: cfs; Maintainer for cfs is (unknown);

Reported by: Carlo Contavalli <ccontavalli@commedia.it>

Date: Wed, 7 Jun 2006 15:51:11 UTC

Severity: important

Tags: patch

Found in versions cfs/1.4.1-16, 1.4.1-15

Fixed in versions cfs/1.4.1-17, cfs/1.4.1-15sarge1

Done: Gerrit Pape <pape@smarden.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#371076; Package cfs.

Acknowledgement sent to Carlo Contavalli <ccontavalli@commedia.it>:
New Bug report received and forwarded. Copy sent to Gerrit Pape <pape@smarden.org>.

Message #5 received at submit@bugs.debian.org:

From: Carlo Contavalli <ccontavalli@commedia.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cfs: SIGSEGV on write
Date: Wed, 07 Jun 2006 09:39:41 +0200
Package: cfs
Version: 1.4.1-16
Severity: important

Well, after a couple months, a couple days ago I just updated
the whole system. Still trying to understand which is the cause,
but when writing 'some files' cfsd crashes with a SIGSEGV 
and leaves my directory unusable. 

  I've been using cfsd for years now, and I don't believe the 
directory to be corrupted. The application causing the problem
is probably procmail.

By recompiling with nostrip,noopt, I get the following gdb backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x080507ab in dodecrypt (k=0x809f65c, s=0xafd48a10 "ml/\n\n", l=3031, salt=2147480632, vect=0x80b6170 "69e3f26d") at cfs_fh.c:358
358                             s[i+j] ^= k->secmask[(i+j+salt)%smsize];
(gdb) bt
#0  0x080507ab in dodecrypt (k=0x809f65c, s=0xafd48a10 "ml/\n\n", l=3031, salt=2147480632, vect=0x80b6170 "69e3f26d") at cfs_fh.c:358
#1  0x0804ff07 in writeblock (
    blk=0x80b6608 "From ccontavalli  Wed Jun  7 09:23:54 2006\nReturn-Path: <owner-postfix-users@postfix.org>\nDelivered-To: ccontavalli@commedia.it\nReceived: from mail.commedia.it [83.103.103.151]\n\tby localhost.localdoma"..., fd=4, offset=2147480637, len=3010, key=0x809f65c, vect=0x80b6170 "69e3f26d")
    at cfs_fh.c:164
#2  0x0804e228 in nfsproc_write_2_svc (ap=0xafd4ab24, rp=0xafd4b110) at cfs_nfs.c:410
#3  0x0804bda1 in nfs_program_2 (rqstp=0xafd4b110, transp=0x809abf8) at nfsproto_svr.c:161
#4  0xa7ee797c in svc_getreq_common () from /lib/tls/libc.so.6
#5  0xa7ee75d1 in svc_getreq_poll () from /lib/tls/libc.so.6
#6  0xa7ee7f9e in svc_run () from /lib/tls/libc.so.6
#7  0x08049ade in main (argc=1, argv=0xafd4b274) at cfs.c:263
(gdb) p i
$1 = 3016
(gdb) p j
$2 = 1
(gdb)




-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages cfs depends on:
ii  libc6                         2.3.6-7    GNU C Library: Shared libraries
ii  nfs-kernel-server             1:1.0.7-17 Kernel NFS server support

cfs recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#371076; Package cfs.

Acknowledgement sent to 371076@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.

Message #10 received at 371076@bugs.debian.org:

From: Gerrit Pape <pape@smarden.org>
To: Carlo Contavalli <ccontavalli@commedia.it>, 371076@bugs.debian.org
Subject: Re: Bug#371076: cfs: SIGSEGV on write
Date: Mon, 12 Jun 2006 08:18:28 +0000
On Wed, Jun 07, 2006 at 09:39:41AM +0200, Carlo Contavalli wrote:
> Well, after a couple months, a couple days ago I just updated
> the whole system. Still trying to understand which is the cause,
> but when writing 'some files' cfsd crashes with a SIGSEGV 
> and leaves my directory unusable. 
> 
>   I've been using cfsd for years now, and I don't believe the 
> directory to be corrupted. The application causing the problem
> is probably procmail.

Hi Carlo, I tried to reproduce it, but failed to crash cfsd with
SIGSEGV.  Maybe it only happens with this specific file when written to
the directory.

Can you try to construct a simple test case to reproduce the crash, so
that I can start debugging?  I'm thinking of something like:

 cmkdir foo; cattach foo; cat somefile >/crypt/foo/bar;

makes cfsd crash.

Thanks, Gerrit.



Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#371076; Package cfs.

Acknowledgement sent to Carlo Contavalli <ccontavalli@commedia.it>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.

Message #15 received at 371076@bugs.debian.org:

From: Carlo Contavalli <ccontavalli@commedia.it>
To: 371076@bugs.debian.org
Subject: Re: Bug#371076: cfs: SIGSEGV on write
Date: Tue, 13 Jun 2006 00:24:04 +0200
On Mon, Jun 12, 2006 at 08:18:28AM +0000, Gerrit Pape wrote:
> On Wed, Jun 07, 2006 at 09:39:41AM +0200, Carlo Contavalli wrote:
> > Well, after a couple months, a couple days ago I just updated
> > the whole system. Still trying to understand which is the cause,
> > but when writing 'some files' cfsd crashes with a SIGSEGV 
> > and leaves my directory unusable. 
ok, I just had some time to investigate the problem. I've attached
the strace of the fetchmail process that caused the crash and
the strace of cfsd.

The problem is quite simple: I didn't realize one of the mailbox
files (a backup file) passed the 2.0G of size. So, the upgrade
of the system has nothing to do with the crash.

> Can you try to construct a simple test case to reproduce the crash, so
> that I can start debugging?  I'm thinking of something like:
sorry for the last report, but I really was in a hurry, didn't
have enough time to produce a test case, and was really scared
by the bug :)

Now, it is quite simple to reproduce: append some data to a 2.0G 
file under an encrypted mount, and you should see the crash.

I think the problem is in:

dodecrypt(k,s,l,salt,vect)
     cfskey *k;
     char *s;
     int l;
     int salt;
     char *vect;

where salt is used as an index in an array:

   s[i+j] ^= k->secmask[(i+j+salt)%smsize];

However, dodecrypt is almost always called with something like:

     dodecrypt(key,buf,iolen,begin,vect);

where begin is declared as:

     u_long begin;

so, if begin is greater than 2.0G (allowed for an unsigned long), 
dodecrypt gets a negative salt (int). The negative salt leads to 
a negative modulo to be calculated, underflowing secmask by a 
random amount of data which might be big, depending on smsize.

A quick and dirty fix would probably be to change:

dodecrypt(k,s,l,salt,vect)
     cfskey *k;
     char *s;
     int l;
     u_long salt;
     char *vect;

I don't have enough knowledge about NFS interfaces and 64 bits 
offset support when accessing files (lseek64, ...) to know if
that fix would just be enough, or would just "delay problems"
until the 4G limit is hit... for sure, the daemon shouldn't
read some random data from memory, and shouldn't crash, ...

Cheers,
Carlo

-- 
  GPG Fingerprint: 2383 7B14 4D08 53A4 2C1A CA29 9E98 5431 1A68 6975
                        -------------
A CONS is an object which cares.
		-- Bernie Greenberg.
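The index arithmetic Carlo describes above, worked through with the numbers from the gdb backtrace earlier in this report. This is an added example, not cfs's own code and not the patch attached to this bug: it models the i386 build (32-bit int and u_long, the architecture in the report), assumes a secmask length of 1024 because the real smsize is not shown in this log, and performs the u_long-to-int narrowing explicitly in a helper (wrap_to_int32) so that the demonstration itself has no undefined behaviour. One detail worth noticing from the frame on this page: salt (2147480632) is still a positive int there; it is i+j+salt (= 2147483649) that passes INT_MAX, so the int sum can wrap negative even before the offset itself reaches 2 GiB. An offset beyond 2 GiB gives a negative salt directly, which is the case the report describes; both are shown.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Length of k->secmask in cfs. The real smsize is not shown in the bug log,
 * so 1024 is an assumption made for this demonstration only. */
#define SMSIZE 1024

/* The crash was on i386, where both int and u_long are 32 bits. This helper
 * reproduces the u_long -> int narrowing (and the wrap of an int sum past
 * INT_MAX) as an explicit two's-complement reduction, so the demo stays
 * well defined on any host instead of relying on signed overflow. */
static int64_t wrap_to_int32(uint64_t v)
{
    uint64_t low = v & 0xFFFFFFFFull;
    return low >= 0x80000000ull ? (int64_t)low - 0x100000000LL : (int64_t)low;
}

/* Before the fix (cfs <= 1.4.1-16): dodecrypt() declares `int salt` but is
 * called with a u_long file offset, and evaluates
 *     k->secmask[(i+j+salt)%smsize]
 * in int arithmetic. C's % keeps the sign of the dividend, so once the sum
 * is negative the index points in front of secmask[]. */
int64_t secmask_index_before(uint64_t begin, int i, int j)
{
    int64_t salt = wrap_to_int32(begin);                    /* u_long -> int */
    int64_t sum  = wrap_to_int32((uint64_t)(salt + i + j)); /* int sum wraps */
    return sum % SMSIZE;
}

/* After the fix (cfs 1.4.1-17 / 1.4.1-15sarge1): salt is unsigned long, so
 * the sum is reduced modulo 2^32 and % always yields 0 <= index < smsize. */
uint32_t secmask_index_after(uint64_t begin, int i, int j)
{
    uint32_t salt = (uint32_t)begin;
    uint32_t sum  = salt + (uint32_t)i + (uint32_t)j;
    return sum % SMSIZE;
}

/* Would this index stay inside secmask[0 .. SMSIZE-1]? */
int index_in_bounds(int64_t idx)
{
    return idx >= 0 && idx < SMSIZE;
}

static void show(const char *what, uint64_t begin, int i, int j)
{
    int64_t  before = secmask_index_before(begin, i, j);
    uint32_t after  = secmask_index_after(begin, i, j);
    printf("%s: offset=%" PRIu64 " i+j=%d -> int salt: index %" PRId64
           " (%s); u_long salt: index %" PRIu32 "\n",
           what, begin, i + j, before,
           index_in_bounds(before) ? "in bounds" : "OUT OF BOUNDS", after);
}

int main(void)
{
    /* Values from the gdb frame in the report: salt=2147480632, i=3016, j=1.
     * salt is still positive, but i+j+salt = 2147483649 exceeds INT_MAX. */
    show("gdb frame   ", 2147480632ULL, 3016, 1);
    /* A constructed offset beyond 2 GiB: the salt itself is already negative
     * once narrowed to int, which is the case described in the report. */
    show("offset > 2G ", 3000000000ULL, 0, 1);
    /* A small offset behaves identically before and after the fix. */
    show("small offset", 1000ULL, 5, 2);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the first two lines show a negative index (a read in front of secmask, the SIGSEGV in the backtrace) with `int salt` and a small in-range index with `unsigned long salt`. The fix makes the index well defined for any 32-bit offset; what it does not address is Carlo's question about offsets at or beyond 4 GiB, which depends on how the NFS offset reaches writeblock() and is outside what this log shows.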



Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#371076; Package cfs.

Acknowledgement sent to 371076@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.

Message #20 received at 371076@bugs.debian.org:

From: Gerrit Pape <pape@smarden.org>
To: Carlo Contavalli <ccontavalli@commedia.it>, 371076@bugs.debian.org
Subject: Re: Bug#371076: cfs: SIGSEGV on write
Date: Mon, 10 Jul 2006 09:38:29 +0000
tags 371076 + patch
quit

On Tue, Jun 13, 2006 at 12:24:04AM +0200, Carlo Contavalli wrote:
> The problem is quite simple: I didn't realize one of the mailbox
> files (a backup file) passed the 2.0G of size. So, the upgrade
> of the system has nothing to do with the crash.

> Now, it is quite simple to reproduce: append some data to a 2.0G 
> file under an encrypted mount, and you should see the crash.

Thanks Carlo, I can reproduce it now just fine.

> I think the problem is in:
> 
> dodecrypt(k,s,l,salt,vect)
>      cfskey *k;
>      char *s;
>      int l;
>      int salt;
>      char *vect;
> 
> where salt is used as an index in an array:
> 
>    s[i+j] ^= k->secmask[(i+j+salt)%smsize];
> 
> However, dodecrypt is almost always called with something like:
> 
>      dodecrypt(key,buf,iolen,begin,vect);
> 
> where begin is declared as:
> 
>      u_long begin;
> 
> so, if begin is greater than 2.0G (allowed for an unsigned long), 
> dodecrypt gets a negative salt (int). The negative salt leads to 
> a negative modulo to be calculated, underflowing secmask by a 
> random amount of data which might be big, depending on smsize.
> 
> A quick and dirty fix would probably be to change:
> 
> dodecrypt(k,s,l,salt,vect)
>      cfskey *k;
>      char *s;
>      int l;
>      u_long salt;
>      char *vect;

Yes, your analysis is correct IMO.

> I don't have enough knowledge about NFS interfaces and 64 bits 
> offset support when accessing files (lseek64, ...) to know if
> that fix would just be enough, or would just "delay problems"
> until the 4G limit is hit... for sure, the daemon shouldn't
> read some random data from memory, and shouldn't crash, ...

I suggest this patch based on your suggestion, it fixes the problem you
report.  On my sid system, I wasn't able to create a file greater than
2GB in a crypted directory anyway, due to EFBIG.

Thanks, Gerrit.
[diff (text/plain, attachment)]

Tags added: patch Request was from Gerrit Pape <pape@smarden.org> to control@bugs.debian.org.

Reply sent to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.

Notification sent to Carlo Contavalli <ccontavalli@commedia.it>:
Bug acknowledged by developer.

Message #27 received at 371076-close@bugs.debian.org:

From: Gerrit Pape <pape@smarden.org>
To: 371076-close@bugs.debian.org
Subject: Bug#371076: fixed in cfs 1.4.1-17
Date: Tue, 11 Jul 2006 14:32:11 -0700
Source: cfs
Source-Version: 1.4.1-17

We believe that the bug you reported is fixed in the latest version of
cfs, which is due to be installed in the Debian FTP archive:

cfs_1.4.1-17.diff.gz
  to pool/main/c/cfs/cfs_1.4.1-17.diff.gz
cfs_1.4.1-17.dsc
  to pool/main/c/cfs/cfs_1.4.1-17.dsc
cfs_1.4.1-17_powerpc.deb
  to pool/main/c/cfs/cfs_1.4.1-17_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 371076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated cfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 11 Jul 2006 21:01:11 +0000
Source: cfs
Binary: cfs
Architecture: source powerpc
Version: 1.4.1-17
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description: 
 cfs        - Cryptographic Filesystem
Closes: 371076
Changes: 
 cfs (1.4.1-17) unstable; urgency=high
 .
   * cfs_fh.c: doencrypt(), dodecrypt(): make salt unsigned long, not int,
     as so the functions are called in read/writeblock(), de/encryptname()
     (fixes SIGSEGV due to integer overflow, thx Carlo Contavalli, closes:
     #371076).
Files: 
 f2ac8a8561ed84041c3fbcccc2f3ba6a 510 utils optional cfs_1.4.1-17.dsc
 7679881e36a9b643f2f13bae4f6180f3 18581 utils optional cfs_1.4.1-17.diff.gz
 b57833664e8011bbdabb039f68b6beef 214340 utils optional cfs_1.4.1-17_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEtBf7GJoyQbxwpv8RAkGTAKCSYSGFTlLOX0el42TmYEi3Y7jhswCfUvX+
L+E3b/h0aPK1ChOCZsqJXiA=
=NVHt
-----END PGP SIGNATURE-----




Bug marked as found in version 1.4.1-15. Request was from Gerrit Pape <pape@smarden.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#371076; Package cfs.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.

Message #34 received at 371076@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: 371076@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: cfs SIGSEGV
Date: Tue, 1 Aug 2006 21:14:00 +0200
Please use CVE-2006-3123 for this issue.

Gerrit, please mention it in the proper changelog entry when you're
uploading the next package anyway.

Regards,

	Joey

-- 
This is GNU/Linux Country.  On a quiet night, you can hear Windows reboot.

Please always Cc to me when replying to me on the lists.



Reply sent to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.

Notification sent to Carlo Contavalli <ccontavalli@commedia.it>:
Bug acknowledged by developer.

Message #39 received at 371076-close@bugs.debian.org:

From: Gerrit Pape <pape@smarden.org>
To: 371076-close@bugs.debian.org
Subject: Bug#371076: fixed in cfs 1.4.1-15sarge1
Date: Wed, 30 Aug 2006 23:01:41 -0700
Source: cfs
Source-Version: 1.4.1-15sarge1

We believe that the bug you reported is fixed in the latest version of
cfs, which is due to be installed in the Debian FTP archive:

cfs_1.4.1-15sarge1.diff.gz
  to pool/main/c/cfs/cfs_1.4.1-15sarge1.diff.gz
cfs_1.4.1-15sarge1.dsc
  to pool/main/c/cfs/cfs_1.4.1-15sarge1.dsc
cfs_1.4.1-15sarge1_i386.deb
  to pool/main/c/cfs/cfs_1.4.1-15sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 371076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated cfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 14 Jul 2006 21:15:07 +0000
Source: cfs
Binary: cfs
Architecture: source i386
Version: 1.4.1-15sarge1
Distribution: stable-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description: 
 cfs        - Cryptographic Filesystem
Closes: 371076
Changes: 
 cfs (1.4.1-15sarge1) stable-security; urgency=high
 .
   * cfs_fh.c: doencrypt(), dodecrypt(): make salt unsigned long, not int,
     as so the functions are called in read/writeblock(), de/encryptname()
     (fixes SIGSEGV due to integer overflow, thx Carlo Contavalli, closes:
     #371076).
Files: 
 460ec2da0664857b55354a40aaf71961 520 utils optional cfs_1.4.1-15sarge1.dsc
 3ce2e01211dafe7bfb44849894926eda 98376 utils optional cfs_1.4.1.orig.tar.gz
 c9d5f2c91ee97c8c5b694da6806c0d24 18505 utils optional cfs_1.4.1-15sarge1.diff.gz
 e1fdcfb68fe51980f0540da732881b95 185708 utils optional cfs_1.4.1-15sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEz5W1Xm3vHE4uyloRAsETAJ0YZtoGGQn55ta4yTTXEw9OL+MZDQCdFjJ6
JNAicWcgCvbNieiFr6hNVUw=
=WDn7
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:50:14 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:51:09 2014; Machine Name: beach.debian.org
