Report forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#371076; Package cfs.
Acknowledgement sent to Carlo Contavalli <ccontavalli@commedia.it>:
New Bug report received and forwarded. Copy sent to Gerrit Pape <pape@smarden.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cfs: SIGSEGV on write
Date: Wed, 07 Jun 2006 09:39:41 +0200
Package: cfs
Version: 1.4.1-16
Severity: important
Well, after a couple months, a couple days ago I just updated
the whole system. Still trying to understand which is the cause,
but when writing 'some files' cfsd crashes with a SIGSEGV
and leaves my directory unusable.
I've been using cfsd for years now, and I don't believe the
directory to be corrupted. The application causing the problem
is probably procmail.
By recompiling with nostrip,noopt, I get the following gdb backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x080507ab in dodecrypt (k=0x809f65c, s=0xafd48a10 "ml/\n\n", l=3031, salt=2147480632, vect=0x80b6170 "69e3f26d") at cfs_fh.c:358
358 s[i+j] ^= k->secmask[(i+j+salt)%smsize];
(gdb) bt
#0 0x080507ab in dodecrypt (k=0x809f65c, s=0xafd48a10 "ml/\n\n", l=3031, salt=2147480632, vect=0x80b6170 "69e3f26d") at cfs_fh.c:358
#1 0x0804ff07 in writeblock (
blk=0x80b6608 "From ccontavalli Wed Jun 7 09:23:54 2006\nReturn-Path: <owner-postfix-users@postfix.org>\nDelivered-To: ccontavalli@commedia.it\nReceived:
from mail.commedia.it [83.103.103.151]\n\tby localhost.localdoma"..., fd=4, offset=2147480637, len=3010, key=0x809f65c, vect=0x80b6170 "69e3f26d")
at cfs_fh.c:164
#2 0x0804e228 in nfsproc_write_2_svc (ap=0xafd4ab24, rp=0xafd4b110) at cfs_nfs.c:410
#3 0x0804bda1 in nfs_program_2 (rqstp=0xafd4b110, transp=0x809abf8) at nfsproto_svr.c:161
#4 0xa7ee797c in svc_getreq_common () from /lib/tls/libc.so.6
#5 0xa7ee75d1 in svc_getreq_poll () from /lib/tls/libc.so.6
#6 0xa7ee7f9e in svc_run () from /lib/tls/libc.so.6
#7 0x08049ade in main (argc=1, argv=0xafd4b274) at cfs.c:263
(gdb) p i
$1 = 3016
(gdb) p j
$2 = 1
(gdb)
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages cfs depends on:
ii libc6 2.3.6-7 GNU C Library: Shared libraries
ii nfs-kernel-server 1:1.0.7-17 Kernel NFS server support
cfs recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#371076; Package cfs.
Acknowledgement sent to 371076@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
To: Carlo Contavalli <ccontavalli@commedia.it>, 371076@bugs.debian.org
Subject: Re: Bug#371076: cfs: SIGSEGV on write
Date: Mon, 12 Jun 2006 08:18:28 +0000
On Wed, Jun 07, 2006 at 09:39:41AM +0200, Carlo Contavalli wrote:
> Well, after a couple months, a couple days ago I just updated
> the whole system. Still trying to understand which is the cause,
> but when writing 'some files' cfsd crashes with a SIGSEGV
> and leaves my directory unusable.
>
> I've been using cfsd for years now, and I don't believe the
> directory to be corrupted. The application causing the problem
> is probably procmail.
Hi Carlo, I tried to reproduce it, but failed to crash cfsd with
SIGSEGV. Maybe it only happens with this specific file when written to
the directory.
Can you try to construct a simple test case to reproduce the crash, so
that I can start debugging? I'm thinking of something like:
cmkdir foo; cattach foo; cat somefile >/crypt/foo/bar;
makes cfsd crash.
Thanks, Gerrit.
Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#371076; Package cfs.
Acknowledgement sent to Carlo Contavalli <ccontavalli@commedia.it>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
On Mon, Jun 12, 2006 at 08:18:28AM +0000, Gerrit Pape wrote:
> On Wed, Jun 07, 2006 at 09:39:41AM +0200, Carlo Contavalli wrote:
> > Well, after a couple months, a couple days ago I just updated
> > the whole system. Still trying to understand which is the cause,
> > but when writing 'some files' cfsd crashes with a SIGSEGV
> > and leaves my directory unusable.
ok, I just had some time to investigate the problem. I've attached
the strace of the fetchmail process that caused the crash and
the strace of cfsd.
The problem is quite simple: I didn't realize one of the mailbox
files (a backup file) passed the 2.0G of size. So, the upgrade
of the system has nothing to do with the crash.
> Can you try to construct a simple test case to reproduce the crash, so
> that I can start debugging? I'm thinking of something like:
sorry for the last report, but I really was in a hurry, didn't
have enough time to produce a test case, and was really scared
by the bug :)
Now, it is quite simple to reproduce: append some data to a 2.0G
file under an encrypted mount, and you should see the crash.
I think the problem is in:
dodecrypt(k,s,l,salt,vect)
cfskey *k;
char *s;
int l;
int salt;
char *vect;
where salt is used as an index in an array:
s[i+j] ^= k->secmask[(i+j+salt)%smsize];
However, dodecrypt is almost always called with something like:
dodecrypt(key,buf,iolen,begin,vect);
where begin is declared as:
u_long begin;
so, if begin is greater than 2.0G (allowed for an unsigned long),
dodecrypt gets a negative salt (int). The negative salt leads to
a negative module to be calculated, underflowing secmask by a
random amount of data which might be big, depending on smsize.
A quick and dirty fix would probably be to change:
dodecrypt(k,s,l,salt,vect)
cfskey *k;
char *s;
int l;
u_long salt;
char *vect;
I don't have enough knowledge about NFS interfaces and 64 bits
offset support when accessing files (lseek64, ...) to know if
that fix would just be enough, or would just "delay problems"
until the 4G limit is hit... for sure, the daemon shouldn't
read some random data from memory, and shouldn't crash, ...
Cheers,
Carlo
--
GPG Fingerprint: 2383 7B14 4D08 53A4 2C1A CA29 9E98 5431 1A68 6975
-------------
A CONS is an object which cares.
-- Bernie Greenberg.
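The analysis in the message above (an `int salt` receiving a `u_long` offset, a negative remainder from `%`, and `secmask` indexed before its start) can be checked numerically. The following is an added example, not cfs's code and not part of the report: it models only the index expression quoted from cfs_fh.c:358 before and after the type change. Assumed for the demonstration: `SMSIZE` is a constructed 256 (the real smsize is not on this page), the inner `j` loop is collapsed to `j=0` in the counting helper, and 32-bit wrap-around is emulated arithmetically so that the demonstration itself contains no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed mask size for this demonstration; the real smsize used by cfs
 * is not given in the bug report. A power of two keeps the hand arithmetic
 * easy to follow. */
#define SMSIZE 256

/* Reduce a 64-bit value to what a two's-complement 32-bit int holds after
 * wrap-around. Done arithmetically so the demonstration has no undefined
 * behaviour of its own (signed overflow in C is undefined, which is exactly
 * why the pre-fix expression cannot be reasoned about portably). */
static int32_t wrap_to_int32(int64_t v)
{
    const int64_t two32 = (int64_t)1 << 32;
    v %= two32;
    if (v < 0)
        v += two32;                 /* now 0 <= v < 2^32 */
    if (v >= ((int64_t)1 << 31))
        v -= two32;                 /* [2^31, 2^32) -> [-2^31, 0) */
    return (int32_t)v;
}

/* Model of the pre-fix expression (i+j+salt)%smsize with `int salt`
 * receiving the u_long file offset `begin`: the conversion and the addition
 * both happen in 32-bit signed arithmetic, and C's % keeps the sign of the
 * dividend, so the result can be negative, i.e. an index before secmask[0]. */
int32_t prefix_mask_index(unsigned long begin, int i, int j)
{
    int32_t salt = wrap_to_int32((int64_t)begin);        /* u_long -> int */
    int32_t sum  = wrap_to_int32((int64_t)i + j + salt); /* int + int + int */
    return sum % SMSIZE;
}

/* Model of the fixed expression with `unsigned long salt`: the sum is
 * unsigned, so the remainder is always in [0, SMSIZE). */
unsigned long fixed_mask_index(unsigned long begin, int i, int j)
{
    unsigned long salt = begin;
    return ((unsigned long)i + (unsigned long)j + salt) % SMSIZE;
}

/* Number of byte positions (j fixed at 0) in an l-byte block at offset
 * `begin` for which the pre-fix computation leaves the mask array. */
int count_out_of_bounds(unsigned long begin, int l)
{
    int bad = 0;
    for (int i = 0; i < l; i++) {
        int32_t idx = prefix_mask_index(begin, i, 0);
        if (idx < 0 || idx >= SMSIZE)
            bad++;
    }
    return bad;
}

/* Fixed-style masking of a buffer: every index comes from fixed_mask_index,
 * so no access can leave secmask whatever the offset is. */
void xor_with_mask(unsigned char *s, int l, unsigned long begin,
                   const unsigned char secmask[SMSIZE])
{
    for (int i = 0; i < l; i++)
        s[i] ^= secmask[fixed_mask_index(begin, i, 0)];
}

/* Self-check with a constructed mask secmask[k] = k: masking an all-zero
 * buffer at offset `begin` must yield the mask indices themselves, and
 * masking twice must restore the zeros. Returns 1 on success. */
int fixed_roundtrip_ok(unsigned long begin)
{
    unsigned char secmask[SMSIZE];
    unsigned char buf[8] = {0};
    for (int k = 0; k < SMSIZE; k++)
        secmask[k] = (unsigned char)k;
    xor_with_mask(buf, 8, begin, secmask);
    for (int i = 0; i < 8; i++)
        if (buf[i] != (unsigned char)fixed_mask_index(begin, i, 0))
            return 0;
    xor_with_mask(buf, 8, begin, secmask);
    for (int i = 0; i < 8; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    /* Values taken from the backtrace in the report: salt=2147480632,
     * i=3016, j=1 at the faulting line. */
    printf("pre-fix index: %d\n", (int)prefix_mask_index(2147480632UL, 3016, 1));
    printf("fixed index:   %lu\n", fixed_mask_index(2147480632UL, 3016, 1));
    printf("out-of-bounds positions in the 3031-byte block: %d\n",
           count_out_of_bounds(2147480632UL, 3031));
    return 0;
}
```

Two things the numbers make visible that the prose leaves implicit: with the backtrace's own values the offset is still below 2 GiB, so it is the addition `i+j+salt`, not the `u_long`-to-`int` conversion, that crosses INT_MAX and turns the remainder negative; and with an offset above 2 GiB the conversion alone already does it. Making salt `unsigned long` removes both paths; on a 32-bit build the sum still wraps at 4 GiB, which changes the mask position but can never produce an index outside `[0, smsize)`, which is the "delay problems" distinction drawn above.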
Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#371076; Package cfs.
Acknowledgement sent to 371076@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
tags 371076 + patch
quit
On Tue, Jun 13, 2006 at 12:24:04AM +0200, Carlo Contavalli wrote:
> The problem is quite simple: I didn't realize one of the mailbox
> files (a backup file) passed the 2.0G of size. So, the upgrade
> of the system has nothing to do with the crash.
> Now, it is quite simple to reproduce: append some data to a 2.0G
> file under an encrypted mount, and you should see the crash.
Thanks Carlo, I can reproduce it now just fine.
> I think the problem is in:
>
> dodecrypt(k,s,l,salt,vect)
> cfskey *k;
> char *s;
> int l;
> int salt;
> char *vect;
>
> where salt is used as an index in an array:
>
> s[i+j] ^= k->secmask[(i+j+salt)%smsize];
>
> However, dodecrypt is almost always called with something like:
>
> dodecrypt(key,buf,iolen,begin,vect);
>
> where begin is declared as:
>
> u_long begin;
>
> so, if begin is greater than 2.0G (allowed for an unsigned long),
> dodecrypt gets a negative salt (int). The negative salt leads to
> a negative module to be calculated, underflowing secmask by a
> random amount of data which might be big, depending on smsize.
>
> A quick and dirty fix would probably be to change:
>
> dodecrypt(k,s,l,salt,vect)
> cfskey *k;
> char *s;
> int l;
> u_long salt;
> char *vect;
Yes, your analysis is correct IMO.
> I don't have enough knowledge about NFS interfaces and 64 bits
> offset support when accessing files (lseek64, ...) to know if
> that fix would just be enough, or would just "delay problems"
> until the 4G limits is hit... for sure, the daemon shouldn't
> read some random data from memory, and shouldn't crash, ...
I suggest this patch based on your suggestion, it fixes the problem you
report. On my sid system, I wasn't able to create a file greater than
2GB in a crypted directory anyway, due to EFBIG.
Thanks, Gerrit.
Source: cfs
Source-Version: 1.4.1-17
We believe that the bug you reported is fixed in the latest version of
cfs, which is due to be installed in the Debian FTP archive:
cfs_1.4.1-17.diff.gz
to pool/main/c/cfs/cfs_1.4.1-17.diff.gz
cfs_1.4.1-17.dsc
to pool/main/c/cfs/cfs_1.4.1-17.dsc
cfs_1.4.1-17_powerpc.deb
to pool/main/c/cfs/cfs_1.4.1-17_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 371076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated cfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 11 Jul 2006 21:01:11 +0000
Source: cfs
Binary: cfs
Architecture: source powerpc
Version: 1.4.1-17
Distribution: unstable
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description:
cfs - Cryptographic Filesystem
Closes: 371076
Changes:
cfs (1.4.1-17) unstable; urgency=high
.
* cfs_fh.c: doencrypt(), dodecrypt(): make salt unsigned long, not int,
as so the functions are called in read/writeblock(), de/encryptname()
(fixes SIGSEGV due to integer overflow, thx Carlo Contavalli, closes:
#371076).
Files:
f2ac8a8561ed84041c3fbcccc2f3ba6a 510 utils optional cfs_1.4.1-17.dsc
7679881e36a9b643f2f13bae4f6180f3 18581 utils optional cfs_1.4.1-17.diff.gz
b57833664e8011bbdabb039f68b6beef 214340 utils optional cfs_1.4.1-17_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEtBf7GJoyQbxwpv8RAkGTAKCSYSGFTlLOX0el42TmYEi3Y7jhswCfUvX+
L+E3b/h0aPK1ChOCZsqJXiA=
=NVHt
-----END PGP SIGNATURE-----
Bug marked as found in version 1.4.1-15.
Request was from Gerrit Pape <pape@smarden.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>: Bug#371076; Package cfs.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>.
Please use CVE-2006-3123 for this issue.
Gerrit, please mention it in the proper changelog entry when you're
uploading the next package anyway.
Regards,
Joey
--
This is GNU/Linux Country. On a quiet night, you can hear Windows reboot.
Please always Cc to me when replying to me on the lists.
Reply sent to Gerrit Pape <pape@smarden.org>:
You have taken responsibility.
Notification sent to Carlo Contavalli <ccontavalli@commedia.it>:
Bug acknowledged by developer.
Source: cfs
Source-Version: 1.4.1-15sarge1
We believe that the bug you reported is fixed in the latest version of
cfs, which is due to be installed in the Debian FTP archive:
cfs_1.4.1-15sarge1.diff.gz
to pool/main/c/cfs/cfs_1.4.1-15sarge1.diff.gz
cfs_1.4.1-15sarge1.dsc
to pool/main/c/cfs/cfs_1.4.1-15sarge1.dsc
cfs_1.4.1-15sarge1_i386.deb
to pool/main/c/cfs/cfs_1.4.1-15sarge1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 371076@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gerrit Pape <pape@smarden.org> (supplier of updated cfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 14 Jul 2006 21:15:07 +0000
Source: cfs
Binary: cfs
Architecture: source i386
Version: 1.4.1-15sarge1
Distribution: stable-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Gerrit Pape <pape@smarden.org>
Description:
cfs - Cryptographic Filesystem
Closes: 371076
Changes:
cfs (1.4.1-15sarge1) stable-security; urgency=high
.
* cfs_fh.c: doencrypt(), dodecrypt(): make salt unsigned long, not int,
as so the functions are called in read/writeblock(), de/encryptname()
(fixes SIGSEGV due to integer overflow, thx Carlo Contavalli, closes:
#371076).
Files:
460ec2da0664857b55354a40aaf71961 520 utils optional cfs_1.4.1-15sarge1.dsc
3ce2e01211dafe7bfb44849894926eda 98376 utils optional cfs_1.4.1.orig.tar.gz
c9d5f2c91ee97c8c5b694da6806c0d24 18505 utils optional cfs_1.4.1-15sarge1.diff.gz
e1fdcfb68fe51980f0540da732881b95 185708 utils optional cfs_1.4.1-15sarge1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEz5W1Xm3vHE4uyloRAsETAJ0YZtoGGQn55ta4yTTXEw9OL+MZDQCdFjJ6
JNAicWcgCvbNieiFr6hNVUw=
=WDn7
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 14:50:14 GMT)