Debian Bug report logs - #56955
Bad buffers in memstat

Package: memstat; Maintainer for memstat is Michael Meskes <meskes@debian.org>; Source for memstat is src:memstat.

Reported by: cphipps@doomworld.com

Date: Thu, 3 Feb 2000 20:18:01 UTC

Severity: normal

Tags: security

Found in version 0.2

Done: Bernd Eckenfels <ecki@lina.inka.de>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>:
Bug#56955; Package memstat. Full text and rfc822 format available.

Acknowledgement sent to Colin Phipps <crp22@cam.ac.uk>:
New Bug report received and forwarded. Copy sent to Bernd Eckenfels <ecki@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Colin Phipps <crp22@cam.ac.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bad buffers in memstat
Date: Thu, 03 Feb 2000 20:05:22 +0000
Package: memstat
Version: 0.2
Severity: normal

memstat parses the /proc/<pid>/maps files into static buffers in memory.
Programs running from a deep directory tree will overflow these buffers.
Potentially, since a malicious user could create directory trees this length
with funny characters etc, this could be a security problem; however I was
not able to trigger any such.

At the very least, very long paths cause memstat to fail:

cph@crp22:/home/cph/Mail% memstat
I don't recognize format of /proc/*/maps.

(that's running a program from a directory with name of ~2000 characters)

/usr/include/linux/limits.h:#define PATH_MAX        4095	/* # chars in a path name */

-- System Information
Debian Release: woody
Architecture: i386
Kernel: Linux crp22 2.2.15pre5-cph1 #4 Fri Jan 28 20:21:15 GMT 2000 i686

Versions of packages memstat depends on:
ii  libc6                         2.1.2-12   GNU C Library: Shared libraries an



Bug closed, send any further explanations to Colin Phipps <crp22@cam.ac.uk> Request was from Colin Phipps <cphipps@doomworld.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reopened, originator set to cphipps@doomworld.com. Request was from Colin Phipps <cphipps@doomworld.com> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security Request was from Colin Phipps <cphipps@doomworld.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bernd Eckenfels <ecki@debian.org>, memstat@packages.qa.debian.org:
Bug#56955; Package memstat. Full text and rfc822 format available.

Acknowledgement sent to Tom Milford <t-milford@northwestern.edu>:
Extra info received and forwarded to list. Copy sent to Bernd Eckenfels <ecki@debian.org>, memstat@packages.qa.debian.org. Full text and rfc822 format available.

Message #16 received at 56955@bugs.debian.org (full text, mbox):

From: Tom Milford <tjm313@merle.it.northwestern.edu>
To: Colin Phipps <crp22@cam.ac.uk>, Bernd Eckenfels <ecki@debian.org>
Subject: Re: Bad buffers in memstat - bug report #56955
Date: Thu, 11 Jul 2002 18:07:10 -0500 (CDT)
> From: Colin Phipps <crp22@cam.ac.uk>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Subject: Bad buffers in memstat
> X-Reportbug-Version: ##VERSION##
> X-Mailer: reportbug ##VERSION##
> Date: Thu, 03 Feb 2000 20:05:22 +0000
> Message-Id: <E12GSVG-0001kr-00@crp22.trin.cam.ac.uk>
> 
> Package: memstat
> Version: 0.2
> Severity: normal
> 
> memstat parses the /proc/<pid>/maps files into static buffers in memory.
> Programs running from a deep directory tree will overflow these buffers.
> Potentially, since a malicious user could create directory trees this
> length
> with funny characters etc, this could be a security problem; however I was
> not able to trigger any such.
> 
> At the very least, very long paths cause memstat to fail:
> 
> cph@crp22:/home/cph/Mail% memstat
> I don't recognize format of /proc/*/maps.
> 
> (that's running a program from a directory with name of ~2000 characters)
> 
> /usr/include/linux/limits.h:#define PATH_MAX        4095	/* # chars in a path name */
> 
> -- System Information
> Debian Release: woody
> Architecture: i386
> Kernel: Linux crp22 2.2.15pre5-cph1 #4 Fri Jan 28 20:21:15 GMT 2000 i686
> 
> Versions of packages memstat depends on:
> ii  libc6                         2.1.2-12   GNU C Library: Shared libraries an

Greetings,

On my system (details below) this is not exploitable because any
characters written into path past its length are written back into the
buff variable!  This became evident when I directly fed the sscanf call a
buff containing a very long path name and saw overflow into buff with gdb.

However, I'd recommend patching this code in case another platform does
the alignment differently and to alleviate the "I don't recognize the
format of /proc/*/maps" failure.

BTW, this is my first response to a Debian bug, so please forgive errors
in protocol.

Thanks,
Tom Milford

--- memstat-0.2/memstat.c	Sat Nov 20 12:12:22 1999
+++ memstat_patch/memstat.c	Wed Jul 10 23:26:04 2002
@@ -56,7 +56,7 @@
 void read_proc()
 {
   unsigned int nread, pid, lo, hi, offs; unsigned long inode; char *p;
-  char dummy[80], dev[80], buff[2048], path[1024];
+  char dummy[80], dev[80], buff[PATH_MAX + 300], path[PATH_MAX];
   DIR *d; struct dirent *ent; FILE *f;
   mapping m;
   d = opendir("/proc"); 
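Review bot: enlarging `buff` and `path` in the `char dummy[80], dev[80], buff[PATH_MAX + 300], path[PATH_MAX];` line moves the limit rather than removing it. `path` is still a fixed array filled by an `sscanf` `%s` (the call itself is outside this hunk), so that conversion needs a width bounded by `sizeof path - 1`, or a length check on the line before the copy, so that a maps entry longer than PATH_MAX is truncated or rejected instead of written past the array; the same applies to whatever read fills `buff`, and `dummy[80]` and `dev[80]` are left at 80 although `sscanf` fills them too. Also confirm `PATH_MAX` is in scope at this point, since the hunk shows no added `#include <limits.h>`.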

-- System Information
Debian release: Woody
Architecture: i386
Kernel: Linux zossima 2.4.17 #4 Thu Jul 4 16:04:11 CDT 2002 i686 unknown
gcc version 2.95.4 20011002 (Debian prerelease)
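A bounded parser for /proc/<pid>/maps lines, added here as an example to go with the overflow described in the original report and the unbounded sscanf call Tom mentions; this is not memstat's code and not the patch above. Every %s conversion carries a width, the path is copied under an explicit length check that reports truncation instead of overflowing, and lines are read with getline() rather than a fixed buff[]; the maps_entry struct and parse_maps_line() are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L              /* for getline() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example; not memstat's own mapping type. */
typedef struct {
    unsigned long lo, hi, offs, inode;
    char perms[5], dev[16], path[PATH_MAX];
} maps_entry;

/* Parse one /proc/<pid>/maps line. Every %s carries a width so it cannot
 * write past its field, and the path is copied under an explicit bound.
 * Returns 1 on success, 0 on format mismatch, -1 if the path was truncated. */
static int parse_maps_line(const char *line, maps_entry *e)
{
    int used = 0, rc = 1;
    const char *p;
    size_t len;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n", &e->lo, &e->hi, e->perms,
               &e->offs, e->dev, &e->inode, &used) != 6)
        return 0;
    p = line + used;
    while (*p == ' ' || *p == '\t') p++;      /* maps pads before the path */
    len = strcspn(p, "\n");
    if (len >= sizeof e->path) { len = sizeof e->path - 1; rc = -1; }
    memcpy(e->path, p, len);
    e->path[len] = '\0';
    return rc;
}

int main(void)
{
    /* Read the caller's own map with getline(), which grows its buffer as
     * needed instead of trusting a fixed-size line buffer. */
    FILE *f = fopen("/proc/self/maps", "r");
    char *line = NULL; size_t cap = 0; maps_entry e; int ok = 0, cut = 0;
    if (!f) { perror("/proc/self/maps"); return 1; }
    while (getline(&line, &cap, f) != -1) {
        int rc = parse_maps_line(line, &e);
        if (rc == 1) ok++; else if (rc == -1) cut++;
    }
    free(line); fclose(f);
    printf("%d mappings parsed, %d paths truncated\n", ok, cut);
    return 0;
}
```

A path of ~2000 characters, as in the report, parses fine; one longer than PATH_MAX is truncated and flagged with -1 rather than overrunning the array.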

Reply sent to Bernd Eckenfels <ecki@lina.inka.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to cphipps@doomworld.com:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #21 received at 56955-done@bugs.debian.org (full text, mbox):

From: Bernd Eckenfels <ecki@lina.inka.de>
To: 56955-done@bugs.debian.org
Subject: fixed in memstat 0.4
Date: Fri, 12 Jul 2002 06:41:28 +0200
uploaded right now

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 22:01:21 2014; Machine Name: beach.debian.org