buffer overflow in bb-rep.cgi

Dewey Sasser dewey at sasser.com
Fri Jul 24 16:58:31 CEST 2009


I have 3 xymon installations, all 4.3.0 beta 2.

One of them cannot generate an availability report.  I tried 4.2.3 and
got the same symptom (though didn't collect as much data).

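Here is the cgierror.log file and an strace of the bb-rep.cgi run from
4.3.0.  The backtrace shows glibc's fortify check (__sprintf_chk)
aborting bb-rep.cgi inside one of its own sprintf calls, and in the
strace the abort comes shortly after the report directory is created.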

Note:  I did just add a custom graph to this server and that line
appears suspiciously in the strace, but when I take it out I get the
same behavior.

Other info:

OS:  Ubuntu 9.04 (Jaunty), fully up to date

Any help appreciated.

Thanks,

--
Dewey



cgierror.log:

    *** buffer overflow detected ***: /home/hobbit/server/bin/bb-rep.cgi
    terminated
    ======= Backtrace: =========
    /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f8fda8]
    /lib/tls/i686/cmov/libc.so.6[0xb7f8deb0]
    /lib/tls/i686/cmov/libc.so.6[0xb7f8d5a8]
    /lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0xc8)[0xb7effbb8]
    /lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0xf4c)[0xb7ed277c]
    /lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xa4)[0xb7f8d654]
    /lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb7f8d59d]
    /home/hobbit/server/bin/bb-rep.cgi[0x804a919]
    /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7ea8775]
    /home/hobbit/server/bin/bb-rep.cgi[0x8049bd1]
    ======= Memory map: ========
    08048000-08061000 r-xp 00000000 fc:00 75049     
    /home/hobbit/server/bin/bb-rep.cgi
    08061000-08062000 r--p 00018000 fc:00 75049     
    /home/hobbit/server/bin/bb-rep.cgi
    08062000-08063000 rw-p 00019000 fc:00 75049     
    /home/hobbit/server/bin/bb-rep.cgi
    086bf000-086e0000 rw-p 086bf000 00:00 0          [heap]
    b7e63000-b7e70000 r-xp 00000000 fc:00 43991      /lib/libgcc_s.so.1
    b7e70000-b7e71000 r--p 0000c000 fc:00 43991      /lib/libgcc_s.so.1
    b7e71000-b7e72000 rw-p 0000d000 fc:00 43991      /lib/libgcc_s.so.1
    b7e78000-b7e79000 rw-p b7e78000 00:00 0
    b7e79000-b7e8e000 r-xp 00000000 fc:00 44189     
    /lib/tls/i686/cmov/libpthread-2.9.so
    b7e8e000-b7e8f000 r--p 00014000 fc:00 44189     
    /lib/tls/i686/cmov/libpthread-2.9.so
    b7e8f000-b7e90000 rw-p 00015000 fc:00 44189     
    /lib/tls/i686/cmov/libpthread-2.9.so
    b7e90000-b7e92000 rw-p b7e90000 00:00 0
    b7e92000-b7fee000 r-xp 00000000 fc:00 44135     
    /lib/tls/i686/cmov/libc-2.9.so
    b7fee000-b7fef000 ---p 0015c000 fc:00 44135     
    /lib/tls/i686/cmov/libc-2.9.so
    b7fef000-b7ff1000 r--p 0015c000 fc:00 44135     
    /lib/tls/i686/cmov/libc-2.9.so
    b7ff1000-b7ff2000 rw-p 0015e000 fc:00 44135     
    /lib/tls/i686/cmov/libc-2.9.so
    b7ff2000-b7ff6000 rw-p b7ff2000 00:00 0
    b7ff6000-b7ffd000 r-xp 00000000 fc:00 44191     
    /lib/tls/i686/cmov/librt-2.9.so
    b7ffd000-b7ffe000 r--p 00006000 fc:00 44191     
    /lib/tls/i686/cmov/librt-2.9.so
    b7ffe000-b7fff000 rw-p 00007000 fc:00 44191     
    /lib/tls/i686/cmov/librt-2.9.so
    b7fff000-b802f000 r-xp 00000000 fc:00 44005      /lib/libpcre.so.3.12.1
    b802f000-b8030000 r--p 0002f000 fc:00 44005      /lib/libpcre.so.3.12.1
    b8030000-b8031000 rw-p 00030000 fc:00 44005      /lib/libpcre.so.3.12.1
    b8036000-b8039000 rw-p b8036000 00:00 0
    b8039000-b803a000 r-xp b8039000 00:00 0          [vdso]
    b803a000-b8056000 r-xp 00000000 fc:00 43920      /lib/ld-2.9.so
    b8056000-b8057000 r--p 0001b000 fc:00 43920      /lib/ld-2.9.so
    b8057000-b8058000 rw-p 0001c000 fc:00 43920      /lib/ld-2.9.so
    bf942000-bf957000 rw-p bffeb000 00:00 0          [stack]

strace of bb-rep.cgi process:

    execve("/home/hobbit/server/bin/bb-rep.cgi",
    ["/home/hobbit/server/bin/bb-rep.c"..., "--env=/home/hobbit/server/etc/ho"...,
    "--recentgifs", "--subpagecolumns=2"], [/* 28 vars */]) = 0
    brk(0)                                  = 0x86bf000
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
    directory)
    mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
    -1, 0) = 0xb8037000
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or
    directory)
    open("/etc/ld.so.cache", O_RDONLY)      = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=22459, ...}) = 0
    mmap2(NULL, 22459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb8031000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
    directory)
    open("/lib/libpcre.so.3", O_RDONLY)     = 3
    read(3,
    "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\17\0\0004\0\0\0\34"...,
    512) = 512
    fstat64(3, {st_mode=S_IFREG|0644, st_size=197892, ...}) = 0
    mmap2(NULL, 200788, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
    3, 0) = 0xb7fff000
    mmap2(0xb802f000, 8192, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2f) = 0xb802f000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
    directory)
    open("/lib/tls/i686/cmov/librt.so.1", O_RDONLY) = 3
    read(3,
    "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\30\0\0004\0\0\0\240"...,
    512) = 512
    fstat64(3, {st_mode=S_IFREG|0644, st_size=30624, ...}) = 0
    mmap2(NULL, 33364, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
    3, 0) = 0xb7ff6000
    mmap2(0xb7ffd000, 8192, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb7ffd000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
    directory)
    open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
    read(3,
    "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320h\1\0004\0\0\0\344"...,
    512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
    -1, 0) = 0xb7ff5000
    mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
    3, 0) = 0xb7e92000
    mprotect(0xb7fee000, 4096, PROT_NONE)   = 0
    mmap2(0xb7fef000, 12288, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fef000
    mmap2(0xb7ff2000, 9840, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ff2000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
    directory)
    open("/lib/tls/i686/cmov/libpthread.so.0", O_RDONLY) = 3
    read(3,
    "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000H\0\0004\0\0\0\330"...,
    512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=116405, ...}) = 0
    mmap2(NULL, 98780, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
    3, 0) = 0xb7e79000
    mmap2(0xb7e8e000, 8192, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7e8e000
    mmap2(0xb7e90000, 4572, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7e90000
    close(3)                                = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
    -1, 0) = 0xb7e78000
    set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e786c0,
    limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
    limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    open("/dev/urandom", O_RDONLY)          = 3
    read(3, "X\321\v\343"..., 4)            = 4
    close(3)                                = 0
    mprotect(0xb7e8e000, 4096, PROT_READ)   = 0
    mprotect(0xb7fef000, 8192, PROT_READ)   = 0
    mprotect(0xb7ffd000, 4096, PROT_READ)   = 0
    mprotect(0xb802f000, 4096, PROT_READ)   = 0
    mprotect(0x8061000, 4096, PROT_READ)    = 0
    mprotect(0xb8056000, 4096, PROT_READ)   = 0
    munmap(0xb8031000, 22459)               = 0
    set_tid_address(0xb7e78708)             = 2349
    set_robust_list(0xb7e78710, 0xc)        = 0
    futex(0xbf9549d0, FUTEX_WAKE_PRIVATE, 1) = 0
    rt_sigaction(SIGRTMIN, {0xb7e7d2e0, [], SA_SIGINFO}, NULL, 8) = 0
    rt_sigaction(SIGRT_1, {0xb7e7d720, [], SA_RESTART|SA_SIGINFO}, NULL,
    8) = 0
    rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
    getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024,
    rlim_max=RLIM_INFINITY}) = 0
    uname({sys="Linux", node="hobbit", ...}) = 0
    brk(0)                                  = 0x86bf000
    brk(0x86e0000)                          = 0x86e0000
    open("/home/hobbit/server/etc/hobbitserver.cfg",
    O_RDONLY|O_LARGEFILE) = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=12194, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
    -1, 0) = 0xb8036000
    read(3, "# NB : Even though it might look "..., 4096) = 4096
    read(3, "er directory, where programs and "..., 4096) = 4096
    read(3, "is,maxuser,nparts,hdtemp=ncv\"\n\nNC"..., 4096) = 4002
    read(3, ""..., 4096)                    = 0
    close(3)                                = 0
    munmap(0xb8036000, 4096)                = 0
    close(2)                                = 0
    open("/var/log/xymon/cgierror.log",
    O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 2
    fstat64(2, {st_mode=S_IFREG|0644, st_size=2707, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
    -1, 0) = 0xb8036000
    fstat64(2, {st_mode=S_IFREG|0644, st_size=2707, ...}) = 0
    _llseek(2, 2707, [2707], SEEK_SET)      = 0
    open("/etc/localtime", O_RDONLY)        = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
    fstat64(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
    mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
    -1, 0) = 0xb8035000
    read(3,
    "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0"...,
    4096) = 3519
    _llseek(3, -24, [3495], SEEK_CUR)       = 0
    read(3, "\nEST5EDT,M3.2.0,M11.1.0\n"..., 4096) = 24
    close(3)                                = 0
    munmap(0xb8035000, 4096)                = 0
    stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
    time(NULL)                              = 1248441848
    time(NULL)                              = 1248441848
    time(NULL)                              = 1248441848
    mkdir("/home/hobbit/server/www/rep/2349-1248441848", 0755) = 0
    time(NULL)                              = 1248441848
    open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such
    device or address)
    writev(2, [{"*** "..., 4}, {"buffer overflow detected"..., 24},
    {" ***: "..., 6}, {"/home/hobbit/server/bin/bb-rep.cg"..., 34},
    {" terminated\n"..., 12}], 5) = 80
    open("/etc/ld.so.cache", O_RDONLY)      = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=22459, ...}) = 0
    mmap2(NULL, 22459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7e72000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or
    directory)
    open("/lib/libgcc_s.so.1", O_RDONLY)    = 3
    read(3,
    "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\34\0\0004\0\0\0\234"...,
    512) = 512
    fstat64(3, {st_mode=S_IFREG|0644, st_size=54740, ...}) = 0
    mmap2(NULL, 57864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
    3, 0) = 0xb7e63000
    mmap2(0xb7e70000, 8192, PROT_READ|PROT_WRITE,
    MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc) = 0xb7e70000
    close(3)                                = 0
    mprotect(0xb7e70000, 4096, PROT_READ)   = 0
    munmap(0xb7e72000, 22459)               = 0
    futex(0xb7ff3a78, FUTEX_WAKE_PRIVATE, 2147483647) = 0
    futex(0xb7e710c8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
    write(2, "======= Backtrace: =========\n"..., 29) = 29
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
    {"__fortify_fail"..., 14}, {"+0x"..., 3}
    , {"48"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7f8fda8"..., 8},
    {"]\n"..., 2}], 9) = 62
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"[0x"..., 3},
    {"b7f8deb0"..., 8}, {"]\n"..., 2}], 4)
     = 41
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"[0x"..., 3},
    {"b7f8d5a8"..., 8}, {"]\n"..., 2}], 4)
     = 41
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
    {"_IO_default_xsputn"..., 18}, {"+0x"...
    , 3}, {"c8"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7effbb8"..., 8},
    {"]\n"..., 2}], 9) = 66
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
    {"_IO_vfprintf"..., 12}, {"+0x"..., 3},
    {"f4c"..., 3}, {")"..., 1}, {"[0x"..., 3}, {"b7ed277c"..., 8},
    {"]\n"..., 2}], 9) = 61
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
    {"__vsprintf_chk"..., 14}, {"+0x"..., 3}
    , {"a4"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7f8d654"..., 8},
    {"]\n"..., 2}], 9) = 62
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
    {"__sprintf_chk"..., 13}, {"+0x"..., 3},
     {"2d"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7f8d59d"..., 8},
    {"]\n"..., 2}], 9) = 61
    writev(2, [{"/home/hobbit/server/bin/bb-rep.cg"..., 34}, {"[0x"...,
    3}, {"804a919"..., 7}, {"]\n"..., 2}]
    , 4) = 46
    writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
    {"__libc_start_main"..., 17}, {"+0x"...,
     3}, {"e5"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7ea8775"..., 8},
    {"]\n"..., 2}], 9) = 65
    writev(2, [{"/home/hobbit/server/bin/bb-rep.cg"..., 34}, {"[0x"...,
    3}, {"8049bd1"..., 7}, {"]\n"..., 2}]
    , 4) = 46
    write(2, "======= Memory map: ========\n"..., 29) = 29
    open("/proc/self/maps", O_RDONLY)       = 3
    read(3, "08048000-08061000 r-xp 00000000 f"..., 1024) = 1024
    write(2, "08048000-08061000 r-xp 00000000 f"..., 1024) = 1024
    read(3, "f1000 r--p 0015c000 fc:00 44135  "..., 1024) = 994
    write(2, "f1000 r--p 0015c000 fc:00 44135  "..., 994) = 994
    read(3, ""..., 1024)                    = 0
    close(3)                                = 0
    rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
    tgkill(2349, 2349, SIGABRT)             = 0
    --- SIGABRT (Aborted) @ 0 (0) ---
    +++ killed by SIGABRT +++



