buffer overflow in bb-rep.cgi
Dewey Sasser
dewey at sasser.com
Fri Jul 24 16:58:31 CEST 2009
I have 3 xymon installations, all 4.3.0 beta 2.
One of them cannot generate an availability report. I tried 4.2.3 and
got the same symptom (though I didn't collect as much data).
Here are the cgierror.log file and an strace of the bb-rep.cgi run from 4.3.0.
Note: I did just add a custom graph to this server and that line
appears suspiciously in the strace, but when I take it out I get the
same behavior.
Other info:
OS: Ubuntu 9.04 (Jaunty), fully up to date
Any help appreciated.
Thanks,
--
Dewey
cgierror.log (the abort comes from glibc's fortify check on a sprintf call made in bb-rep.cgi):
*** buffer overflow detected ***: /home/hobbit/server/bin/bb-rep.cgi
terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0xb7f8fda8]
/lib/tls/i686/cmov/libc.so.6[0xb7f8deb0]
/lib/tls/i686/cmov/libc.so.6[0xb7f8d5a8]
/lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0xc8)[0xb7effbb8]
/lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0xf4c)[0xb7ed277c]
/lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xa4)[0xb7f8d654]
/lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb7f8d59d]
/home/hobbit/server/bin/bb-rep.cgi[0x804a919]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5)[0xb7ea8775]
/home/hobbit/server/bin/bb-rep.cgi[0x8049bd1]
======= Memory map: ========
08048000-08061000 r-xp 00000000 fc:00 75049
/home/hobbit/server/bin/bb-rep.cgi
08061000-08062000 r--p 00018000 fc:00 75049
/home/hobbit/server/bin/bb-rep.cgi
08062000-08063000 rw-p 00019000 fc:00 75049
/home/hobbit/server/bin/bb-rep.cgi
086bf000-086e0000 rw-p 086bf000 00:00 0 [heap]
b7e63000-b7e70000 r-xp 00000000 fc:00 43991 /lib/libgcc_s.so.1
b7e70000-b7e71000 r--p 0000c000 fc:00 43991 /lib/libgcc_s.so.1
b7e71000-b7e72000 rw-p 0000d000 fc:00 43991 /lib/libgcc_s.so.1
b7e78000-b7e79000 rw-p b7e78000 00:00 0
b7e79000-b7e8e000 r-xp 00000000 fc:00 44189
/lib/tls/i686/cmov/libpthread-2.9.so
b7e8e000-b7e8f000 r--p 00014000 fc:00 44189
/lib/tls/i686/cmov/libpthread-2.9.so
b7e8f000-b7e90000 rw-p 00015000 fc:00 44189
/lib/tls/i686/cmov/libpthread-2.9.so
b7e90000-b7e92000 rw-p b7e90000 00:00 0
b7e92000-b7fee000 r-xp 00000000 fc:00 44135
/lib/tls/i686/cmov/libc-2.9.so
b7fee000-b7fef000 ---p 0015c000 fc:00 44135
/lib/tls/i686/cmov/libc-2.9.so
b7fef000-b7ff1000 r--p 0015c000 fc:00 44135
/lib/tls/i686/cmov/libc-2.9.so
b7ff1000-b7ff2000 rw-p 0015e000 fc:00 44135
/lib/tls/i686/cmov/libc-2.9.so
b7ff2000-b7ff6000 rw-p b7ff2000 00:00 0
b7ff6000-b7ffd000 r-xp 00000000 fc:00 44191
/lib/tls/i686/cmov/librt-2.9.so
b7ffd000-b7ffe000 r--p 00006000 fc:00 44191
/lib/tls/i686/cmov/librt-2.9.so
b7ffe000-b7fff000 rw-p 00007000 fc:00 44191
/lib/tls/i686/cmov/librt-2.9.so
b7fff000-b802f000 r-xp 00000000 fc:00 44005 /lib/libpcre.so.3.12.1
b802f000-b8030000 r--p 0002f000 fc:00 44005 /lib/libpcre.so.3.12.1
b8030000-b8031000 rw-p 00030000 fc:00 44005 /lib/libpcre.so.3.12.1
b8036000-b8039000 rw-p b8036000 00:00 0
b8039000-b803a000 r-xp b8039000 00:00 0 [vdso]
b803a000-b8056000 r-xp 00000000 fc:00 43920 /lib/ld-2.9.so
b8056000-b8057000 r--p 0001b000 fc:00 43920 /lib/ld-2.9.so
b8057000-b8058000 rw-p 0001c000 fc:00 43920 /lib/ld-2.9.so
bf942000-bf957000 rw-p bffeb000 00:00 0 [stack]
strace of bb-rep.cgi process (the overflow message is written right after the report directory is created with mkdir):
execve("/home/hobbit/server/bin/bb-rep.cgi", ["/home/hobbit/server/bin/bb-rep.c"..., "--env=/home/hobbit/server/etc/ho"..., "--recentgifs", "--subpagecolumns=2"], [/* 28 vars */]) = 0
brk(0) = 0x86bf000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb8037000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=22459, ...}) = 0
mmap2(NULL, 22459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb8031000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/libpcre.so.3", O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\17\0\0004\0\0\0\34"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=197892, ...}) = 0
mmap2(NULL, 200788, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xb7fff000
mmap2(0xb802f000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2f) = 0xb802f000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/tls/i686/cmov/librt.so.1", O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\30\0\0004\0\0\0\240"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=30624, ...}) = 0
mmap2(NULL, 33364, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xb7ff6000
mmap2(0xb7ffd000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb7ffd000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320h\1\0004\0\0\0\344"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7ff5000
mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xb7e92000
mprotect(0xb7fee000, 4096, PROT_NONE) = 0
mmap2(0xb7fef000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fef000
mmap2(0xb7ff2000, 9840, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ff2000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/tls/i686/cmov/libpthread.so.0", O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000H\0\0004\0\0\0\330"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=116405, ...}) = 0
mmap2(NULL, 98780, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xb7e79000
mmap2(0xb7e8e000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb7e8e000
mmap2(0xb7e90000, 4572, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7e90000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb7e78000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e786c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "X\321\v\343"..., 4) = 4
close(3) = 0
mprotect(0xb7e8e000, 4096, PROT_READ) = 0
mprotect(0xb7fef000, 8192, PROT_READ) = 0
mprotect(0xb7ffd000, 4096, PROT_READ) = 0
mprotect(0xb802f000, 4096, PROT_READ) = 0
mprotect(0x8061000, 4096, PROT_READ) = 0
mprotect(0xb8056000, 4096, PROT_READ) = 0
munmap(0xb8031000, 22459) = 0
set_tid_address(0xb7e78708) = 2349
set_robust_list(0xb7e78710, 0xc) = 0
futex(0xbf9549d0, FUTEX_WAKE_PRIVATE, 1) = 0
rt_sigaction(SIGRTMIN, {0xb7e7d2e0, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xb7e7d720, [], SA_RESTART|SA_SIGINFO}, NULL,
8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024,
rlim_max=RLIM_INFINITY}) = 0
uname({sys="Linux", node="hobbit", ...}) = 0
brk(0) = 0x86bf000
brk(0x86e0000) = 0x86e0000
open("/home/hobbit/server/etc/hobbitserver.cfg",
O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=12194, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb8036000
read(3, "# NB : Even though it might look "..., 4096) = 4096
read(3, "er directory, where programs and "..., 4096) = 4096
read(3, "is,maxuser,nparts,hdtemp=ncv\"\n\nNC"..., 4096) = 4002
read(3, ""..., 4096) = 0
close(3) = 0
munmap(0xb8036000, 4096) = 0
close(2) = 0
open("/var/log/xymon/cgierror.log",
O_WRONLY|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 2
fstat64(2, {st_mode=S_IFREG|0644, st_size=2707, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb8036000
fstat64(2, {st_mode=S_IFREG|0644, st_size=2707, ...}) = 0
_llseek(2, 2707, [2707], SEEK_SET) = 0
open("/etc/localtime", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
-1, 0) = 0xb8035000
read(3,
"TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0\0"...,
4096) = 3519
_llseek(3, -24, [3495], SEEK_CUR) = 0
read(3, "\nEST5EDT,M3.2.0,M11.1.0\n"..., 4096) = 24
close(3) = 0
munmap(0xb8035000, 4096) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=3519, ...}) = 0
time(NULL) = 1248441848
time(NULL) = 1248441848
time(NULL) = 1248441848
mkdir("/home/hobbit/server/www/rep/2349-1248441848", 0755) = 0
time(NULL) = 1248441848
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such
device or address)
writev(2, [{"*** "..., 4}, {"buffer overflow detected"..., 24}, {" ***: "..., 6}, {"/home/hobbit/server/bin/bb-rep.cg"..., 34}, {" terminated\n"..., 12}], 5) = 80
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=22459, ...}) = 0
mmap2(NULL, 22459, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7e72000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/libgcc_s.so.1", O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260\34\0\0004\0\0\0\234"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=54740, ...}) = 0
mmap2(NULL, 57864, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xb7e63000
mmap2(0xb7e70000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc) = 0xb7e70000
close(3) = 0
mprotect(0xb7e70000, 4096, PROT_READ) = 0
munmap(0xb7e72000, 22459) = 0
futex(0xb7ff3a78, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0xb7e710c8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
write(2, "======= Backtrace: =========\n"..., 29) = 29
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
{"__fortify_fail"..., 14}, {"+0x"..., 3}
, {"48"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7f8fda8"..., 8},
{"]\n"..., 2}], 9) = 62
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"[0x"..., 3},
{"b7f8deb0"..., 8}, {"]\n"..., 2}], 4)
= 41
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"[0x"..., 3},
{"b7f8d5a8"..., 8}, {"]\n"..., 2}], 4)
= 41
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
{"_IO_default_xsputn"..., 18}, {"+0x"...
, 3}, {"c8"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7effbb8"..., 8},
{"]\n"..., 2}], 9) = 66
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
{"_IO_vfprintf"..., 12}, {"+0x"..., 3},
{"f4c"..., 3}, {")"..., 1}, {"[0x"..., 3}, {"b7ed277c"..., 8},
{"]\n"..., 2}], 9) = 61
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
{"__vsprintf_chk"..., 14}, {"+0x"..., 3}
, {"a4"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7f8d654"..., 8},
{"]\n"..., 2}], 9) = 62
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
{"__sprintf_chk"..., 13}, {"+0x"..., 3},
{"2d"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7f8d59d"..., 8},
{"]\n"..., 2}], 9) = 61
writev(2, [{"/home/hobbit/server/bin/bb-rep.cg"..., 34}, {"[0x"...,
3}, {"804a919"..., 7}, {"]\n"..., 2}]
, 4) = 46
writev(2, [{"/lib/tls/i686/cmov/libc.so.6"..., 28}, {"("..., 1},
{"__libc_start_main"..., 17}, {"+0x"...,
3}, {"e5"..., 2}, {")"..., 1}, {"[0x"..., 3}, {"b7ea8775"..., 8},
{"]\n"..., 2}], 9) = 65
writev(2, [{"/home/hobbit/server/bin/bb-rep.cg"..., 34}, {"[0x"...,
3}, {"8049bd1"..., 7}, {"]\n"..., 2}]
, 4) = 46
write(2, "======= Memory map: ========\n"..., 29) = 29
open("/proc/self/maps", O_RDONLY) = 3
read(3, "08048000-08061000 r-xp 00000000 f"..., 1024) = 1024
write(2, "08048000-08061000 r-xp 00000000 f"..., 1024) = 1024
read(3, "f1000 r--p 0015c000 fc:00 44135 "..., 1024) = 994
write(2, "f1000 r--p 0015c000 fc:00 44135 "..., 994) = 994
read(3, ""..., 1024) = 0
close(3) = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(2349, 2349, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++