[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp

C. Bensend benny at bennyvision.com
Tue Oct 26 14:31:04 CEST 2010


Hey folks,

   Trying to run check_clamd (symlink to check_tcp) under a recent
release of OpenBSD -CURRENT has revealed a stack overflow in
check_tcp.  For those of you not familiar, OpenBSD has a number of
protections built in to limit exposure in the case of application
flaws, and it appears that it's squashing one in check_tcp:

kdump output:

...

 30184 check_tcp RET   socket 6
 30184 check_tcp CALL  fcntl(0x6,0x3,0)
 30184 check_tcp RET   fcntl 2
 30184 check_tcp CALL  fcntl(0x6,0x4,0x6)
 30184 check_tcp RET   fcntl 0
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  fcntl(0x6,0x2,0x1)
 30184 check_tcp RET   fcntl 0
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  connect(0x6,0xcfbe250e,0x6a)
 30184 check_tcp NAMI  "/dev/log"
 30184 check_tcp RET   connect 0
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sendto(0x6,0xcfbe25f8,0x3a,0,0,0)
 30184 check_tcp GIO   fd 6 wrote 58 bytes
       "<10>check_clamd: stack overflow in function np_net_connect"
 30184 check_tcp RET   sendto 58/0x3a
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  fstat(0x6,0xcfbe312c)
 30184 check_tcp RET   fstat 0
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x2685a000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  close(0x6)
 30184 check_tcp RET   close 0
 30184 check_tcp CALL  sigaction(0x6,0xcfbe3250,0)
 30184 check_tcp RET   sigaction 0
 30184 check_tcp CALL  getpid()
 30184 check_tcp RET   getpid 30184/0x75e8
 30184 check_tcp CALL  sigprocmask(0x1,0xffffffff)
 30184 check_tcp RET   sigprocmask 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x3)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  mprotect(0x26057000,0x1000,0x1)
 30184 check_tcp RET   mprotect 0
 30184 check_tcp CALL  sigprocmask(0x3,0)
 30184 check_tcp RET   sigprocmask -65793/0xfffefeff
 30184 check_tcp CALL  kill(0x75e8,0x6)
 30184 check_tcp PSIG  SIGABRT SIG_DFL code 0
 30184 check_tcp NAMI  "check_tcp.core"


And backtrace from gdb:

(gdb) run
Starting program:  /tmp/clamd.socket
No executable file specified.
Use the "file" or "exec-file" command.
(gdb) file ./check_clamd
Reading symbols from
/home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd...done.
(gdb) run
Starting program:
/home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd
/tmp/clamd.socket

Program received signal SIGABRT, Aborted.
[Switching to process 4352, thread 0x85c7cc00]
0x0567cf4d in kill () from /usr/lib/libc.so.56.0
(gdb) bt
#0  0x0567cf4d in kill () from /usr/lib/libc.so.56.0
#1  0x056df3c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
    damaged=-809678242) at /usr/src/lib/libc/sys/stack_protector.c:89
#2  0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
    proto=29869) at netutils.c:267
#3  0x1c0025b9 in main (argc=1, argv=0xcfbd4bc0) at check_tcp.c:231

Now, I am rather shaky with my use of gdb, so if one of you
needs this information differently, please suggest the step-by-step
to use with gdb to get the information needed, and I'll gather it.

As a result of this, check_clamd/check_tcp is SIGABRTing every time
Nagios tries to test my ClamAV socket.  :(

Any help would be greatly appreciated!  I am more than open to
testing possible fixes for check_tcp.

Benny


-- 
"No matter how many shorts we have in the system, my guards will
be instructed to treat every surveillance camera malfunction as a
full-scale emergency."
                       -- Peter Anspach's Evil Overlord List, #67
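An added example, not from this post and not nagios-plugins code: the kdump trace above shows what OpenBSD's stack protector does once a canary check fails in np_net_connect (it opens a socket to /dev/log, sends the "stack overflow in function np_net_connect" syslog line, then kill()s its own pid with SIGABRT), but the thread does not say how the overflow arose. The C below shows one defensive pattern for the Unix-socket branch of a connect helper: size the copy into sockaddr_un.sun_path by the field's real size (104 bytes on the BSDs, 108 on Linux) rather than by a compile-time constant, and reject paths that do not fit. The helper names fill_sockaddr_un and strncpy_overrun are mine, the socket path reuses /tmp/clamd.socket from the report, and nothing here claims to be the actual root cause in check_tcp.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/*
 * Hypothetical helper (not nagios-plugins code): build a sockaddr_un for a
 * filesystem socket path, bounded by the platform's own sun_path size.
 * Returns 0 on success, -1 if the path is empty or does not fit with its NUL.
 */
int fill_sockaddr_un(struct sockaddr_un *su, const char *path, socklen_t *len)
{
    size_t n;

    if (su == NULL || path == NULL || len == NULL)
        return -1;
    n = strlen(path);
    /* The terminating NUL must also land inside sun_path. */
    if (n == 0 || n >= sizeof(su->sun_path))
        return -1;

    memset(su, 0, sizeof *su);
    su->sun_family = AF_UNIX;
    memcpy(su->sun_path, path, n + 1);
    *len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    return 0;
}

/*
 * The bug class, stated numerically: strncpy(dst, src, assumed_max) always
 * writes exactly assumed_max bytes (it NUL-pads), so a constant larger than
 * the real field overruns by the difference on every call, however short
 * the source string is. Returns the number of bytes written past the field.
 */
size_t strncpy_overrun(size_t assumed_max, size_t field_size)
{
    return assumed_max > field_size ? assumed_max - field_size : 0;
}

int main(void)
{
    struct sockaddr_un su;
    socklen_t len;
    int fd;

    /* 108 is a constructed "assumed" limit; compare it with this platform's field. */
    printf("sun_path here is %zu bytes; a copy assuming 108 would overrun by %zu\n",
           sizeof su.sun_path, strncpy_overrun(108, sizeof su.sun_path));

    if (fill_sockaddr_un(&su, "/tmp/clamd.socket", &len) != 0) {
        fputs("path does not fit in sun_path\n", stderr);
        return 1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    /* With no daemon listening this fails cleanly (ENOENT/ECONNREFUSED) instead of corrupting the stack. */
    if (connect(fd, (struct sockaddr *)&su, len) != 0)
        printf("connect(%s): %s\n", su.sun_path, strerror(errno));
    else
        puts("connected");
    close(fd);
    return 0;
}
```

The point worth taking from the trace is that the abort is the protector working as designed: the canary check in np_net_connect's epilogue fired, so the corruption happened inside that frame, and a fix needs to bound whatever copy feeds the sockaddr by sizeof on the real field, as fill_sockaddr_un does.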





