[Nagiosplug-devel] Stack overflow in check_clamd/check_tcp
C. Bensend
benny at bennyvision.com
Tue Oct 26 14:31:04 CEST 2010
Hey folks,
Trying to run check_clamd (symlink to check_tcp) under a recent
release of OpenBSD -CURRENT has revealed a stack overflow in
check_tcp. For those of you not familiar, OpenBSD has a number of
protections built in to limit exposure in the case of application
flaws, and it appears that it's squashing one in check_tcp:
kdump output:
...
30184 check_tcp RET socket 6
30184 check_tcp CALL fcntl(0x6,0x3,0)
30184 check_tcp RET fcntl 2
30184 check_tcp CALL fcntl(0x6,0x4,0x6)
30184 check_tcp RET fcntl 0
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL fcntl(0x6,0x2,0x1)
30184 check_tcp RET fcntl 0
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL connect(0x6,0xcfbe250e,0x6a)
30184 check_tcp NAMI "/dev/log"
30184 check_tcp RET connect 0
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sendto(0x6,0xcfbe25f8,0x3a,0,0,0)
30184 check_tcp GIO fd 6 wrote 58 bytes
"<10>check_clamd: stack overflow in function np_net_connect"
30184 check_tcp RET sendto 58/0x3a
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL fstat(0x6,0xcfbe312c)
30184 check_tcp RET fstat 0
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x2685a000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL close(0x6)
30184 check_tcp RET close 0
30184 check_tcp CALL sigaction(0x6,0xcfbe3250,0)
30184 check_tcp RET sigaction 0
30184 check_tcp CALL getpid()
30184 check_tcp RET getpid 30184/0x75e8
30184 check_tcp CALL sigprocmask(0x1,0xffffffff)
30184 check_tcp RET sigprocmask 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x3)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL mprotect(0x26057000,0x1000,0x1)
30184 check_tcp RET mprotect 0
30184 check_tcp CALL sigprocmask(0x3,0)
30184 check_tcp RET sigprocmask -65793/0xfffefeff
30184 check_tcp CALL kill(0x75e8,0x6)
30184 check_tcp PSIG SIGABRT SIG_DFL code 0
30184 check_tcp NAMI "check_tcp.core"
And backtrace from gdb:
(gdb) run
Starting program: /tmp/clamd.socket
No executable file specified.
Use the "file" or "exec-file" command.
(gdb) file ./check_clamd
Reading symbols from
/home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd...done.
(gdb) run
Starting program:
/home/benny/temp/nagios-plugins-1.4.15/plugins/check_clamd
/tmp/clamd.socket
Program received signal SIGABRT, Aborted.
[Switching to process 4352, thread 0x85c7cc00]
0x0567cf4d in kill () from /usr/lib/libc.so.56.0
(gdb) bt
#0 0x0567cf4d in kill () from /usr/lib/libc.so.56.0
#1 0x056df3c3 in __stack_smash_handler (func=0x3c0012ec "np_net_connect",
damaged=-809678242) at /usr/src/lib/libc/sys/stack_protector.c:89
#2 0x1c003a5d in np_net_connect (host_name=0x0, port=3310, sd=0x3c002064,
proto=29869) at netutils.c:267
#3 0x1c0025b9 in main (argc=1, argv=0xcfbd4bc0) at check_tcp.c:231
Now, I am rather shaky with my use of gdb, so if one of you
needs this information differently, please suggest the step-by-step
to use with gdb to get the information needed, and I'll gather it.
As a result of this, check_clamd/check_tcp is SIGABRTing every time
Nagios tries to test my ClamAV socket. :(
Any help would be greatly appreciated! I am more than open to
testing possible fixes for check_tcp.
Benny
--
"No matter how many shorts we have in the system, my guards will
be instructed to treat every surveillance camera malfunction as a
full-scale emergency."
-- Peter Anspach's Evil Overlord List, #67
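Added example (not code from the post or from nagios-plugins): the kdump trace above shows OpenBSD's stack protector doing its job, logging "stack overflow in function np_net_connect" to /dev/log and then raising SIGABRT, which means a stack buffer inside np_net_connect was written past its end while connecting to the Unix-domain socket. The root cause is not established by the post; the snippet below assumes, as a hypothetical, the classic way this happens in Unix-socket client code: a hard-coded path limit (ASSUMED_UNIX_PATH_MAX, 108, invented here) that is larger than the platform's sun_path member (104 bytes on the BSDs), so an unchecked strncpy pads NULs past the struct. The code shows the arithmetic for that overrun and the hardened pattern: derive the limit from sizeof sun_path, refuse paths that do not fit, and pass the exact address length to connect(2). Function names are the example's own.

```c
/* Added example (not nagios-plugins code): safe sockaddr_un construction
 * for a Unix-domain socket client, plus the arithmetic for the overrun an
 * unchecked strncpy with a hard-coded limit would produce. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define ASSUMED_UNIX_PATH_MAX 108   /* hypothetical hard-coded limit; sun_path is 104 on BSDs */

/* How many bytes strncpy(su.sun_path, path, limit) would write past the end
 * of sun_path on this platform. strncpy always writes exactly `limit` bytes
 * (NUL padded), so the overrun depends on the limit, not on the path.
 * Pure arithmetic: nothing is copied here. */
size_t strncpy_overrun_bytes(size_t limit)
{
    struct sockaddr_un su;
    return limit > sizeof su.sun_path ? limit - sizeof su.sun_path : 0;
}

/* Fill *su for `path`. Returns the address length to pass to connect(2),
 * or -1 if the path is empty or does not fit together with its NUL.
 * Refusing is deliberate: silently truncating a socket path makes the
 * client connect to the wrong (or no) socket instead of failing loudly. */
int build_unix_addr(struct sockaddr_un *su, const char *path)
{
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof su->sun_path)
        return -1;
    memset(su, 0, sizeof *su);
    su->sun_family = AF_UNIX;
    memcpy(su->sun_path, path, len + 1);   /* bounded by the check above; copies the NUL */
    return (int)(offsetof(struct sockaddr_un, sun_path) + len + 1);
}

/* Connect to a Unix-domain stream socket. Returns the fd, or -1 on any
 * failure (bad path, socket() or connect() error). */
int connect_unix(const char *path)
{
    struct sockaddr_un su;
    int len = build_unix_addr(&su, path);
    if (len < 0)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&su, (socklen_t)len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/clamd.socket";
    printf("sun_path holds %zu bytes; an unchecked limit of %d would overrun by %zu byte(s)\n",
           sizeof ((struct sockaddr_un *)0)->sun_path, ASSUMED_UNIX_PATH_MAX,
           strncpy_overrun_bytes(ASSUMED_UNIX_PATH_MAX));
    int fd = connect_unix(path);
    if (fd < 0) {
        perror(path);
        return 2;
    }
    puts("connected");
    close(fd);
    return 0;
}
```

Run it on the affected host as `./a.out /tmp/clamd.socket`: the first line reports whether the assumed limit exceeds this platform's sun_path, which is the check to make before trusting any constant copied from another OS's headers. With the stack protector enabled (the OpenBSD default), the unchecked variant is caught only at function return, after the neighbouring stack data has already been clobbered; the length check fails before any write happens.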