[Bug 19899] New: -D_FORTIFY_SOURCE=2 detects overflow in RPCRT4_BuildBindAckHeader
wine-bugs at winehq.org
Mon Aug 31 18:11:15 CDT 2009
http://bugs.winehq.org/show_bug.cgi?id=19899
Summary: -D_FORTIFY_SOURCE=2 detects overflow in RPCRT4_BuildBindAckHeader
Product: Wine
Version: unspecified
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: rpc
AssignedTo: wine-bugs at winehq.org
ReportedBy: pp at ee.oulu.fi
Running winecfg (1.1.28) compiled with the standard Fedora buffer overflow
detection stuff causes the following:
[pp at laptop ~]$ winecfg
*** buffer overflow detected ***: C:\windows\system32\services.exe terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x4d)[0x6827196d]
/lib/libc.so.6(+0x5ed9fa)[0x6826f9fa]
/lib/libc.so.6(__strcpy_chk+0x44)[0x6826ecd4]
/usr/bin/../lib/wine/rpcrt4.dll.so(RPCRT4_BuildBindAckHeader+0xfe)[0x685cf01e]
/usr/bin/../lib/wine/rpcrt4.dll.so(+0x4bb48)[0x685d2b48]
/usr/bin/../lib/wine/ntdll.dll.so(+0x7749f)[0x6837249f]
/usr/bin/../lib/wine/ntdll.dll.so(+0x6ac84)[0x68365c84]
/usr/bin/../lib/wine/ntdll.dll.so(call_thread_entry_point+0x71)[0x68365e71]
/usr/bin/../lib/wine/ntdll.dll.so(+0x73586)[0x6836e586]
/lib/libpthread.so.0(+0x7e19d5)[0x681649d5]
/lib/libc.so.6(clone+0x5e)[0x682581de]
======= Memory map: ========
Probably an off-by-one in the header size calculation that gets triggered by the strcpy; the code is probably best looked at by someone who knows the stuff :)
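Added illustration of the off-by-one pattern the reporter suspects (example code written for this page, not Wine's RPCRT4_BuildBindAckHeader; the struct layout, field names and constants are simplified assumptions): the undersized calculation sits beside the corrected one, and the builder checks the bound itself instead of relying on __strcpy_chk to abort at runtime.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified bind_ack layout for illustration only (not Wine's
 * real structure): fixed fields followed by a NUL-terminated address string. */
typedef struct {
    uint8_t  ptype;         /* packet type */
    uint8_t  flags;
    uint16_t frag_len;      /* total packet length in bytes */
    uint16_t sec_addr_len;  /* address string length including the NUL */
    char     sec_addr[1];   /* variable-length string starts here */
} bind_ack_hdr;

/* The off-by-one the report suspects: the size calculation counts the
 * characters of the address but not the NUL that strcpy appends. */
size_t bind_ack_size_buggy(const char *addr)
{
    return offsetof(bind_ack_hdr, sec_addr) + strlen(addr);
}

/* Corrected calculation: one extra byte for the terminator. */
size_t bind_ack_size_fixed(const char *addr)
{
    return offsetof(bind_ack_hdr, sec_addr) + strlen(addr) + 1;
}

/* Build the header into a caller-supplied buffer. Returns bytes written, or 0
 * if the address does not fit; the explicit bound plus memcpy means the check
 * does not depend on FORTIFY_SOURCE being enabled in the build. */
size_t build_bind_ack(uint8_t *buf, size_t buf_len, const char *addr)
{
    size_t addr_len = strlen(addr);
    size_t need = bind_ack_size_fixed(addr);
    if (need > buf_len || need > UINT16_MAX)
        return 0;
    bind_ack_hdr *hdr = (bind_ack_hdr *)buf;
    hdr->ptype = 12;                  /* assumed bind_ack packet-type value */
    hdr->flags = 0;
    hdr->frag_len = (uint16_t)need;
    hdr->sec_addr_len = (uint16_t)(addr_len + 1);
    memcpy(hdr->sec_addr, addr, addr_len + 1);   /* copies the NUL too */
    return need;
}
```

Sizing the destination with bind_ack_size_buggy makes build_bind_ack return 0 rather than write one byte past the end; with a build that has no runtime check, that single byte is exactly what __strcpy_chk reported above.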