
Bug#985812: libax25: long serial device symlinks break kissattach (in libax25)



Package: libax25
Version: 0.0.12-rc5+git20190411+b17ff36-3.1
Severity: important
Tags: patch

Dear Maintainer,

I ran into a problem with kissattach, but the buffer overflow was
actually happening in libax25:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x76e69230 in __GI_abort () at abort.c:79
#2  0x76eb951c in __libc_message (action=<optimized out>, fmt=<optimized out>)
 at ../sysdeps/posix/libc_fatal.c:181
#3  0x76f3b6fc in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true,
 msg=0x76f824d8 "buffer overflow detected") at fortify_fail.c:28
#4  0x76f3b748 in __GI___fortify_fail (msg=<optimized out>) at fortify_fail.c:44
#5  0x76f395c8 in __GI___chk_fail () at chk_fail.c:28
#6  0x76f38a60 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
#7  0x76ebdd04 in __GI__IO_default_xsputn (n=<optimized out>, data=<optimized out>, f=<optimized out>)
 at libioP.h:839
#8  __GI__IO_default_xsputn (f=0x7efff400, data=<optimized out>, n=55) at genops.c:370
#9  0x76e93800 in _IO_vfprintf_internal (s=s@entry=0x7efff400, format=format@entry=0x76fa7180
+"%s/LCK..%s",
 ap=..., ap@entry=...) at ../libio/libioP.h:839
#10 0x76f38b00 in ___vsprintf_chk (s=s@entry=0x7efff500
+"/var/lock/LCK..usb-Coastal_ChipWorks_TNC-X_by_W2F",
 flags=flags@entry=1, slen=slen@entry=50, format=0x76fa7180 "%s/LCK..%s",
 format@entry=0xf571100 <error: Cannot access memory at address 0xf571100>, args=..., args@entry=...)
 at vsprintf_chk.c:83
#11 0x76f38a2c in ___sprintf_chk (s=s@entry=0x7efff500
+"/var/lock/LCK..usb-Coastal_ChipWorks_TNC-X_by_W2F",
 flags=flags@entry=1, slen=slen@entry=50, format=0x76fa7180 "%s/LCK..%s") at sprintf_chk.c:31
#12 0x76fa672c in sprintf (__fmt=0x76fa7180 "%s/LCK..%s",
 __s=0x7efff500 "/var/lock/LCK..usb-Coastal_ChipWorks_TNC-X_by_W2F")
 at /usr/include/arm-linux-gnueabihf/bits/stdio2.h:36
#13 tty_is_locked (
 tty=tty@entry=0x7efff882 "/dev/serial/by-id/usb-Coastal_ChipWorks_TNC-X_by_W2FS_FT3PPKKT-if00-port0")
 at ttyutils.c:112
#14 0x000112b8 in main (argc=3, argv=<optimized out>) at kissattach.c:294

Ran into it in Raspbian, Debian buster, and in the latest package in testing...
Upstream has fixed it here: http://git.linux-ax25.org/cgit/libax25.git/patch/?id=f7e4a620aaa061bca62c2cef7dd508157e482c68

I added the patch locally and tested the fix here, and it seems to work.

-- System Information:
Debian Release: 10.8
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-14-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libax25 depends on:
ii  libc6   2.28-10
ii  zlib1g  1:1.2.11.dfsg-1

libax25 recommends no packages.

libax25 suggests no packages.

-- Configuration Files:
/etc/ax25/axports changed:
1	K6FSM-5		1200	255	2	2m radio


-- no debconf information
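
Added example, not part of the original report and not the upstream patch: a bounded way to build the "%s/LCK..%s" lock path that frames #10 to #13 show overflowing a 50-byte buffer. The function names, the LOCKDIR macro and the basename handling are assumptions made for illustration; the sample path is the one from the backtrace.

```c
#include <stdio.h>
#include <string.h>

#define LOCKDIR "/var/lock"   /* lock directory seen in the backtrace (assumed fixed here) */

/* Constructed sample input: the by-id symlink path from the report. */
static const char *SAMPLE_TTY =
    "/dev/serial/by-id/usb-Coastal_ChipWorks_TNC-X_by_W2FS_FT3PPKKT-if00-port0";

/* Return the last path component of tty (hypothetical helper). */
static const char *tty_basename(const char *tty)
{
    const char *slash = strrchr(tty, '/');
    return slash ? slash + 1 : tty;
}

/* Bytes "%s/LCK..%s" needs for this tty, excluding the terminating NUL. */
size_t lock_path_len(const char *tty)
{
    return strlen(LOCKDIR) + strlen("/LCK..") + strlen(tty_basename(tty));
}

/* Build the lock path into out. Returns 0 on success, -1 if it does not
 * fit; on failure out is left as an empty string, never a truncated path,
 * so a caller cannot lock or test the wrong file by accident. */
int build_lock_path(char *out, size_t outlen, const char *tty)
{
    int n = snprintf(out, outlen, "%s/LCK..%s", LOCKDIR, tty_basename(tty));
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[50];    /* same size as slen=50 in frames #10 and #11 */
    char big[4096];

    printf("path needs %zu bytes plus NUL\n", lock_path_len(SAMPLE_TTY));
    printf("50-byte buffer: %s\n",
           build_lock_path(small, sizeof small, SAMPLE_TTY) ? "rejected" : "ok");
    if (build_lock_path(big, sizeof big, SAMPLE_TTY) == 0)
        puts(big);
    return 0;
}
```
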