
Re: ibus/CVE-2019-14822/glibc



Without the patch:

(jessie-amd64-sbuild)brian@silverfish:/build/glib2.0-0E5btb/glib2.0-2.42.1$ /build/glib2.0-0E5btb/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor -k --tap
# random seed: R02Sd9f3f21d68a58e8c21843edb3e297722
# Start of network-monitor tests
ok 1 /network-monitor/default
ok 2 /network-monitor/remove_default
ok 3 /network-monitor/add_networks
ok 4 /network-monitor/remove_networks
# End of network-monitor tests
1..4


With the 2nd patch it hangs; I pressed Ctrl-C to abort:

(jessie-amd64-sbuild)brian@silverfish:/$ /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor  -k --tap
# random seed: R02Sfd80eb1bd64b09d0b63ad8bcdfd117d2
# Start of network-monitor tests
^C


With strace:

[...]
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_ROUTE) = 4
bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000440}, 12) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
rt_sigaction(SIGPIPE, {SIG_IGN, [PIPE], SA_RESTORER|SA_RESTART, 0x7fe1368420e0}, {SIG_DFL, [], 0}, 8) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
getsockopt(4, SOL_SOCKET, SO_TYPE, [3], [4]) = 0
getsockname(4, {sa_family=AF_NETLINK, pid=29141, groups=00000440}, [12]) = 0
getsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [0], [4]) = 0
fcntl(4, F_GETFL)                       = 0x2 (flags O_RDWR)
fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK)    = 0
setsockopt(4, SOL_SOCKET, SO_PASSCRED, [1], 4) = 0
poll([{fd=4, events=POLLOUT}], 1, 4294967295) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\21\0\0\0\32\0\1\3\0\0\0\0\0\0\0\0\0\0\0\0", 20, MSG_NOSIGNAL, NULL, 0) = 20
poll([{fd=4, events=POLLIN}], 1, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{NULL, 0}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS{pid=0, uid=0, gid=0}}, msg_flags=MSG_TRUNC|MSG_CMSG_CLOEXEC}, MSG_PEEK|MSG_TRUNC|MSG_CMSG_CLOEXEC) = 848
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
geteuid()                               = 1000
getegid()                               = 1000
futex(0x7fe136ec6568, FUTEX_WAKE, 2147483647) = 0
poll([{fd=4, events=POLLIN}], 1, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"<\0\0\0\30\0\2\0\0\0\0\0\325q\0\0\2\0\0\0\376\20\0\1\0\0\0\0\10\0\17\0"..., 848}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS{pid=0, uid=0, gid=0}}, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 848
geteuid()                               = 1000
getegid()                               = 1000
poll([{fd=4, events=POLLIN}], 1, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{NULL, 0}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS{pid=0, uid=0, gid=0}}, msg_flags=MSG_TRUNC|MSG_CMSG_CLOEXEC}, MSG_PEEK|MSG_TRUNC|MSG_CMSG_CLOEXEC) = 928
geteuid()                               = 1000
getegid()                               = 1000
poll([{fd=4, events=POLLIN}], 1, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"t\0\0\0\30\0\2\0\0\0\0\0\325q\0\0\n\200\0\0\376\2\0\1\0\0\0\0\10\0\17\0"..., 928}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS{pid=0, uid=0, gid=0}}, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 928
geteuid()                               = 1000
getegid()                               = 1000
poll([{fd=4, events=POLLIN}], 1, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{NULL, 0}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS{pid=0, uid=0, gid=0}}, msg_flags=MSG_TRUNC|MSG_CMSG_CLOEXEC}, MSG_PEEK|MSG_TRUNC|MSG_CMSG_CLOEXEC) = 20
geteuid()                               = 1000
getegid()                               = 1000
poll([{fd=4, events=POLLIN}], 1, 4294967295) = 1 ([{fd=4, revents=POLLIN}])
recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\0\0\0\0\325q\0\0\0\0\0\0", 20}], msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, cmsg_type=SCM_CREDENTIALS{pid=0, uid=0, gid=0}}, msg_flags=MSG_CMSG_CLOEXEC}, MSG_CMSG_CLOEXEC) = 20
geteuid()                               = 1000
getegid()                               = 1000
poll([{fd=4, events=POLLIN}], 1, 4294967295

[Hangs here]


I am not 100% sure of the protocol here, but I suspect the server is
asking for authentication, the client is not providing it, and
eventually the server stops talking.

gdb session (note: I had to override the shell because the default is zsh,
which did not exist in my chroot and caused problems for gdb):


(jessie-amd64-sbuild)brian@silverfish:/build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb$ SHELL=/bin/sh gdb /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor       
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor...done.
(gdb) r
Starting program: /build/glib2.0-sBwZ3c/glib2.0-2.42.1/debian/build/deb/gio/tests/.libs/lt-network-monitor 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
/network-monitor/default: ^C
Program received signal SIGINT, Interrupt.
0x00007ffff7030ad0 in __poll_nocancel () at ../sysdeps/unix/syscall-template.S:81
81      ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0  0x00007ffff7030ad0 in __poll_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ffff7ad6f05 in g_socket_condition_timed_wait (socket=<optimized out>, condition=<optimized out>, timeout=<optimized out>, cancellable=0x0, error=0x7fffffffe5c8)
    at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gsocket.c:3655
#2  0x00007ffff7ad7d84 in g_socket_receive_message (socket=0x61d130, address=address@entry=0x0, vectors=<optimized out>, vectors@entry=0x7fffffffe5d0, num_vectors=<optimized out>, num_vectors@entry=1, 
    messages=messages@entry=0x0, num_messages=num_messages@entry=0x0, flags=0x7fffffffe5bc, cancellable=0x0, error=0x7fffffffe5c8) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gsocket.c:4231
#3  0x00007ffff7b03c15 in read_netlink_messages (socket=socket@entry=0x0, condition=condition@entry=G_IO_IN, user_data=user_data@entry=0x6129e0)
    at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gnetworkmonitornetlink.c:312
#4  0x00007ffff7b045af in g_network_monitor_netlink_initable_init (initable=0x6129e0, cancellable=<optimized out>, error=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/gnetworkmonitornetlink.c:141
#5  0x00007ffff7abe2ca in g_initable_new_valist (object_type=<optimized out>, first_property_name=0x0, var_args=0x7fffffffe6b0, cancellable=0x0, error=0x0)
    at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/ginitable.c:228
#6  0x00007ffff7abe3b6 in g_initable_new (object_type=<optimized out>, cancellable=cancellable@entry=0x0, error=error@entry=0x0, first_property_name=first_property_name@entry=0x0)
    at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/ginitable.c:146
#7  0x00007ffff7ac14a6 in try_implementation (extension=<optimized out>, verify_func=verify_func@entry=0x0) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/giomodule.c:755
#8  0x00007ffff7ac1620 in _g_io_module_get_default (extension_point=0x7ffff7b69e9f "gio-network-monitor", envvar=0x7ffff7b6b945 "GIO_USE_NETWORK_MONITOR", verify_func=0x0)
    at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/giomodule.c:857
#9  0x0000000000402482 in test_default () at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/tests/network-monitor.c:241
#10 0x00007ffff736b3d3 in test_case_run (tc=0x614990) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2059
#11 g_test_run_suite_internal (suite=suite@entry=0x611240, path=path@entry=0x7ffff73c5f5e "") at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2120
#12 0x00007ffff736b5a2 in g_test_run_suite_internal (suite=suite@entry=0x611220, path=<optimized out>, path@entry=0x7ffff73c5f5e "") at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2131
#13 0x00007ffff736b90b in g_test_run_suite (suite=0x611220) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:2184
#14 0x00007ffff736b941 in g_test_run () at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./glib/gtestutils.c:1488
#15 0x0000000000401461 in main (argc=1, argv=0x7fffffffeb68) at /build/glib2.0-sBwZ3c/glib2.0-2.42.1/./gio/tests/network-monitor.c:536

-- 
Brian May <bam@debian.org>

