BenningtonCS / Telescope-2014


Buffer Overflow in rot2() function in Sport.c #55

Closed Berrescuda closed 10 years ago

Berrescuda commented 10 years ago

Currently there's a bug in the sport.c code that doesn't allow it to run without causing a seg fault. A buffer variable is declared that's one element too short at the top of rot2(). I'll fix this and push the code to the git.

acencini commented 10 years ago

i'm confused by this - so you have

char command[13];

then later sprintf to it:

sprintf(command, "W%04d%c%04d%c%c ", (int) az + 360, 1, (int) el + 360, 1, cmd);

is the line above the source of the segfault?

i am a little rusty on the code and best practices here but one thing that might be safer here if we're dealing with potentially odd data coming in would be to replace sprintf with snprintf to ensure the command buffer and resulting string are of the same length. probably not a bad idea to consider this anyway though it might be overkill (unless it does pose a potential security vulnerability). a hokey stackoverflow discussion is here (first link on google for sprintf vs snprintf)

http://stackoverflow.com/questions/7315936/which-of-sprintf-snprintf-is-more-secure

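Counting the format string above: "W", two %04d fields, three single bytes and the trailing space come to 13 characters, so with the terminating NUL the command needs 14 bytes and char command[13] is exactly one short. The following is an added example, not the Telescope-2014 code, that shows this with snprintf(NULL, 0, ...) and a return-value check; the az/el values and the helper names are constructed.

```c
#include <stdio.h>

/* Added example, not the Telescope-2014 project's code. The format string is
 * the one quoted in the thread: "W" + 4 digits + 1 byte + 4 digits + 1 byte +
 * 1 byte + " " = 13 characters, so the terminating NUL makes 14 bytes and
 * char command[13] is exactly one short. */
#define ROT2_CMD_LEN 13                   /* characters in a nominal command */
#define ROT2_CMD_BUF (ROT2_CMD_LEN + 1)   /* plus the NUL terminator */
#define ROT2_FMT "W%04d%c%04d%c%c "

/* Number of characters (excluding the NUL) that sprintf would write for
 * these inputs, computed without touching any buffer. Note that %04d is a
 * minimum width: az + 360 >= 10000 or a large negative az produces more than
 * four digits, so the length is not constant. */
int rot2_command_length(double az, double el, char cmd)
{
    return snprintf(NULL, 0, ROT2_FMT, (int)az + 360, 1, (int)el + 360, 1, cmd);
}

/* Bounded replacement for the sprintf in rot2(). Never writes past buf;
 * returns 0 when the full command fit and -1 when it was truncated (the case
 * in which sprintf would have overflowed). */
int rot2_format_command(char *buf, size_t bufsize, double az, double el, char cmd)
{
    int n = snprintf(buf, bufsize, ROT2_FMT, (int)az + 360, 1, (int)el + 360, 1, cmd);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return 0;
}

/* Would the command for these inputs fit in a buffer of bufsize bytes? */
int rot2_fits(size_t bufsize, double az, double el, char cmd)
{
    char tmp[64];                         /* ample for any int-width expansion */
    if (bufsize > sizeof tmp)
        bufsize = sizeof tmp;
    return rot2_format_command(tmp, bufsize, az, el, cmd) == 0;
}

int main(void)
{
    char command[ROT2_CMD_BUF];
    double az = 180.0, el = 45.0;         /* constructed pointing values */

    printf("nominal command: %d chars + NUL\n", rot2_command_length(az, el, 'M'));
    printf("fits in char command[13]? %s\n", rot2_fits(13, az, el, 'M') ? "yes" : "no");
    printf("fits in char command[14]? %s\n", rot2_fits(14, az, el, 'M') ? "yes" : "no");

    /* Out-of-range azimuth: %04d grows to five digits, so even 14 bytes is
     * not enough; snprintf truncates instead of overwriting the stack. */
    if (rot2_format_command(command, sizeof command, 9999.0, el, 'M') < 0)
        printf("az=9999: %d chars needed, truncated safely\n",
               rot2_command_length(9999.0, el, 'M'));
    return 0;
}
```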

edaniszewski commented 10 years ago

We found that the buffer overflow actually occurs in plot.c, in a sprintf call, around line 309. The error comes about on the second pass through the for loop and it seems that there is something funny with the math going on. @Kgespada and @vpascow will meet again on Monday to try and resolve the issue. Later today or tomorrow, I will try and post additional details on our findings.

acencini commented 10 years ago

nice

since you are all in OS, once you figure this out, you might want to see if you can smash the stack and put a different return address into memory such that the program does something evil (since you're running as root)

http://www.phearless.org/istorija/razno/buffer-overflow-example.txt

i say this from the os-class perspective, not the telescope class perspective (so, in other words, figure out the srtn issues before bothering with this little diversion)


edaniszewski commented 10 years ago

the section of code in plot.c that is giving us trouble is:

            ddt = d1.tsys * (max - min) / max;
            if (d1.bsw)
                ddt = (max - min);
            if (d1.tsys > 0.0) {
                if (!d1.bsw || iav == 1) {
                    if (d1.caldone)
                        sprintf(txt, "fs %5.2fK Tant %4.1fK", ddt, d1.tant);
                    else
                        sprintf(txt, "fs %5.2fK pwr %4.1f", ddt, pwr);

Lines 300-308

This is all contained in a for loop that seems like it should loop 3 times. The first loop through is fine, the second loop through, it gets the buffer overflow on line 308 (last line in code snippet above), since char txt[80] and printing out the value of ddt, we get a very large negative number. Looking at where ddt was set (top of the code snippet), we found max = -1598689907, and min = 1051772663 which doesn't make sense, as the max is less than the min.

acencini commented 10 years ago

what is ddt? should it be signed or unsigned? i am confused as to why:

    max = 1e-6;
    min = 1e99;

as well, but it seems like this might be intentional, though who knows. i would think max and min would be flipped but do not know what the intent is.

longer view - if you convert from sprintf to snprintf and fix the length of the snprintf to be within the bounds of the buffer, would that help?


edaniszewski commented 10 years ago

It looks like ddt is defined as a double. The max/min sizes are odd to me as well, but it does seem intentional the way it was written. The problem this results in on the UI, is that the temperature reported is a massive negative number, which is clearly wrong 1. because the number is unreasonable, 2. it is negative and measured in Kelvin.

As to what ddt may stand for, I am unsure. I searched the project folder and it appears it is only used in plot.c, but there is no description that I have found within the file that describes it. The only thing that comes to mind is it may be using the calculus notation of d/dt to describe the change in something...

I'll look into using snprintf

edaniszewski commented 10 years ago

It looks like using snprintf got rid of the buffer overflow problem, but the effect of a large temp readout still exists, and it doesn't appear to actually be displaying data from the feed/dongle.

edaniszewski commented 10 years ago

also, I just noticed that the integral field, the field that keeps track of the number of seconds passed, is displaying as a negative NaN.

edaniszewski commented 10 years ago

It now appears that the result described below was a result of the way the debug message was printing out the values. I changed the debug messages and the data for simulated antenna motion seemed good, but the data for non-simulated antenna motion are still showing as obscenely large.

I took out some of the debug messages we had, just leaving ones printing out values, and ran srtn while antenna motion was simulated. Interestingly, there are times when values similarly large as ours flash by on screen. [ image below associated with crossed out text ]

acencini commented 10 years ago

this is not entirely relevant but may be something for people to tuck away for a time long in the future: http://danluu.com/edit-binary/

edaniszewski commented 10 years ago

We spent some time going over the code again tonight. Tried with a clean build -- got the same results as with our edited version of the code. The buffer overflow seems to be able to be 'fixed' in two ways -- increasing the allocated memory from 80 bytes to about 150 bytes, or using snprintf. While both methods prevent a buffer overflow, the data in the system is still incorrect, but we believe the problems are originating in plot.c, specifically the repaint function.

We attempted disabling the display by setting a flag in the config file, and the problems we were seeing did not exist, unsurprisingly since Repaint was not being called. We were still unable to get the rotator to move in the display-less mode.

edaniszewski commented 10 years ago

Doing some archaeology.. did a diff of srtnver2 and srtnver3 code and pushed it to the repo under out.txt. Will look through and see what changed and if any of the changes could be the culprit.

acencini commented 10 years ago

i'm groping here but what if you enable the -fstack-protector option in gcc (and set the damn buffer size in sport.c back to 13!).

i'm not sure if gcc on ubuntu is using the stack guard or not, but i'd like to see a clean build with and without the stack protector (-fno-stack-protector) options. i am getting a sneaky suspicion that:

(a) y'all may be right about there being buffer overruns in the code and (b) they may have been there all along but not harmed anything but gcc on ubuntu might be guarding the stack causing the program to terminate

this is just a loopy guess.

actually, thinking a bit about the stack and all that it may be the case that a buffer overrun here or somewhere else is causing weirdness somewhere by pooping on the stack. everything we're dealing with is statically allocated (on the stack), so there is a reasonable chance that we are seeing something weird that has to do with our platform/compiler/architecture that may not be visible on another platform where the compiler/architecture organizes the program differently.

@hcrowl - this is a shot in the dark, but would you mind finding out what platform our colleague at wesleyan is running on? architecture (32/64 bit, assuming intel?) and os (flavor and version)? if we know of a "known good" platform, we might be able to backtrack and see if there are differences in our setup vs theirs that may be contributing to what we're seeing.

there are tools and techniques for debugging this type of problem (i must admit that i have a lot of experience with debugging but am constantly learning so this is something we'll all learn together), so we'll eventually figure out what's going on.

two things bother me terribly:
- the min/max comparison seems wonky - nothing should be smaller than 1e99!
- the sprintf format string is correctly formed and should limit the precision of the floating point representation of the values provided. this seems suspicious.

these may or may not be the problem, or just symptoms. such is debugging. we know the stack is getting smashed, so we'll need to look closely at it at critical points to see what's shaking.

more soon.

acencini commented 10 years ago

from the gcc man page:

-fstack-protector Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

       NOTE: In Ubuntu 6.10 and later versions this option is enabled by default for C, C++,
       ObjC, ObjC++, if none of -fno-stack-protector, -nostdlib, nor -ffreestanding are
       found.

use -fno-stack-protector with original buffer sizes and see what happens.

acencini commented 10 years ago

http://en.wikibooks.org/wiki/Linux_Applications_Debugging_Techniques/Stack_corruption

acencini commented 10 years ago

http://intquestion.wordpress.com/2008/09/14/how-to-debug-a-corrupted-stack/

we would occasionally ask devs this on interviews, but i never did. a good read.

edaniszewski commented 10 years ago

Tried using the flags you suggested.. it doesn't seem like either makes much of a difference from a clean install (only changes are in srtnmake to include gtk2.0+ and add the flag, and srt.cat to turn off rotator and dongle simulation)

-fstack-protector

edaniszewski@BCDL52255:~/radio/srtnver3$ ./srtnmake 
main.c: In function ‘main’:
main.c:62:12: warning: variable ‘secstart’ set but not used [-Wunused-but-set-variable]
main.c:60:12: warning: variable ‘ii’ set but not used [-Wunused-but-set-variable]
main.c:59:14: warning: variable ‘color’ set but not used [-Wunused-but-set-variable]
main.c: In function ‘gauss’:
main.c:555:16: warning: variable ‘j’ set but not used [-Wunused-but-set-variable]
vspectra_four.c: In function ‘vspectra’:
vspectra_four.c:33:28: warning: variable ‘min’ set but not used [-Wunused-but-set-variable]
vspectra_four.c:33:12: warning: variable ‘avsig’ set but not used [-Wunused-but-set-variable]
vspectra_four.c:31:43: warning: variable ‘r’ set but not used [-Wunused-but-set-variable]
disp.c: In function ‘clearpaint’:
disp.c:440:18: warning: variable ‘update_rect’ set but not used [-Wunused-but-set-variable]
outfile.c: In function ‘outfile’:
outfile.c:16:16: warning: variable ‘n’ set but not used [-Wunused-but-set-variable]
sport.c: In function ‘rot2’:
sport.c:402:25: warning: variable ‘i’ set but not used [-Wunused-but-set-variable]
sport.c:402:17: warning: variable ‘status’ set but not used [-Wunused-but-set-variable]
sport.c:408:15: warning: ignoring return value of ‘system’, declared with attribute warn_unused_result [-Wunused-result]
cal.c: In function ‘cal’:
cal.c:18:24: warning: variable ‘ixe’ set but not used [-Wunused-but-set-variable]
srthelp.c: In function ‘display_help’:
srthelp.c:39:14: warning: variable ‘color’ set but not used [-Wunused-but-set-variable]
srthelp.c: In function ‘load_help’:
srthelp.c:254:10: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result [-Wunused-result]
srthelp.c:258:14: warning: ignoring return value of ‘fgets’, declared with attribute warn_unused_result [-Wunused-result]
velspec.c: In function ‘velspec’:
velspec.c:19:14: warning: variable ‘color’ set but not used [-Wunused-but-set-variable]
velspec.c: In function ‘vplot’:
velspec.c:162:15: warning: variable ‘jmax’ set but not used [-Wunused-but-set-variable]
librtlsdr.c: In function ‘rtlsdr_open’:
librtlsdr.c:1267:13: warning: variable ‘rt’ set but not used [-Wunused-but-set-variable]
tuner_r820t.c: In function ‘R828_RfGainMode’:
tuner_r820t.c:2859:11: warning: variable ‘LnaGain’ set but not used [-Wunused-but-set-variable]
tuner_r820t.c:2858:11: warning: variable ‘MixerGain’ set but not used [-Wunused-but-set-variable]
edaniszewski@BCDL52255:~/radio/srtnver3$ sudo ./srtn
initializing antenna controller
*** buffer overflow detected ***: ./srtn terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x65)[0xb70d4065]
/lib/i386-linux-gnu/libc.so.6(+0x102e1a)[0xb70d2e1a]
/lib/i386-linux-gnu/libc.so.6(+0x102478)[0xb70d2478]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x91)[0xb7043501]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x80e)[0xb70132be]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xc9)[0xb70d2549]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0xb70d245f]
./srtn[0x8056bef]
./srtn[0x804af72]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb6fe94d3]
./srtn[0x804c245]

-fno-stack-protector

edaniszewski@BCDL52255:~/radio/srtnver3$ ./srtnmake 
(same compiler warnings as the -fstack-protector build above)
edaniszewski@BCDL52255:~/radio/srtnver3$ sudo ./srtn
initializing antenna controller
*** buffer overflow detected ***: ./srtn terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x65)[0xb7034065]
/lib/i386-linux-gnu/libc.so.6(+0x102e1a)[0xb7032e1a]
/lib/i386-linux-gnu/libc.so.6(+0x102478)[0xb7032478]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x91)[0xb6fa3501]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x80e)[0xb6f732be]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xc9)[0xb7032549]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0xb703245f]
./srtn[0x805698d]
./srtn[0x804aeba]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb6f494d3]
./srtn[0x804c151]
b67d9000-b6800000 r-xp 00000000 08:05 5399511    /lib/i386-linux-gnu/libpng12.so.0.49.0
b6800000-b6801000 r--p 00026000 08:05 5399511    /lib/i386-linux-gnu/libpng12.so.0.49.0
b6801000-b6802000 rw-p 00027000 08:05 5399511    /lib/i386-linux-gnu/libpng12.so.0.49.0
b6802000-b68a8000 r-xp 00000000 08:05 2498634    /usr/lib/i386-linux-gnu/libpixman-1.so.0.30.2
b68a8000-b68ad000 r--p 000a6000 08:05 2498634    /usr/lib/i386-linux-gnu/libpixman-1.so.0.30.2
b68ad000-b68ae000 rw-p 000ab000 08:05 2498634    /usr/lib/i386-linux-gnu/libpixman-1.so.0.30.2
b68ae000-b68af000 rw-p 00000000 00:00 0 
b68af000-b68b2000 r-xp 00000000 08:05 5399470    /lib/i386-linux-gnu/libdl-2.15.so
b68b2000-b68b3000 r--p 00002000 08:05 5399470    /lib/i386-linux-gnu/libdl-2.15.so
b68b3000-b68b4000 rw-p 00003000 08:05 5399470    /lib/i386-linux-gnu/libdl-2.15.so
b68b4000-b68d4000 r-xp 00000000 08:05 2450497    /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b68d4000-b68d5000 r--p 0001f000 08:05 2450497    /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b68d5000-b68d6000 rw-p 00020000 08:05 2450497    /usr/lib/i386-linux-gnu/libxcb.so.1.1.0
b68d6000-b696b000 r-xp 00000000 08:05 2450178    /usr/lib/i386-linux-gnu/libfreetype.so.6.9.0
b696b000-b696f000 r--p 00094000 08:05 2450178    /usr/lib/i386-linux-gnu/libfreetype.so.6.9.0
b696f000-b6970000 rw-p 00098000 08:05 2450178    /usr/lib/i386-linux-gnu/libfreetype.so.6.9.0
b6970000-b6977000 r-xp 00000000 08:05 5399518    /lib/i386-linux-gnu/librt-2.15.so
b6977000-b6978000 r--p 00006000 08:05 5399518    /lib/i386-linux-gnu/librt-2.15.so
b6978000-b6979000 rw-p 00007000 08:05 5399518    /lib/i386-linux-gnu/librt-2.15.so
b6979000-b697e000 r-xp 00000000 08:05 2450145    /usr/lib/i386-linux-gnu/libffi.so.6.0.0
b697e000-b697f000 r--p 00005000 08:05 2450145    /usr/lib/i386-linux-gnu/libffi.so.6.0.0
b697f000-b6980000 rw-p 00006000 08:05 2450145    /usr/lib/i386-linux-gnu/libffi.so.6.0.0
b6980000-b6981000 rw-p 00000000 00:00 0 
b6981000-b6984000 r-xp 00000000 08:05 2450205    /usr/lib/i386-linux-gnu/libgmodule-2.0.so.0.3400.1
b6984000-b6985000 r--p 00002000 08:05 2450205    /usr/lib/i386-linux-gnu/libgmodule-2.0.so.0.3400.1
b6985000-b6986000 rw-p 00003000 08:05 2450205    /usr/lib/i386-linux-gnu/libgmodule-2.0.so.0.3400.1
b6986000-b6988000 r-xp 00000000 08:05 2450017    /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
b6988000-b6989000 r--p 00001000 08:05 2450017    /usr/lib/i386-linux-gnu/libXdamage.so.1.1.0
edaniszewski@BCDL52255:~/radio/srtnver3$ 
acencini commented 10 years ago

ok well i guess we can check that one off the list

i'm curious to see what platform is being used at wesleyan. obviously, something's not right here and we should debug the hell out of it, but i'm curious why this very workaday stuff would work for them.

also, with srtn v2 we should be able to simulate the antenna and make the rotator work, right? in that case we should theoretically see the buffer overflow in the cmd buffer in v2 since none of that code is different, right?

on the one hand, v2 is very similar to v3, but on the other hand, uh... it's not? in other words, i'm hoping v2 crashes "out of the box", as that would mean we live in an orderly universe and have a common problem on our hands. if it doesn't, then something is seriously horked in v3 and we have a carnival of sadness on our hands for real.

edaniszewski commented 10 years ago

I'm planning on trying out v2 tomorrow morning and seeing how that goes.. hopefully the universe is right and it breaks too? I guess we'll see!! Updates in the morning!

edaniszewski commented 10 years ago

acencini commented 10 years ago

see issue 67 re: the platform. if we can get things working on RHEL, then we can find and fix these problems (which iMHO are very real) at a more leisurely pace. and document all of this :)

edaniszewski commented 10 years ago

The universe is consistent. v2 has the same problems as v3 -- buffer overflow in sport.c, rot2() function, and buffer overflow in plot.c, Repaint() function. The same patches we applied in our v3 code were applied in the v2 code (changing buffer size from 13 to 14 in sport.c, and changing sprintf to snprintf in plot.c) and it appears the same absurdly large min value exists again and generates the same problems on the UI.
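
The `__sprintf_chk` / `__fortify_fail` frames in the backtrace pasted earlier in this thread are glibc's `_FORTIFY_SOURCE` check, which Ubuntu compiles in by default; that is why Ubuntu aborts on this write where a build without it may carry on silently. The following C is an added example, not code from the Telescope-2014 repository: it reproduces the sizing arithmetic of the `rot2()` command buffer (the `char command[13]` declaration and the `"W%04d%c%04d%c%c "` format string are quoted from the thread), and shows a checked replacement that refuses to emit a truncated rotator command instead of just swapping `sprintf` for `snprintf`. The function names and the sample `az`/`el` values are assumed for illustration.

```c
/* Added example (not the Telescope-2014 project's own code).
 * Format string and the original char command[13] are as quoted in the
 * issue thread; function names and sample values are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_FMT "W%04d%c%04d%c%c "

/* Bytes the formatted command needs, including the terminating NUL.
 * snprintf with a NULL buffer and size 0 returns the length that would
 * have been written, without writing anything (C99). For in-range
 * az/el this is 13 characters + NUL = 14: one more than char[13]. */
size_t rot2_cmd_needed(double az, double el, char cmd)
{
    int n = snprintf(NULL, 0, CMD_FMT, (int)az + 360, 1, (int)el + 360, 1, cmd);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Checked builder: writes the command into buf (capacity buflen) and
 * returns the number of characters written, or -1 if it would not fit.
 * snprintf alone would silently truncate; for a string that goes to real
 * rotator hardware, a short command is worse than no command. */
int rot2_build_cmd(char *buf, size_t buflen, double az, double el, char cmd)
{
    int n = snprintf(buf, buflen, CMD_FMT, (int)az + 360, 1, (int)el + 360, 1, cmd);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen) buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char too_small[13];   /* the thread's original declaration */
    char fixed[14];       /* the patch applied in the thread */

    printf("needed: %zu bytes\n", rot2_cmd_needed(45.0, 30.0, 'M'));
    printf("into char[13]: %d\n",
           rot2_build_cmd(too_small, sizeof too_small, 45.0, 30.0, 'M'));
    printf("into char[14]: %d\n",
           rot2_build_cmd(fixed, sizeof fixed, 45.0, 30.0, 'M'));
    /* Out-of-range input grows a %04d field past four digits; the checked
     * builder refuses rather than handing the hardware a truncated string. */
    printf("az=99999 into char[14]: %d\n",
           rot2_build_cmd(fixed, sizeof fixed, 99999.0, 30.0, 'M'));
    return 0;
}
```

The point of the return-value check is the plot.c half of the patch: changing `sprintf` to `snprintf` stops the overflow, but if the "absurdly large min value" mentioned above is what drives the string past the buffer, `snprintf` will now quietly truncate it and the UI will still be wrong; the place to look is the value, not only the buffer.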

acencini commented 10 years ago

ok good to know!

perhaps RHEL will solve all our problems and we can investigate this in a more orderly fashion. actually, i am going to see if we can spend some time in OS looking at debugging this (if we have a comparable RHEL instance up and running by then) since it is a great way to look at process space organization!

acencini commented 10 years ago

http://askubuntu.com/questions/318315/how-can-i-temporarily-disable-aslr-address-space-layout-randomization

this is how to disable address space layout randomization on ubuntu, btw.

and, happy birthday (yesterday), Erick: image
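
As an added companion to the ASLR link above (not code from the project), the following C shows how to turn off address-space randomization for just the process being debugged rather than system-wide: it reads the current `/proc/sys/kernel/randomize_va_space` setting, queries whether the running process already has randomization off, and re-executes a target with the `ADDR_NO_RANDOMIZE` personality flag, which is what `setarch -R` does under the hood. `personality()` and the flag are the documented Linux API; the function names here are assumptions.

```c
/* Added example (not the Telescope-2014 project's own code).
 * Per-process ASLR control on Linux; function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/personality.h>
#endif

/* System-wide setting: 0 = off, 1 = stack/mmap/vdso randomized,
 * 2 = heap as well (the Ubuntu default). Returns -1 if the file is not
 * readable (non-Linux host or a restricted sandbox). */
int aslr_sysctl_value(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return (v < 0 || v > 2) ? -1 : v;
}

/* 1 if this process already runs with ADDR_NO_RANDOMIZE (started via
 * setarch -R or exec_without_aslr below), else 0. */
int aslr_disabled_for_self(void)
{
#ifdef __linux__
    int p = personality(0xffffffff);   /* 0xffffffff queries without changing */
    return (p != -1 && (p & ADDR_NO_RANDOMIZE)) ? 1 : 0;
#else
    return 0;
#endif
}

/* Replace the current process with argv[0], ASLR disabled for it only.
 * The global randomize_va_space setting is left untouched.
 * Returns -1 on failure; does not return on success. */
int exec_without_aslr(char *const argv[])
{
#ifdef __linux__
    int p = personality(0xffffffff);
    if (p == -1 || personality((unsigned long)p | ADDR_NO_RANDOMIZE) == -1)
        return -1;
    execvp(argv[0], argv);
    return -1;                          /* execvp only returns on error */
#else
    (void)argv;
    return -1;
#endif
}

int main(int argc, char **argv)
{
    printf("randomize_va_space = %d\n", aslr_sysctl_value());
    printf("ASLR disabled for this process: %s\n",
           aslr_disabled_for_self() ? "yes" : "no");
    if (argc > 1) {
        /* usage: ./noaslr ./srtn   (srtn then sees stable stack/heap addresses) */
        if (exec_without_aslr(argv + 1) == -1)
            perror("exec_without_aslr");
        return 1;
    }
    return 0;
}
```

Disabling randomization per process keeps the rest of the machine hardened while you chase the overflow with a debugger, and it does not require `sudo` to write the sysctl. Note that it only makes addresses repeatable; the fortify abort in the backtrace above fires regardless of ASLR.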

edaniszewski commented 10 years ago

Thanks!! I like the dog-lobster - it looks like my dog, except red!

edaniszewski commented 10 years ago

Dependent on #67

edaniszewski commented 10 years ago

With 67 done, all we have to do for this is see if we still get the buffer overflow problem on Linux! If not, I'd say its good to close.

acencini commented 10 years ago

as this is known to be related to ubuntu not being srtn friendly, we should close all of the bugs we are sure are related to that scenario and open a single tracking work item which is just "make srtn work on ubuntu"

edaniszewski commented 10 years ago

I'll raise an issue for that now