Quadsam / dmenu-statusbar

A statusbar for dmenu
GNU Affero General Public License v3.0

Buffer Overflow #5

Open Quadsam opened 3 weeks ago

Quadsam commented 3 weeks ago

Getting a buffer overflow and coredump, not sure what is causing the issue yet.

Seems to be when writing to the status variable

Logs

Coredump info (coredumpctl info 1963)

           PID: 1963 (dmenustatus)
           UID: 1000 (quadsam)
           GID: 1000 (quadsam)
        Signal: 6 (ABRT)
     Timestamp: Sun 2024-08-18 12:17:25 MDT (8min ago)
  Command Line: /usr/bin/dmenustatus -f -q
    Executable: /usr/bin/dmenustatus
 Control Group: /user.slice/user-1000.slice/session-3.scope
          Unit: session-3.scope
         Slice: user-1000.slice
       Session: 3
     Owner UID: 1000 (quadsam)
       Boot ID: 3406a54e8da94db59462c720ba6752cb
    Machine ID: ad8d4ef758a94aa392d9417cd7457b6d
      Hostname: pegasus
       Storage: /var/lib/systemd/coredump/core.dmenustatus.1000.3406a54e8da94db59462c720ba6752cb.1963.1724005045000000.zst (present)
  Size on Disk: 40.2K
       Message: Process 1963 (dmenustatus) of user 1000 dumped core.

                Stack trace of thread 1963:
                #0  0x0000716af519d3f4 n/a (libc.so.6 + 0x963f4)
                #1  0x0000716af5144120 raise (libc.so.6 + 0x3d120)
                #2  0x0000716af512b4c3 abort (libc.so.6 + 0x244c3)
                #3  0x0000716af512c354 n/a (libc.so.6 + 0x25354)
                #4  0x0000716af522c799 __fortify_fail (libc.so.6 + 0x125799)
                #5  0x0000716af522c124 __chk_fail (libc.so.6 + 0x125124)
                #6  0x0000716af522db1a __strcat_chk (libc.so.6 + 0x126b1a)
                #7  0x00005c658482c381 strcat (dmenustatus + 0x1381)
                #8  0x0000716af512ce08 n/a (libc.so.6 + 0x25e08)
                #9  0x0000716af512cecc __libc_start_main (libc.so.6 + 0x25ecc)
                #10 0x00005c658482c945 _start (dmenustatus + 0x1945)
                ELF object binary architecture: AMD x86-64

Backtrace from GDB (gdb> thread apply all backtrace full)

Thread 1 (Thread 0x716af50ce2c0 (LWP 1963)):
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
        tid = <optimized out>
        ret = 0
        pd = <optimized out>
        old_mask = {__val = {23}}
        ret = <optimized out>
#1  0x0000716af519d463 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:78
No locals.
#2  0x0000716af5144120 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
        ret = <optimized out>
#3  0x0000716af512b4c3 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x20, sa_sigaction = 0x20}, sa_mask = {__val = {6786648855210017280, 0, 140721397189936, 101591911342992, 101591911411072, 100, 32, 140721397190128, 124704192526143, 101591911343744, 101591911343751, 101591911343752, 0, 140720308486146, 124704193122162, 1088703904}}, sa_flags = 907723264, sa_restorer = 0xb}
#4  0x0000716af512c354 in __libc_message_impl (fmt=fmt@entry=0x716af52ba16c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:132
        ap = {{gp_offset = 16, fp_offset = 23653, overflow_arg_area = 0x7ffc40e44ec0, reg_save_area = 0x7ffc40e44e50}}
        fd = 2
        iov = {{iov_base = 0x716af52ba16c, iov_len = 4}, {iov_base = 0x716af52ba153, iov_len = 24}, {iov_base = 0x716af52ba172, iov_len = 17}, {iov_base = 0x3000000030, iov_len = 140721397190376}, {iov_base = 0x7ffc40e44e20, iov_len = 6786648855210017280}, {iov_base = 0x7ffc40e44e60, iov_len = 124704192628220}, {iov_base = 0x5c65b5c98010, iov_len = 528}}
        iovcnt = <optimized out>
        total = <optimized out>
        cp = <optimized out>
#5  0x0000716af522c799 in __GI___fortify_fail (msg=msg@entry=0x716af52ba153 "buffer overflow detected") at fortify_fail.c:24
No locals.
#6  0x0000716af522c124 in __GI___chk_fail () at chk_fail.c:28
No locals.
#7  0x0000716af522db1a in __strcat_chk (dest=dest@entry=0x5c65b5c9a390 " 12:17:25 PM | 08/18/2024 | 100°C | 100% ", src=src@entry=0x5c65b5c9a680 "| 100% ", destlen=<optimized out>, destlen@entry=42) at strcat_chk.c:34
        s1 = <optimized out>
        s2 = <optimized out>
        c = <optimized out>
#8  0x00005c658482c381 in strcat (__dest=0x5c65b5c9a390 " 12:17:25 PM | 08/18/2024 | 100°C | 100% ", __src=0x5c65b5c9a680 "| 100% ") at /usr/include/bits/string_fortified.h:140
No locals.
#9  main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/dmenustatus/dmenustatus/src/dmenustatus.c:87
        step = 1
        status = 0x5c65b5c9a390 " 12:17:25 PM | 08/18/2024 | 100°C | 100% "
        datetime_buff = 0x5c65b5c9a9a0 " 12:17:25 PM | 08/18/2024 "
        cputemp_buff = 0x5c65b5c9a450 "| 100°C "
        battery_buff = 0x5c65b5c9a680 "| 100% "

Quadsam commented 3 weeks ago

Issue is at line 87 of dmenustatus.c, when writing the battery_buff to status

https://github.com/Quadsam/dmenu-statusbar/blob/c1a6ea8f9f6a37cd6148c38a253e6f9400cc8761/src/dmenustatus.c#L87
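An added example, not code from the dmenu-statusbar repository: it reproduces the arithmetic behind the backtrace above (a 42-byte status buffer receiving pieces of 26, 9 and 7 bytes, so the final strcat needs a 43rd byte for the NUL terminator) and shows a bounded append that drops a piece instead of overrunning the buffer. The piece strings are constructed from the GDB frame; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_LEN 42   /* destlen=42 reported by __strcat_chk in the backtrace */

/* Constructed pieces matching the buffers in GDB frame #9. The degree sign is
 * spelled as its two UTF-8 bytes so the length does not depend on encoding. */
static const char *DATETIME = " 12:17:25 PM | 08/18/2024 ";   /* 26 bytes */
static const char *CPUTEMP  = "| 100\xC2\xB0" "C ";             /* 9 bytes  */
static const char *BATTERY  = "| 100% ";                      /* 7 bytes  */

/* Bytes a plain strcat chain needs: all pieces plus the terminating NUL.
 * Here that is 43, one more than the 42-byte buffer, which is what the
 * fortified strcat detected. */
size_t needed_bytes(void) {
    return strlen(DATETIME) + strlen(CPUTEMP) + strlen(BATTERY) + 1;
}

/* Bounded append: 0 on success, -1 if src plus its NUL does not fit.
 * On failure dst is left unchanged and still NUL-terminated. */
int append_bounded(char *dst, size_t dstlen, const char *src) {
    size_t used = 0;
    while (used < dstlen && dst[used] != '\0') used++;   /* bounded strlen */
    size_t need = strlen(src);
    if (used >= dstlen || need >= dstlen - used)
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Builds the status line with bounds checks. Returns how many pieces were
 * dropped because they would not fit (0 means nothing was lost), -1 if len==0. */
int build_status(char *status, size_t len) {
    const char *pieces[] = { DATETIME, CPUTEMP, BATTERY };
    int dropped = 0;
    if (len == 0) return -1;
    status[0] = '\0';
    for (size_t i = 0; i < sizeof pieces / sizeof *pieces; i++)
        if (append_bounded(status, len, pieces[i]) != 0)
            dropped++;
    return dropped;
}

int main(void) {
    char status[STATUS_LEN];
    int dropped = build_status(status, sizeof status);
    printf("need %zu, have %d: \"%s\" (dropped %d)\n", needed_bytes(), STATUS_LEN, status, dropped);
    return 0;
}
```

Sizing the buffer from needed_bytes() (or using snprintf with the buffer size) removes the failure entirely; the bounded append is the fallback when the buffer size is fixed.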