
debcrafters-packages team mailing list archive

[Bug 2091440] Re: [UBUNTU 24.10] lftp: buffer overflow detected when accessing z/VM FTP server and changing the directory


Different examples

#8  0x00007ffff793ed35 in __GI___strcpy_chk (dest=0x7fffffffbdbe "",
src=0x7fffffffbddc "S1LP1", destlen=4) at ./debug/strcpy_chk.c:30

#8  0x00007ffff793e4b5 in __GI___strcpy_chk (dest=0x7fffffffbdae "",
src=0x7fffffffbdcc "hwe0003.191", destlen=10) at ./debug/strcpy_chk.c:30

See how this is too short by one at least?
Debugging this together we found that the s390x ftp does deliver a path which is neither absolute nor really relative.

BTW we can break it with debug enabled, which helps debugging.
To do so we need to keep -O2 and all the LTO and extra fortification.

It delivers this:
(gdb) p path2
$5 = 0x7fffffffbc40 "HWE0003.191/S1LP1"

the lftp code then adds the prefix "~/"
And that is added to the tokenized string that is built which breaks the length.

This fails when ! AbsolutePath

Dirty fix which worked in a try
instead of
      char *path2=alloca_strdup(path); // to re-assemble
use
      char *path2=alloca_strdup2(path,2); // to re-assemble + add space for potential ~/
^^ code suggestion credit goes to Jonas Jelten

See:

Breakpoint 1, Ftp::SendCWD (this=this@entry=0x555555741b50, path=path@entry=0x5555557ad7b0 "HWE0003.191/S1LP1", path_url=0x0, 
    c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/ftpclass.cc:622
622	{
(gdb) n
624	   if(QueryTriBool("ftp:use-tvfs",0,conn->tvfs_supported)) {
(gdb) n
628	   } else if(path_url) {
(gdb) 
653	      char *path1=alloca_strdup(path); // to split it
(gdb) 
654	      char *path2=alloca_strdup(path); // to re-assemble
(gdb) p path1
$3 = 0x7fffffffbc60 "HWE0003.191/S1LP1"
(gdb) p path2
$4 = <optimized out>
(gdb) n
655	      if(AbsolutePath(path)) {
(gdb) p path2
$5 = 0x7fffffffbc40 "HWE0003.191/S1LP1"
(gdb) n
687		 strcpy(path2,"~");
(gdb) 
688		 if(path1[0]=='~') {
(gdb) p path2
$6 = 0x7fffffffbc40 "~"
(gdb) n
694		 if(real_cwd && strcmp(real_cwd,"~")
(gdb) p real_cwd
$7 = {<xstring0> = {buf = 0x55555575f2e0 "HWE0003.191"}, size = 12, len = 11}
(gdb) n
695		 && (!home.path || strcmp(real_cwd,home.path))) {
(gdb) n
701	      int path2_len=strlen(path2);
(gdb) p path2_len
$8 = <optimized out>
(gdb) p path2
$9 = 0x7fffffffbc40 "~"
(gdb) n
702	      for(char *dir=strtok(path1,"/"); dir; dir=strtok(NULL,"/")) {
(gdb) p path2_len
$10 = 1
(gdb) p path1
$11 = 0x7fffffffbc60 "HWE0003.191/S1LP1"
(gdb) n
703		 if(path2_len>0 && path2[path2_len-1]!='/') {
(gdb) n
704		    strcpy(path2+path2_len,"/");
(gdb) n
705		    path2_len++;
(gdb) n
707		 strcpy(path2+path2_len,dir);
(gdb) p path2_len
$12 = 2
(gdb) p path2
$13 = 0x7fffffffbc40 "~/"
(gdb) p dir
$14 = 0x7fffffffbc60 "HWE0003.191"
(gdb) n
708		 path2_len+=strlen(dir);
(gdb) n
Ftp::SendCWD (this=this@entry=0x555555741b50, path=path@entry=0x5555557ad7b0 "HWE0003.191/S1LP1", path_url=<optimized out>, 
    c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/Ref.h:37
37	   T *operator->() const { return ptr; }
(gdb) return 
Make Ftp::SendCWD(char const*, char const*, Ftp::Expect::expect_t) return now? (y or n) n
Not confirmed
(gdb) n
Ftp::SendCWD (this=this@entry=0x555555741b50, path=path@entry=0x5555557ad7b0 "HWE0003.191/S1LP1", path_url=<optimized out>, 
    c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/ftpclass.cc:710
710		 expect->Push(new Expect(Expect::CWD_CURR,path2));
(gdb) n
702	      for(char *dir=strtok(path1,"/"); dir; dir=strtok(NULL,"/")) {
(gdb) n
703		 if(path2_len>0 && path2[path2_len-1]!='/') {
(gdb) p path2_len
$15 = 13
(gdb) p dir
$16 = 0x7fffffffbc6c "S1LP1"
(gdb) p path2
$17 = 0x7fffffffbc40 "~/HWE0003.191"
(gdb) n
704		    strcpy(path2+path2_len,"/");
(gdb) n
705		    path2_len++;
(gdb) n
707		 strcpy(path2+path2_len,dir);
(gdb) p path2_len
$18 = 14
(gdb) p path2
$19 = 0x7fffffffbc40 "~/HWE0003.191/"
(gdb) p dir
$20 = 0x7fffffffbc6c "S1LP1"
(gdb) n
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
Download failed: Invalid argument.  Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at ./nptl/pthread_kill.c:44
warning: 44	./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=6, no_tid=0) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:89
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:100
#3  0x00007ffff784279e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff78258cd in __GI_abort () at ./stdlib/abort.c:73
#5  0x00007ffff7826909 in __libc_message_impl (fmt=fmt@entry=0x7ffff79d879a "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:134
#6  0x00007ffff793d8f9 in __GI___fortify_fail (msg=msg@entry=0x7ffff79d8781 "buffer overflow detected") at ./debug/fortify_fail.c:24
#7  0x00007ffff793d274 in __GI___chk_fail () at ./debug/chk_fail.c:28
#8  0x00007ffff793ed35 in __GI___strcpy_chk (dest=0x7fffffffbc4e "", src=0x7fffffffbc6c "S1LP1", destlen=4) at ./debug/strcpy_chk.c:30
#9  0x0000555555640920 in strcpy (__dest=<optimized out>, __src=<optimized out>, __dest=<optimized out>, __src=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:81
#10 Ftp::SendCWD (this=this@entry=0x555555741b50, path=path@entry=0x5555557ad7b0 "HWE0003.191/S1LP1", path_url=<optimized out>, 
    c=c@entry=Ftp::Expect::CWD) at /root/lftp-4.9.2/src/ftpclass.cc:707
#11 0x00005555556471a4 in Ftp::Do (this=0x555555741b50) at /root/lftp-4.9.2/src/xstring.h:115
#12 0x0000555555608a5a in SMTask::Roll (task=0x555555741b50) at /root/lftp-4.9.2/src/SMTask.cc:171
#13 SMTask::Roll (task=0x555555741b50) at /root/lftp-4.9.2/src/SMTask.cc:165
#14 0x00005555555b7ba5 in SMTask::Roll (this=<optimized out>, this=<optimized out>) at /root/lftp-4.9.2/src/SMTask.h:123
#15 CmdExec::builtin_cd (this=0x555555732810) at /root/lftp-4.9.2/src/commands.cc:642
#16 0x00005555555abd62 in CmdExec::exec_parsed_command (this=this@entry=0x555555732810) at /root/lftp-4.9.2/src/CmdExec.cc:237
#17 0x00005555555ae875 in CmdExec::Do (this=0x555555732810) at /root/lftp-4.9.2/src/CmdExec.cc:500
#18 0x0000555555608b95 in SMTask::ScheduleThis (this=0x555555732810) at /root/lftp-4.9.2/src/SMTask.cc:209
#19 0x000055555560c52a in SMTask::Schedule () at /root/lftp-4.9.2/src/SMTask.cc:248
#20 0x00005555555a842d in Job::WaitDone (this=0x555555732810) at /root/lftp-4.9.2/src/Job.cc:557
#21 0x00005555555a1cef in main (argc=4, argv=0x7fffffffe228) at /root/lftp-4.9.2/src/SMTask.h:164

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to lftp in Ubuntu.
https://bugs.launchpad.net/bugs/2091440

Title:
  [UBUNTU 24.10] lftp: buffer overflow detected when accessing z/VM FTP
  server and changing the directory

Status in Ubuntu on IBM z Systems:
  Triaged
Status in lftp package in Ubuntu:
  New
Status in lftp source package in Noble:
  New
Status in lftp source package in Oracular:
  Won't Fix
Status in lftp source package in Plucky:
  New

Bug description:
  ---Problem Description---
  lftp: buffer overflow detected when accessing z/VM FTP server and changing the directory
   
  ---uname output---
  Linux lnxzvmd1 6.11.0-9-generic #9-Ubuntu SMP Mon Oct 14 12:18:15 UTC 2024 s390x s390x s390x GNU/Linux
   
  ---Steps to Reproduce---
   1. Connect with lftp to z/VM FTP server: 

  lftp -u hartmafk gdlvm7.pok.ibm.com

  2. Validate correct connection:

  ls
  > BOOKM    FILE     V         65          9          1 2016-08-10 04:45:31 HAR191
  > CPFMTXA  EXCORIG  V         63        711          7 2005-10-10 07:52:28 HAR191
  > CPFMTXA  EXEC     V         63        711          7 2005-10-10 07:52:28 HAR191
  > CPFMTXA  MODORIG  V         96          3          1 2005-10-14 09:30:44 HAR191
  > CPFMTXA  MODULE   V         96          3          1 2005-10-14 09:30:44 HAR191
  > CRUISE   LASTCMDS V         88         53          1 2024-12-04 09:28:24 HAR191
  > DDOPTS   OPTIONS  V         58          1          1 2002-12-03 16:26:24 HAR191

  3. Change directory to SFS directory or minidisk:

  cd HARTMAFK.191
  *** buffer overflow detected ***: terminated
  Aborted

  
   
  Machine Type = IBM/S390 3906 
   
  ---Debugger---
  A debugger is not configured
   
  Contact Information = frederik.hartmann@xxxxxxxxxx 
   
  Userspace tool common name: lftp 
   
  The userspace tool has the following bit modes: 64 

  Userspace rpm: lftp

  Userspace tool obtained from project website:  4.9.2-3ubuntu1 
   
  *Additional Instructions for frederik.hartmann@xxxxxxxxxx: 
  -Post a private note with access information to the machine that the bug is occurring on.
  -Attach ltrace and strace of userspace application.

  ===============================================================================
  This issue can only be reproduced when lftp is compiled without debug option.

  I was able to reproduce this issue with a self compiled lftp 4.9.3 on
  s390x with the default build and with a plain ./configure, I was NOT
  able to reproduce this issue with ./configure --with-debug

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/2091440/+subscriptions
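An added model of the re-assembly loop in Ftp::SendCWD discussed above (example code, not lftp's own and not part of this bug report) that computes the size the rebuilt path needs and refuses the copy when the buffer is too small, showing why alloca_strdup(path) is two bytes short for a non-absolute path and alloca_strdup2(path,2) is enough. It assumes AbsolutePath() can be approximated by a leading '/' and uses fixed arrays instead of alloca.

```c
#include <stdio.h>
#include <string.h>

#define MAXPATH 256

/* Model of the token-and-rebuild loop in lftp's Ftp::SendCWD (added example,
 * not lftp's code). `path` is split on '/' and re-assembled into `out`
 * (capacity `cap`), prefixed with "~" when it is not absolute, the branch the
 * gdb trace takes for "HWE0003.191/S1LP1". AbsolutePath() is approximated by
 * a leading '/'. Returns the bytes the result needs including the NUL, or 0
 * when it would not fit; on a misfit nothing is written, whereas lftp's
 * unchecked strcpy() chain leaves it to _FORTIFY_SOURCE to abort the process. */
static size_t rebuild_cwd(const char *path, char *out, size_t cap)
{
    char work[MAXPATH], tmp[MAXPATH + 2];   /* result is at most strlen+2 ("~/") */
    if (strlen(path) >= MAXPATH)
        return 0;
    strcpy(work, path);                     /* alloca_strdup(path) "to split it" */

    size_t len = 0;
    if (path[0] != '/')
        tmp[len++] = '~';                   /* lftp: strcpy(path2,"~") */
    for (char *dir = strtok(work, "/"); dir; dir = strtok(NULL, "/")) {
        if (len > 0 && tmp[len - 1] != '/')
            tmp[len++] = '/';               /* lftp: strcpy(path2+path2_len,"/") */
        memcpy(tmp + len, dir, strlen(dir)); /* lftp: strcpy(path2+path2_len,dir) */
        len += strlen(dir);
    }
    tmp[len] = '\0';

    if (len + 1 > cap)
        return 0;                           /* this is the check the original copy lacks */
    memcpy(out, tmp, len + 1);
    return len + 1;
}

/* The two buffer sizes under discussion: alloca_strdup(path) copies exactly
 * strlen+1 bytes; alloca_strdup2(path,2) reserves two more for the "~/". */
static size_t strdup_cap(const char *path)  { return strlen(path) + 1; }
static size_t strdup2_cap(const char *path) { return strlen(path) + 1 + 2; }

int main(void)
{
    const char *path = "HWE0003.191/S1LP1";  /* the path from the trace */
    char out[MAXPATH + 2];
    size_t n = rebuild_cwd(path, out, strdup_cap(path));
    printf("alloca_strdup:  cap %zu -> %s\n", strdup_cap(path), n ? out : "does not fit");
    n = rebuild_cwd(path, out, strdup2_cap(path));
    printf("alloca_strdup2: cap %zu -> %s (%zu bytes)\n", strdup2_cap(path), out, n);
    return 0;
}
```

The 17-byte path gets an 18-byte buffer from alloca_strdup, but "~/HWE0003.191/S1LP1" needs 20, which is the same 2-byte shortfall the trace shows as destlen=4 for the 6-byte copy of "S1LP1".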