[rrd-developers] segfaulting bug in rrdtool/rrdcached

James Brown jbrown at yelp.com
Wed Dec 28 02:40:47 CET 2011


There's a bug in the current HEAD of rrdtool (and I suppose going back to
mid-2007, from the svn blame output) which causes it to segfault if you
point it at an rrdcached socket which isn't writable. I've attached a patch
against trunk, and reproduction steps are below:

cd ~
mkdir rrds/
rrdtool create rrds/test.rrd DS:data:GAUGE:360:U:U RRA:MAX:0.5:1:120 -s 1
rrdtool update rrds/test.rrd N:0
# this one should work
rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s) \
    DEF:ds0=$HOME/rrds/test.rrd:data:MAX XPORT:ds0
# this one should segfault
rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s) \
    --daemon $HOME/this_path_does_not_exist.sock \
    DEF:ds0=$HOME/rrds/test.rrd:data:MAX XPORT:ds0

rrdtool is assuming that rrd_xport will always return -1 on failure;
however, rrd_xport returns errno (which is, generally, not -1) if
rrd_client fails. I figured it was easier to change rrdtool than to change
everything in rrd_client. For good measure, I also changed the checks on
the calls to rrd_fetch and rrd_graph. I'm not sure if they're susceptible
to the same problem, but, well, better to check for the one thing you do
want than to enumerate all the possible things you don't want.

This segfault is caused by an uninitialized variable use (in particular,
legend_v and col_cnt end up being used and passed to printf uninitialized).
Nothing offhand jumped out at me as easily-exploitable to do code
injection, but I only spent five or so minutes looking at it, so there very
well may be a security problem hiding behind this.

Cheers,
-- 
James Brown
Systems Engineer
Yelp, Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rrdtool_rrdcached_safety.diff
Type: application/octet-stream
Size: 1089 bytes
Desc: not available
Url : http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20111227/5138a142/attachment-0001.obj 
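
The return-value mismatch described in the message above, as an added example that is not part of the original post, the attached patch, or rrdtool's source. demo_xport, failed_eq_minus1, failed_nonzero and export_and_print are hypothetical names; demo_xport only imitates the contract the post describes (0 on success, an errno value on failure, out-parameters untouched on failure).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with the return contract described in the post:
 * 0 on success, an errno value (never -1) when the daemon socket cannot be
 * reached. On failure the out-parameters are left untouched. */
static int demo_xport(const char *daemon_sock, unsigned long *col_cnt,
                      const char ***legend_v)
{
    static const char *names[] = { "ds0" };
    if (daemon_sock != NULL)        /* constructed: every socket path fails */
        return ENOENT;
    *col_cnt = 1;
    *legend_v = names;
    return 0;
}

static int failed_eq_minus1(int rc) { return rc == -1; } /* only -1 is failure */
static int failed_nonzero(int rc)   { return rc != 0; }  /* anything but 0 is */

/* Returns the number of legends printed, or -1 if the call was seen to fail. */
static long export_and_print(const char *sock, int (*failed)(int))
{
    unsigned long col_cnt = 0;      /* initialised, so a missed failure reads */
    const char **legend_v = NULL;   /* 0/NULL instead of stack garbage        */
    int rc = demo_xport(sock, &col_cnt, &legend_v);
    if (failed(rc)) {
        fprintf(stderr, "export failed: %s\n", strerror(rc));
        return -1;
    }
    for (unsigned long i = 0; i < col_cnt; i++)
        printf("legend[%lu] = %s\n", i, legend_v[i]);
    return (long)col_cnt;
}

int main(void)
{
    /* The == -1 check misses the errno return and carries on as if the call
     * had succeeded; the != 0 check reports the failure. */
    printf("== -1 check returned %ld\n",
           export_and_print("/nonexistent.sock", failed_eq_minus1));
    printf("!= 0 check returned %ld\n",
           export_and_print("/nonexistent.sock", failed_nonzero));
    return 0;
}
```

With the out-parameters initialised, the missed failure degrades to an empty export instead of a crash, but only the != 0 check actually reports the error.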

