[rrd-developers] segfaulting bug in rrdtool/rrdcached

James Brown jbrown at yelp.com
Fri Jan 13 08:39:10 CET 2012


On Tue, Dec 27, 2011 at 5:40 PM, James Brown <jbrown at yelp.com> wrote:

> There's a bug in the current HEAD of rrdtool (and I suppose going back to
> mid-2007, from the svn blame output) which causes it to segfault if you
> point it at an rrdcached socket which isn't writable. I've attached a patch
> against trunk, and reproduction steps are below:
> cd ~
> mkdir rrds/
> rrdtool create rrds/test.rrd DS:data:GAUGE:360:U:U RRA:MAX:0.5:1:120 -s 1
> rrdtool update rrds/test.rrd N:0
> rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s)
> DEF:ds0=$HOME/rrds/test.rrd:data:MAX XPORT:ds0     *(this one should work)
> *
> rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s) --daemon
> $HOME/this_path_does_not_exist.sock DEF:ds0=$HOME/rrds/test.rrd:data:MAX
> XPORT:ds0    *(this one should segfault)*
> rrdtool is assuming that rrd_xport will always return -1 on failure;
> however, rrd_xport returns errno (which is, generally, not -1) if
> rrd_client fails. I figured it was easier to change rrdtool than to change
> everything in rrd_client. For good measure, I also changed the checks on
> the calls to rrd_fetch and rrd_graph. I'm not sure if they're susceptible
> to the same problem, but, well, better to check for the one thing you do
> what you want than to enumerate all the possible things you don't want.
> This segfault is caused by an uninitialized variable use (in particular,
> legend_v and col_cnt end up being used and passed to printf uninitialized).
> Nothing offhand jumped out at me as easily-exploitable to do code
> injection, but I only spent five or so minutes looking at it, so there very
> well may be a security problem hiding behind this.
> Cheers,
> --
> James Brown
> Systems Engineer
> Yelp, Inc.

James Brown
Systems Engineer
Yelp, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.oetiker.ch/pipermail/rrd-developers/attachments/20120112/6be7e71f/attachment.htm 

More information about the rrd-developers mailing list