[rrd-developers] segfaulting bug in rrdtool/rrdcached
Tobias Oetiker
tobi at oetiker.ch
Fri Jan 13 09:45:58 CET 2012
Hi James,
Yesterday James Brown wrote:
> Ping?
got it ... just not got around to investigate yet ...
cheers
tobi
>
> On Tue, Dec 27, 2011 at 5:40 PM, James Brown <jbrown at yelp.com> wrote:
>
> > There's a bug in the current HEAD of rrdtool (and I suppose going back to
> > mid-2007, from the svn blame output) which causes it to segfault if you
> > point it at an rrdcached socket which isn't writable. I've attached a patch
> > against trunk, and reproduction steps are below:
> >
> > cd ~
> > mkdir rrds/
> > rrdtool create rrds/test.rrd DS:data:GAUGE:360:U:U RRA:MAX:0.5:1:120 -s 1
> > rrdtool update rrds/test.rrd N:0
> > rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s)
> > DEF:ds0=$HOME/rrds/test.rrd:data:MAX XPORT:ds0 *(this one should work)
> > *
> > rrdtool xport --start $(( $(date +%s) - 120)) --end $(date +%s) --daemon
> > $HOME/this_path_does_not_exist.sock DEF:ds0=$HOME/rrds/test.rrd:data:MAX
> > XPORT:ds0 *(this one should segfault)*
> >
> > rrdtool is assuming that rrd_xport will always return -1 on failure;
> > however, rrd_xport returns errno (which is, generally, not -1) if
> > rrd_client fails. I figured it was easier to change rrdtool than to change
> > everything in rrd_client. For good measure, I also changed the checks on
> > the calls to rrd_fetch and rrd_graph. I'm not sure if they're susceptible
> > to the same problem, but, well, better to check for the one thing you do
> > what you want than to enumerate all the possible things you don't want.
> >
> > This segfault is caused by an uninitialized variable use (in particular,
> > legend_v and col_cnt end up being used and passed to printf uninitialized).
> > Nothing offhand jumped out at me as easily-exploitable to do code
> > injection, but I only spent five or so minutes looking at it, so there very
> > well may be a security problem hiding behind this.
> >
> > Cheers,
> > --
> > James Brown
> > Systems Engineer
> > Yelp, Inc.
> >
> >
>
>
>
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
More information about the rrd-developers
mailing list