[lug] ACROBAT and LIBSAFE

D. Stimits stimits at idcomm.com
Fri Sep 22 15:55:41 MDT 2000


JEFF PFOHL wrote:
> 
> OK I figured out why I was getting segmentation faults but don't
> really have a full handle on the details. Maybe someone else more
> familiar with buffer overflows can educate me.
> 
> I looked at the two programs I've installed since I last knew Acrobat
> to work. Libsafe and portsentry.
> 
> I turned OFF libsafe thinking that MAYBE Acrobat was writing past the
> end of some buffer. Acrobat worked!!
> 
> OK this SHOULD have shown up, according to the libsafe man page, in
> /var/log/secure
> 
> However I read and grepped through them for acrobat and didn't find
> anything. I also checked the times and didn't find an entry when
> acrobat crashed (I ran it one time today with the segmentation fault
> and there were no entries for today)
> 
> Now to determine if there is a way to tell Libsafe to NOT monitor
> Acrobat.
> 
> For now Libsafe will remain OFF.
> 
> Thanks to everyone who emailed offering help and advice.
> 

This is where you probably must use strace to find out where it fails.
It'll give you a trace of system calls; at some point, one of them will
fail and get logged. The log files are sort of like C syntax, not
entirely. They get huge. Probably you will find what you need in the
last hundred lines or so, and can ignore the top. If the command would
normally be "acroread", then this would get you a log (do as the user
that fails):
strace -oAcroLog.txt acroread

It'll be especially nice if it segfaults in there, it makes it rather
obvious which call it fails at. Most likely nm on the libsafe lib file
will show a symbol similar to that, assuming it is at fault. But there
is a possibility that some lib that libsafe itself calls is where it
dies. One question is whether you had a prebuilt binary of libsafe
(don't know if you can even get that), or whether you compiled it
yourself? And is it being installed via shell environment variables, or
/etc/ld.so.preload? (be careful with that)

The fact remains that two other users, root, and one generic user you
created for testing, can use it. With any luck, strace will either show
permission denied, or something else.

D. Stimits, stimits at idcomm.com
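
Added example (not part of the original message, and not libsafe's own tooling): shell helpers for the triage described above, listing the failed calls in the tail of the strace log, the call made just before SIGSEGV, and whether libsafe is preloaded through the environment or /etc/ld.so.preload. The function names and the sample log with its paths are constructed for illustration, and the log is assumed to come from strace run without -f.

```shell
#!/bin/sh
# Added example, not from the original post: triage an strace log such as
# AcroLog.txt. Assumes strace was run without -f (no PID prefix on lines).

# Constructed sample log; every path in it is made up for illustration.
sample_log() {
cat <<'EOF'
execve("/usr/local/bin/acroread", ["acroread"], [/* 24 vars */]) = 0
open("/etc/ld.so.preload", O_RDONLY) = 3
open("/lib/libsafe.so.1", O_RDONLY) = 3
open("/home/user/.acrorc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/tmp/acro.lock", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
EOF
}

# Failed system calls (return -1 plus an errno name) in the last N lines.
failed_calls() {  # usage: failed_calls LOG [N], N defaults to 100
    tail -n "${2:-100}" "$1" | grep -E '= -1 E[A-Z0-9]+ ' || true
}

# The last line logged before the (final) SIGSEGV, if the log has one.
call_before_signal() {  # usage: call_before_signal LOG
    awk '/^--- SIGSEGV/ { hit = prev; next } { prev = $0 }
         END { if (hit != "") print hit }' "$1"
}

# Log lines where the dynamic loader touched ld.so.preload or libsafe.
preload_evidence() {  # usage: preload_evidence LOG
    grep -E 'libsafe|ld\.so\.preload' "$1" || true
}

# How libsafe is preloaded on this host: prints "env", "file", or both.
preload_source() {  # usage: preload_source [PRELOAD_FILE]
    case "${LD_PRELOAD:-}" in *libsafe*) echo "env" ;; esac
    if grep -q libsafe "${1:-/etc/ld.so.preload}" 2>/dev/null; then echo "file"; fi
}

if [ "$#" -ge 1 ]; then
    echo "== failed calls (tail) ==";    failed_calls "$1"
    echo "== call before SIGSEGV ==";    call_before_signal "$1"
    echo "== preload lines in log ==";   preload_evidence "$1"
    echo "== preload source on host =="; preload_source
fi
```

Run it with the log path as its only argument; with no argument it only defines the functions.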