From owner-freebsd-current Tue Nov 23 17:40:58 1999
Date: Wed, 24 Nov 1999 12:40:33 +1100
From: Peter Jeremy
Subject: Re: FreeBSD security auditing project.
In-reply-to: <3778.943405379@localhost>
To: "Jordan K. Hubbard"
Cc: current@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov24.123343est.40336@border.alcanet.com.au>
References: <19991123142626.D49964@dragon.nuxi.com> <3778.943405379@localhost>

On 1999-Nov-24 12:02:59 +1100, Jordan K. Hubbard wrote:
> I don't see any reason, for
> example, why anyone should still be using gets()

To take gets() as an example, of the 110 occurrences that gid found in -current, the following files contain actual calls to gets() (rather than declarations, comments, defines etc):

contrib/binutils/gas/hash.c - only if compiled -DTEST
contrib/cvs/lib/getdate.y - only if compiled -DTEST
contrib/gperf/tests/test.c - part of gperf test suite
contrib/libreadline/tilde.c - only if compiled -DTEST
contrib/texinfo/info/tilde.c - only if compiled -DTEST
gnu/lib/libregex/test/fileregex.c - part of libregex test suite
gnu/lib/libregex/test/iregex.c - part of libregex test suite
gnu/usr.bin/as/config/tc-m68k.c - only if compiled -DTEST1
gnu/usr.bin/as/config/tc-vax.c - only if compiled -Dtest or -DTEST
gnu/usr.bin/tar/getdate.y - only if compiled -DTEST
sys/boot/pc98/boot2/boot.c - asking for boot device
sys/i386/boot/biosboot/boot.c - asking for boot device
sys/i386/boot/cdboot/boot.c - asking for boot device
sys/kern/vfs_conf.c - prompting user for root filesystem
sys/pc98/boot/biosboot/boot.c - asking for boot device

So the only live code that contains gets() is in the boot loader (where space is a serious problem) and when reading a user-specified root filesystem name in the kernel. In either case, it's not clear that exploiting the resultant buffer overflow would allow someone to gain additional privileges (beyond those they already have as a result of being able to type input into gets()).

I would prefer to see the gets() in vfs_conf.c go away - the actual gets() definition is right below the (sole) call to gets() and could easily be changed to bounds check its input.

The boot code is less obvious. Adding input bounds checking could make the difference to the code fitting or not fitting. This is probably an area where compliance with Standard C Library interfaces is less important than code size.

> and our implementation even gets whiney about it if you do.

I like this and have previously suggested that it could probably be usefully extended to other functions.

Peter
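The two live cases above (a boot-device prompt and the root-filesystem prompt in vfs_conf.c) both read one line from a console into a fixed buffer. The block below is an added example, not Peter Jeremy's code and not FreeBSD's boot or kernel code: it shows a gets()-shaped reader next to a bounds-checked replacement of the kind the message suggests, driven by a hypothetical `getc_fn` console callback and a constructed in-memory input so it runs offline. The names `getc_fn`, `mem_getc`, `unsafe_gets`, `bounded_gets` and `demo_prompt`, the 16-byte buffer and the sample device string are all assumptions for illustration. The one design point worth noting is that the bounded reader keeps draining to end of line, so the discarded tail of an over-long answer is not handed to the next prompt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical console character source: returns the next byte, or -1 at
 * end of input. In a boot loader or kernel this would wrap whatever the
 * console "getc" routine is; the real FreeBSD routine is not reproduced. */
typedef int (*getc_fn)(void *ctx);

/* Constructed in-memory source so the example runs with no console. */
struct mem_src {
    const char *p;
};

static int mem_getc(void *ctx)
{
    struct mem_src *s = ctx;
    if (*s->p == '\0')
        return -1;
    return (unsigned char)*s->p++;
}

/* gets()-style reader: no length argument, so a line longer than the
 * caller's buffer writes past its end. Kept only for contrast. */
static char *unsafe_gets(char *buf, getc_fn in, void *ctx)
{
    char *p = buf;
    int c;

    while ((c = in(ctx)) != -1 && c != '\n')
        *p++ = (char)c;
    *p = '\0';
    return buf;
}

/* Bounds-checked replacement. Stores at most n-1 bytes and always
 * NUL-terminates. Excess bytes of an over-long line are consumed and
 * dropped (flagged via *truncated) rather than left in the input, where
 * they would be read back as the answer to the next prompt.
 * Returns the number of bytes stored, or -1 if end of input was reached
 * before any byte (newline included) was read. */
static int bounded_gets(char *buf, size_t n, int *truncated,
                        getc_fn in, void *ctx)
{
    size_t len = 0;
    int c, got_any = 0;

    *truncated = 0;
    if (n == 0)
        return -1;
    while ((c = in(ctx)) != -1) {
        got_any = 1;
        if (c == '\n')
            break;
        if (len + 1 < n)
            buf[len++] = (char)c;
        else
            *truncated = 1;        /* keep draining to end of line */
    }
    buf[len] = '\0';
    return got_any ? (int)len : -1;
}

/* Drives bounded_gets() over constructed input: a line a 16-byte prompt
 * buffer cannot hold, then a line that fits, then end of input.
 * Returns 1 if every case behaves as described above, else 0. */
int demo_prompt(void)
{
    struct mem_src src = { "this-device-name-is-far-too-long\nda0s1a\n" };
    struct mem_src short_src = { "da0s1a\n" };
    char buf[16];
    int trunc, n;

    /* over-long line: 15 bytes kept, rest discarded, next line intact */
    n = bounded_gets(buf, sizeof buf, &trunc, mem_getc, &src);
    if (n != 15 || !trunc || strcmp(buf, "this-device-nam") != 0)
        return 0;
    n = bounded_gets(buf, sizeof buf, &trunc, mem_getc, &src);
    if (n != 6 || trunc || strcmp(buf, "da0s1a") != 0)
        return 0;
    /* end of input: nothing stored, -1 returned, buffer left empty */
    n = bounded_gets(buf, sizeof buf, &trunc, mem_getc, &src);
    if (n != -1 || buf[0] != '\0')
        return 0;
    /* on input that fits, the unsafe reader gives the same answer,
     * which is why the bug stays hidden until someone types too much */
    unsafe_gets(buf, mem_getc, &short_src);
    return strcmp(buf, "da0s1a") == 0;
}

int main(void)
{
    int ok = demo_prompt();

    printf("bounded prompt reader: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The bounded version costs a length compare and a flag per character, which is the size trade-off the message raises for the boot blocks; the drain-to-newline loop is the part worth keeping even under space pressure, since silently truncating and leaving the tail in the input turns one bad answer into two.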