From owner-freebsd-security@FreeBSD.ORG Fri Mar 12 08:07:10 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CEC116A4CE; Fri, 12 Mar 2004 08:07:10 -0800 (PST) Received: from pittgoth.com (14.zlnp1.xdsl.nauticom.net [209.195.149.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id D6E0943D39; Fri, 12 Mar 2004 08:07:09 -0800 (PST) (envelope-from trhodes@FreeBSD.org) Received: from localhost (acs-24-154-235-164.zoominternet.net [24.154.235.164]) (authenticated bits=0) by pittgoth.com (8.12.11/8.12.11) with ESMTP id i2CG7828052795 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 12 Mar 2004 11:07:08 -0500 (EST) (envelope-from trhodes@FreeBSD.org) Date: Fri, 12 Mar 2004 11:07:25 -0500 From: Tom Rhodes To: Ruslan Ermilov Message-Id: <20040312110725.698ebe20@localhost> In-Reply-To: <20040312154600.GC2235@ip.net.ua> References: <200403120922.i2C9M0jC002510@stud326.idi.ntnu.no> <20040312104914.GA52099@ip.net.ua> <20040312105730.GA99925@stud326.idi.ntnu.no> <20040312110657.GB52099@ip.net.ua> <20040312111526.GA14260@stack.nl> <20040312125820.GA8574@lum.celabo.org> <20040312154600.GC2235@ip.net.ua> X-Mailer: Sylpheed version 0.9.9claws (GTK+ 1.2.10; i386-portbld-freebsd5.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Mon, 15 Mar 2004 04:15:25 -0800 cc: "Jacques A. Vidrine" cc: security@FreeBSD.org Subject: Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Mar 2004 16:07:10 -0000 On Fri, 12 Mar 2004 17:46:00 +0200 Ruslan Ermilov wrote: > On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote: > > On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote: > > > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote: > > > > And the fact that optind is initially set to 1. I wonder what > > > > could be the implications for setuid programs. There could be > > > > quite unpredictable results, as the "argv" pointer is incorrectly > > > > advanced in this case, and at least several setuid programs that > > > > I've glanced at are vulnerable to this attack. > > > > > > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738 > > > > Thanks Ruslan, Marc, > > > > I think kern/33738 is on the money. I do not see any immediate > > ramifications, but for peace of mind I believe that exec should fail if > > the argument array pointer is NULL. > > > > I believe this would be consistent with the relevant standards: POSIX > > already requires (a) that the first argument ``should point to a > > filename that is associated with the process being started'' and (b) > > ``the last member of this array is a null pointer''--- i.e. the array > > pointer cannot be NULL. > > > As Garrett already pointed out in the PR log, have you considered this? > > http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_130_08 > > I'm happy with changing our behavior to Strictly Conforming for the > goods of security, and you? Will it 'break' anything? -- Tom Rhodes