From owner-freebsd-audit@FreeBSD.ORG Sun Apr 20 01:15:45 2003
From: Sebastian Ssmoller
To: Kris Kennaway
Cc: FreeBSD-audit, current@FreeBSD.org
Date: 20 Apr 2003 10:16:23 +0200
Message-Id: <1050826585.2052.12.camel@hadriel>
In-Reply-To: <20030420032303.GA25568@rot13.obsecurity.org>
Subject: Re: Buffer overflow in disklabel

Hi,
I attached a patch for that problem. Can someone have a look at it?

But one thing is still unclear to me: Why do we need an 8k buffer for the
disk name?

seb

On Sun, 2003-04-20 at 05.23, Kris Kennaway wrote:
> Run the following under /bin/sh (not tcsh, which - still! - has a bug
> that causes the command to hang tcsh):
>
> # disklabel `perl -e 'print "a"x51200'`
> Segmentation fault (core dumped)
>
> The responsible code is:
>
>         dkname = argv[0];
>         if (dkname[0] != '/') {
>                 (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
>                 specname = np;
>                 np += strlen(specname) + 1;
>         } else
>                 specname = dkname;
>         f = open(specname, op == READ ? O_RDONLY : O_RDWR);
>         if (f < 0 && errno == ENOENT && dkname[0] != '/') {
>                 (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
>                 np = namebuf + strlen(specname) + 1;
>                 f = open(specname, op == READ ? O_RDONLY : O_RDWR);
>         }
>
> i.e. overflowing an 8k buffer. Does anyone feel like fixing it?
>
> Kris

From owner-freebsd-audit@FreeBSD.ORG Sun Apr 20 01:30:38 2003
From: Sebastian Ssmoller
To: Kris Kennaway
Cc: Freebsd Current, FreeBSD-audit
Date: 20 Apr 2003 10:31:16 +0200
Message-Id: <1050827478.2737.4.camel@hadriel>
In-Reply-To: <1050826585.2052.12.camel@hadriel>
Subject: Re: Buffer overflow in disklabel

sorry. seem to have a problem with my email client :-( Hope the
attachment is now there...

seb

On Sun, 2003-04-20 at 10.16, Sebastian Ssmoller wrote:
> Hi,
> I attached a patch for that problem. Can someone have a look at it?
>
> But one thing is still unclear to me: Why do we need an 8k buffer for the
> disk name?
>
> seb
>
> On Sun, 2003-04-20 at 05.23, Kris Kennaway wrote:
> > [...]

From owner-freebsd-audit@FreeBSD.ORG Sun Apr 20 02:38:40 2003
From: Andre Guibert de Bruet
To: Sebastian Ssmoller
Cc: Freebsd Current, FreeBSD-audit
Date: Sun, 20 Apr 2003 05:38:38 -0400 (EDT)
Message-ID: <20030420053655.O50356@alpha.siliconlandmark.com>
In-Reply-To: <1050827478.2737.4.camel@hadriel>
Subject: Re: Buffer overflow in disklabel

On Sun, 20 Apr 2003, Sebastian Ssmoller wrote:
> sorry.
> seem to have a problem with my email client :-( Hope the
> attachment is now there...

No patch here. How about putting it up on a webserver somewhere?

> Andre Guibert de Bruet | Enterprise Software Consultant
> Silicon Landmark, LLC. | http://siliconlandmark.com/

From owner-freebsd-audit@FreeBSD.ORG Sun Apr 20 10:30:47 2003
From: Sebastian Ssmoller
To: Andre Guibert de Bruet
Cc: current@freebsd.org, audit@freebsd.org
Date: Sun, 20 Apr 2003 19:30:42 +0200 (MEST)
Message-ID: <21183.1050859842@www6.gmx.net>
Subject: Re: Buffer overflow in disklabel

hmm, I do not understand this. so third try: now I will try sending the
patch from the web client of my mail provider.
hope that works. if not: is there a special requirement to be able to
send attachments to the freebsd lists ?

seb

> On Sun, 20 Apr 2003, Sebastian Ssmoller wrote:
>
> > sorry. seem to have a problem with my email client :-( Hope the
> > attachment is now there...
>
> No patch here. How about putting it up on a webserver somewhere?
>
> > Andre Guibert de Bruet | Enterprise Software Consultant
> > Silicon Landmark, LLC. | http://siliconlandmark.com/

[Attachment: disklabel.overflow.patch]

--- disklabel.c.orig	Tue Apr 15 07:57:53 2003
+++ disklabel.c	Tue Apr 15 08:46:26 2003
@@ -283,14 +283,16 @@
 
 	dkname = argv[0];
 	if (dkname[0] != '/') {
-		(void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
+		(void)snprintf(np, BBSIZE, "%s%s%c", _PATH_DEV, dkname, 
+		    'a' + RAW_PART);
 		specname = np;
 		np += strlen(specname) + 1;
 	} else
 		specname = dkname;
+
 	f = open(specname, op == READ ? O_RDONLY : O_RDWR);
 	if (f < 0 && errno == ENOENT && dkname[0] != '/') {
-		(void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
+		(void)snprintf(specname, BBSIZE, "%s%s", _PATH_DEV, dkname);
 		np = namebuf + strlen(specname) + 1;
 		f = open(specname, op == READ ? O_RDONLY : O_RDWR);
 	}
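Review bot: the bound passed to both snprintf() calls in this hunk, BBSIZE, is the size of the whole namebuf rather than the space left from np, so it is only correct while np still points at the start of namebuf; bounding by `sizeof(namebuf) - (np - namebuf)` (the same for specname, which aliases np on this path) keeps the bound right if np is ever advanced before this code. The hunk also leaves truncation silent: an over-long name now produces a cut-off /dev/... path that goes straight to open(). snprintf() returns the length it wanted to write, so compare that with the bound and fail with a "device name too long" error instead of opening the truncated path.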
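The bounded form the thread is working towards, as an added example (this is not disklabel's code nor the patch in this thread): build the /dev path with snprintf(), treat a return value that reaches the bound as an error, and never hand a truncated path to open(). The function names build_specname(), check_with_part(), check_no_part(), check_too_long() and demo() belong to this example only; _PATH_DEV, RAW_PART and BBSIZE are given the values they have on FreeBSD ("/dev/", partition 'c', 8192) as a stated assumption so the example runs stand-alone.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Assumed values, as on FreeBSD: _PATH_DEV from <paths.h>, RAW_PART from
 * <sys/disklabel.h> (the raw partition is 'c'), BBSIZE the size of
 * namebuf in disklabel.c (the 8k buffer from the report).
 */
#ifndef _PATH_DEV
#define _PATH_DEV "/dev/"
#endif
#define RAW_PART 2
#define BBSIZE   8192

/*
 * Hardened replacement for the sprintf() calls quoted in the report
 * (added example, not disklabel's code).  Builds "/dev/<name><raw part>"
 * when with_part is set, else "/dev/<name>", into buf of size len.
 * Returns 0 on success.  When the result would not fit, returns -1 with
 * errno set to ENAMETOOLONG and buf set to the empty string, so a caller
 * cannot open() a silently truncated path by mistake.
 */
int build_specname(const char *dkname, char *buf, size_t len, int with_part)
{
    int n;

    if (len == 0) {
        errno = EINVAL;
        return -1;
    }
    if (with_part)
        n = snprintf(buf, len, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
    else
        n = snprintf(buf, len, "%s%s", _PATH_DEV, dkname);

    /* snprintf() reports the length it wanted; reaching len means truncation. */
    if (n < 0 || (size_t)n >= len) {
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Normal case: "ad0" with the raw partition letter appended. */
int check_with_part(void)
{
    char b[16];
    return build_specname("ad0", b, sizeof b, 1) == 0 && strcmp(b, "/dev/ad0c") == 0;
}

/* Fallback form without the partition letter, as in the second open(). */
int check_no_part(void)
{
    char b[16];
    return build_specname("ad0", b, sizeof b, 0) == 0 && strcmp(b, "/dev/ad0") == 0;
}

/* A buffer two bytes too small: rejected, left empty, errno set. */
int check_too_long(void)
{
    char b[8];
    return build_specname("ad0", b, sizeof b, 1) == -1
        && errno == ENAMETOOLONG && b[0] == '\0';
}

/*
 * The input shape from the report: a constructed 51200-byte name against
 * an 8k namebuf.  Returns 1 when the over-long name is refused.
 */
int demo(void)
{
    static char namebuf[BBSIZE];
    char *huge = malloc(51200 + 1);
    int ok;

    if (huge == NULL)
        return 0;
    memset(huge, 'a', 51200);
    huge[51200] = '\0';
    ok = build_specname(huge, namebuf, sizeof namebuf, 1) == -1
        && errno == ENAMETOOLONG && namebuf[0] == '\0';
    free(huge);
    return ok;
}

int main(void)
{
    printf("short name: %s\n", check_with_part() ? "ok" : "FAIL");
    printf("51200-byte name: %s\n", demo() ? "rejected" : "FAIL");
    return 0;
}
```

The point of clearing the buffer on failure is that the caller's next step in disklabel is open(specname, ...): with the buffer emptied and -1 returned, the open can only be skipped, not performed on a path that happens to exist after truncation.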
From owner-freebsd-audit@FreeBSD.ORG Tue Apr 22 10:35:42 2003
From: Johan Karlsson
To: Sebastian Ssmoller
Cc: FreeBSD-audit
Date: Tue, 22 Apr 2003 19:35:38 +0200
Message-ID: <20030422173538.GA81516@numeri.campus.luth.se>
In-Reply-To: <1050508090.1952.23.camel@hadriel>
Subject: Re: making sbin/kld* WARNS=5 clean and some style(9) cleanup

On Wed, Apr 16, 2003 at 17:48 (+0200) +0000, Sebastian Ssmoller wrote:
> Hi,
> I applied the first patch. Looks good, but kldstat.c seems to be warns=5
> clean anyway, doesn't it?

No, not on all platforms, such as ia64/alpha ...

/Johan K
-- 
Johan Karlsson mailto:k@numeri.campus.luth.se