From owner-freebsd-audit Tue Nov 30 15:22:14 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8024B14E5F for ; Tue, 30 Nov 1999 15:22:10 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id QAA10844; Tue, 30 Nov 1999 16:22:09 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id QAA05983; Tue, 30 Nov 1999 16:22:48 -0700 (MST)
Message-Id: <199911302322.QAA05983@harmony.village.org>
To: tstromberg@rtci.com
Subject: Re: Where to start? Heres a few overflows.
Cc: freebsd-audit@FreeBSD.ORG
In-reply-to: Your message of "Tue, 30 Nov 1999 18:14:50 EST." <38445A6A.50245AF5@rtci.com>
References: <38445A6A.50245AF5@rtci.com>
Date: Tue, 30 Nov 1999 16:22:48 -0700
From: Warner Losh
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In message <38445A6A.50245AF5@rtci.com> Thomas Stromberg writes:
: *dump overflow when giving it a partition to dump
:  ex: dump -0 [A*1024] (msg?)
: *rdump overflow when giving it a partition to dump
:  ex: rdump -0 [A*1024]

These are fixed in -current.  I've not backported to stable, but should.

: !doscmd overflow in any argument.
:  ex: doscmd [A*4000]

Tip of the iceberg.  That's why it isn't set*id anymore.

: ?banner arg overflow. discussed in -CURRENT.
:  ex: banner [A*8192]

I have a patch in my tree for this.  Just need to send commentary on it out.

: ?systat possible race condition in systat -n (and other gui
: modes). Happens when program is terminated sometimes.
: (could be libcurses?). Test script sent to security-officer.
:
: Trace as follows:
:
: #0  0x280714c5 in wmove () from /usr/lib/libcurses.so.2
: #1  0x804b916 in free ()
: #2  0xbfbfdfdc in ?? ()
: #3  0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
: #4  0x2807130b in setterm () from /usr/lib/libcurses.so.2
: #5  0x28071159 in setterm () from /usr/lib/libcurses.so.2
: #6  0x28070759 in initscr () from /usr/lib/libcurses.so.2
: #7  0x804b529 in free ()
: #8  0x80499fd in free ()

If these are really to be believed, and you are recursively entering free, then I can't help you with this at all.  malloc isn't reentrant.  However, the traceback looks funny now that I take a closer look at it.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
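The reports above all share one shape: a command-line argument far longer than the tool expects (the "[A*1024]" style input) lands in a fixed-size buffer. The following is an added example, not code from the thread or from dump, doscmd or banner; it shows the unsafe copy pattern next to a length-checked one and a pre-flight check over argv. The buffer size ARG_BUF_SIZE, the helper names and the sample argument vectors are all assumptions constructed for the example.

```c
/* Added example (not from the FreeBSD sources): copying a command-line
 * argument into a fixed-size buffer, unsafely and safely, plus a check that
 * rejects oversized arguments before any copy happens. */
#include <stdio.h>
#include <string.h>

#define ARG_BUF_SIZE 64   /* assumed size of the program's internal buffer */

/* Unsafe pattern: strcpy() trusts the caller's length. An argument of
 * ARG_BUF_SIZE bytes or more writes past dst. Shown for contrast only;
 * it must never be called with input of unchecked length. */
void copy_arg_unsafe(char dst[ARG_BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * together with its terminating NUL, and leave dst untouched on failure.
 * Returns 0 on success, -1 if the argument is too long. */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Pre-flight check over an argv-style vector (argv[0] is skipped):
 * returns the index of the first argument longer than max_len bytes,
 * or -1 if every argument fits. */
int first_oversized_arg(int argc, char *const argv[], size_t max_len)
{
    for (int i = 1; i < argc; i++)
        if (strlen(argv[i]) > max_len)
            return i;
    return -1;
}

/* Fill buf with count copies of c, NUL-terminated, capped at buf_size-1.
 * Returns the number of characters written. Used here only to construct
 * "[A*1024]"-style test input. */
size_t fill_repeated(char *buf, size_t buf_size, char c, size_t count)
{
    if (buf_size == 0)
        return 0;
    if (count > buf_size - 1)
        count = buf_size - 1;
    memset(buf, c, count);
    buf[count] = '\0';
    return count;
}

int main(void)
{
    char longarg[2048];
    char dst[ARG_BUF_SIZE];

    fill_repeated(longarg, sizeof longarg, 'A', 1024);   /* constructed input */

    /* Constructed argument vectors; the device name is a placeholder. */
    char *argv_ok[]  = { "dump", "-0", "/dev/da0s1a", NULL };
    char *argv_bad[] = { "dump", "-0", longarg, NULL };

    printf("normal argv:   first oversized index = %d\n",
           first_oversized_arg(3, argv_ok, ARG_BUF_SIZE - 1));
    printf("1024 x 'A':    first oversized index = %d\n",
           first_oversized_arg(3, argv_bad, ARG_BUF_SIZE - 1));

    copy_arg_unsafe(dst, argv_ok[2]);   /* short input: fits, but only by luck */
    printf("unsafe copy of short arg: %s\n", dst);
    printf("checked copy of long arg: %d (refused)\n",
           copy_arg_checked(dst, sizeof dst, longarg));
    return 0;
}
```

The point of first_oversized_arg is that a tool can reject a malformed invocation once, at startup, with a usage error, rather than relying on every later copy being bounds-checked; copy_arg_checked is the fallback for the copies themselves. Refusing rather than truncating matters for device and file names, where a silently shortened path may name a different object.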