Date: Wed, 12 Dec 2001 10:36:03 -0500 (EST)
From: Mike Heffner <mheffner@vt.edu>
To: Peter Pentchev <roam@ringlet.net>
Cc: FreeBSD-bugs <freebsd-bugs@freebsd.org>, Marc Olzheim <marcolz@ilse.nl>, freebsd-gnats-submit@freebsd.org
Subject: Re: bin/19422: users can overflow argv to make ps segfault
Message-ID: <XFMail.20011212103603.mheffner@vt.edu>
In-Reply-To: <20011212115039.B934@straylight.oblivion.bg>
On 12-Dec-2001 Peter Pentchev wrote:
| On Tue, Dec 11, 2001 at 11:18:54PM -0500, Mike Heffner wrote:
|>
|> Well, I've looked at this a little more. I was able to reproduce it (it
|> took a few times though). Unfortunately, the patch isn't as simple as the
|> one in the PR. Could you please try the attached patch? There is still a
|> problem though, and that is that the strlen()s can seg. fault if the
|> argv[] strings aren't NULL terminated - I don't know how to fix this
|> problem though :(
|
| If argv[] is the program arguments' array, as passed to main(), then
| you should not worry about it - its elements are supposed to be proper
| C strings, i.e. terminated by a '\0' character, and I still have to see
| a platform where they are not :)

But when a user modifies those arguments by explicitly setting argv[0], or
whatever, is where the problem is:

test5.c:

#include <stdio.h>
#include <string.h>     /* memset() */
#include <sys/exec.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	int oid[4];
	char before[] = "BBBBBBB";
	char after[5];

	/* Five 'A's with no terminating '\0': deliberately not a C string. */
	memset(after, 'A', sizeof(after));
	argv[0] = after;

	/* Replace this process's own argument block via KERN_PROC_ARGS;
	 * the length given is intentionally far larger than 'after'. */
	oid[0] = CTL_KERN;
	oid[1] = KERN_PROC;
	oid[2] = KERN_PROC_ARGS;
	oid[3] = getpid();
	sysctl(oid, 4, 0, 0, after, 65537);

	/* Stay alive long enough to be inspected with ps. */
	sleep(600);
	return (0);
}

$ ./test5

on another terminal:

$ ps auxwww
...
spock   290  0.0  0.3   980  109  p0  S+   10:30AM   0:00.01 AAAAA\M-{\M-?\M-?BBBBBBB (test5)
                                                             ^^^^^^^^^^^^^^^^^^^

Mike

--
  Mike Heffner <mheffner@[acm.]vt.edu>
  Blacksburg, VA <mikeh@FreeBSD.org>
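The thread's open question is how a consumer of the KERN_PROC_ARGS buffer can avoid strlen() on data that a process may have left without a terminating NUL. The following is an added example, not the FreeBSD ps code or the patch discussed in the PR: it walks the buffer using only the length the kernel reported, treating each '\0' as an argument boundary and stopping at the buffer end when the last argument has no terminator. The function names (scan_proc_args, format_proc_args) and the sample buffers are constructed for this example; in real use the buffer and length would come from the sysctl(KERN_PROC_ARGS) call shown in test5.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of a bounded scan over a process argument block. */
struct argscan {
	size_t nargs;		/* number of arguments found */
	int unterminated;	/* 1 if the last argument had no '\0' */
};

/*
 * Count arguments in buf[0..len) without ever reading past len.
 * Each argument ends at a '\0'; a trailing run of bytes with no '\0'
 * (what test5 produces) is counted as one argument and flagged.
 */
struct argscan
scan_proc_args(const char *buf, size_t len)
{
	struct argscan r = { 0, 0 };
	size_t off = 0;

	while (off < len) {
		/* memchr() is bounded by the remaining length, unlike strlen(). */
		const char *nul = memchr(buf + off, '\0', len - off);

		r.nargs++;
		if (nul == NULL) {
			r.unterminated = 1;
			break;
		}
		off = (size_t)(nul - buf) + 1;
	}
	return (r);
}

/*
 * Render the arguments the way ps shows them (space separated) into
 * out[0..outsz), always NUL terminating out.  Every copy is bounded by
 * both the source length and the destination size.  Returns the number
 * of bytes written, excluding the terminating NUL.
 */
size_t
format_proc_args(const char *buf, size_t len, char *out, size_t outsz)
{
	size_t off = 0, n = 0;

	if (outsz == 0)
		return (0);
	while (off < len) {
		const char *nul = memchr(buf + off, '\0', len - off);
		/* Length of this argument, bounded like strnlen() would be. */
		size_t alen = nul != NULL ? (size_t)(nul - (buf + off)) : len - off;

		if (off > 0) {		/* separator between arguments */
			if (n + 1 >= outsz)
				break;
			out[n++] = ' ';
		}
		if (alen > outsz - 1 - n)
			alen = outsz - 1 - n;
		memcpy(out + n, buf + off, alen);
		n += alen;
		if (nul == NULL)
			break;		/* unterminated tail: stop at buffer end */
		off = (size_t)(nul - buf) + 1;
	}
	out[n] = '\0';
	return (n);
}

int
main(void)
{
	/* Constructed sample: what a process like test5 might leave behind,
	 * five 'A's with no terminator, followed by nothing. */
	static const char sample[] = { 'A', 'A', 'A', 'A', 'A' };
	char line[64];
	struct argscan r = scan_proc_args(sample, sizeof(sample));

	format_proc_args(sample, sizeof(sample), line, sizeof(line));
	printf("%zu argument(s), unterminated=%d: %s\n",
	    r.nargs, r.unterminated, line);
	return (0);
}
```

The point of the two helpers is that the kernel's reported length, not a '\0', is the only trust boundary: whatever a process writes into its own argument block, the reader never steps beyond the bytes it was actually handed.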
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.20011212103603.mheffner>