Date:      Sun, 11 Feb 2001 13:56:31 +0100
From:      "Lukasz P" <freebsd@btk.za.net>
To:        "Security" <security@freebsd.org>
Subject:   timedc & SIGSEGV
Message-ID:  <004e01c0942a$3fece180$de21a0d4@a5o7e2>

Hello,
maybe somebody has discovered this "bug" earlier than me, but I don't know
about it so...
I found a strange behaviour in timedc, exactly in the trace option. If the
hostname self-lookup fails (I set my hostname to asdf.pl <all hostnames
which have no record in dns or /etc/hosts>) the command "timedc trace
anything" will terminate with signal 11 (SIGSEGV).
arizona# uname -a
FreeBSD arizona.kielce.wox.org 4.2-RELEASE FreeBSD 4.2-RELEASE #4: Wed Jan 31 20:12:44 GMT 2001 root@arizona.kielce.wox.org:/usr/src/sys/compile/optimal  i386
arizona# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
arizona# ls -l /usr/sbin/timedc
-r-sr-xr-x  1 root  wheel  15144 Feb  3 15:37 /usr/sbin/timedc
arizona# timedc trace on
communication error
arizona# hostname asdf.pl
arizona# timedc trace on
pid 212 (timedc), uid 0: exited on signal 11 (core dumped)
Segmentation fault (core dumped)

asdf.pl is an "invalid" hostname, so there is a SIGSEGV.
This "silly bug" is non-exploitable because "trace { on | off }" is a
privileged command, which can be used only by the superuser.
I have written a very simple patch, which can be used to prevent this
"mistake".


---[SNIP]---
--- cmds.c.backup Tue Feb  7 21:23:40 2001
+++ cmds.c Tue Feb  7 21:28:09 2001
@@ -431,6 +431,24 @@
   return;
  }

+ /* Tue Feb  7 21:24:41 GMT 2001
+ This simple code is going to disable a segmentation fault
+ in trace "procedure", when lookup for hostname fail.
+ In old code this situation was finished by signal 11
+ (Segmentation fault). This bug probably is non-exploitable,
+ but every error situation should be fixed so...
+ If there is a mistake in fix please let me know.
+ e-mail: Lukasz.Pawlik@kielce.wox.org
+     Lukasz Pawlik
+ */
+ gethostname(myname,MAXHOSTNAMELEN);
+ hp = gethostbyname(myname);
+ if (hp == NULL) {
+  printf("Hostname lookup for %s failed.\n",myname);
+  printf("Exiting before ""Segmentation fault"".\n");
+  exit(1);
+  }
+
  srvp = getservbyname("timed", "udp");
  if (srvp == 0) {
   warnx("udp/timed: unknown service");
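
Review bot: The new check at `if (hp == NULL)` reports the failure with printf() and then calls exit(1), while the surrounding context lines use warnx() and `return;`. Suggest following that convention, for example warnx("hostname lookup for %s failed", myname) followed by return, so the message goes to stderr and this failure is handled like the others in the function. In the second printf(), the doubled "" around Segmentation fault is treated by C as adjacent string literals, so no quote characters are printed; use \" if quotes are intended, or drop the line. The return value of gethostname() is not checked, and gethostname() does not guarantee a NUL-terminated result when the name is truncated, so terminate myname explicitly before passing it to gethostbyname(); the declaration of myname is outside this hunk, so its size should be confirmed to be at least MAXHOSTNAMELEN. The dated comment block with the author's name and e-mail address belongs in the commit message rather than in cmds.c.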

---[SNIP]---

Sorry for my poor English ;>

Lukasz Pawlik
e-mail: Lukasz.Pawlik@kielce.wox.org




