From owner-freebsd-security Sun Feb 11 4:52:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nevada.btk.za.net (nevada.btk.za.net [213.77.120.30]) by hub.freebsd.org (Postfix) with SMTP id 67D3237B491 for ; Sun, 11 Feb 2001 04:52:06 -0800 (PST)
Received: from a5o7e2 (pa76.kielce.ppp.tpnet.pl [212.160.33.76]) by nevada.btk.za.net (8.11.1/8.11.1) with SMTP id f1BDp6086335 for ; Sun, 11 Feb 2001 13:51:09 GMT (envelope-from freebsd@btk.za.net)
Message-ID: <004e01c0942a$3fece180$de21a0d4@a5o7e2>
From: "Lukasz P"
To: "Security"
Subject: timedc & SIGSEGV
Date: Sun, 11 Feb 2001 13:56:31 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

Maybe somebody has discovered this "bug" earlier than me, but I don't know about it, so...

I found a strange behaviour in timedc, exactly in the trace option. If the hostname self-lookup fails (I set my hostname to asdf.pl), the command "timedc trace anything" will terminate with signal 11 (SIGSEGV).

arizona# uname -a
FreeBSD arizona.kielce.wox.org 4.2-RELEASE FreeBSD 4.2-RELEASE #4: Wed Jan 31 20:12:44 GMT 2001 root@arizona.kielce.wox.org:/usr/src/sys/compile/optimal i386
arizona# id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
arizona# ls -l /usr/sbin/timedc
-r-sr-xr-x 1 root wheel 15144 Feb 3 15:37 /usr/sbin/timedc
arizona# timedc trace on
communication error
arizona# hostname asdf.pl
arizona# timedc trace on
pid 212 (timedc), uid 0: exited on signal 11 (core dumped)
Segmentation fault (core dumped)

asdf.pl is an "invalid" hostname, so there is a SIGSEGV.

This "silly bug" is non-exploitable because "trace { on | off }" is a privileged command, which can be used only by the superuser.

I have written a very simple patch, which can be used to prevent this "mistake".

---[SNIP]---
--- cmds.c.backup Tue Feb 7 21:23:40 2001
+++ cmds.c Tue Feb 7 21:28:09 2001
@@ -431,6 +431,24 @@ return; } + /* Tue Feb 7 21:24:41 GMT 2001 + This simple code is going to disable a segmentation fault + in trace "procedure", when lookup for hostname fail. + In old code this situation was finished by signal 11 + (Segmentation fault). This bug probably is non-exploitable, + but every error situation should be fixed so... + If there is a mistake in fix please let me know. + e-mail: Lukasz.Pawlik@kielce.wox.org + Lukasz Pawlik + */ + gethostname(myname,MAXHOSTNAMELEN); + hp = gethostbyname(myname); + if (hp == NULL) { + printf("Hostname lookup for %s failed.\n",myname); + printf("Exiting before ""Segmentation fault"".\n"); + exit(1); + } + srvp = getservbyname("timed", "udp"); if (srvp == 0) { warnx("udp/timed: unknown service"); ---[SNIP]--- Sorry for my poor english ;> Lukasz Pawlik e-mail: Lukasz.Pawlik@kielce.wox.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
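Review bot: calling exit(1) from inside the trace command terminates the whole timedc process, which is also an interactive command interpreter, so a failed self-lookup would throw the operator out of the session instead of just refusing the one command; the `return;` in the context line just above the insertion and the `warnx("udp/timed: unknown service")` path right after it show the function's existing convention of reporting the error and returning, so the new block should follow it (`warnx("hostname lookup for %s failed", myname); return;`) rather than printf() to stdout and exit(). Two smaller points in the same block: `gethostname(myname,MAXHOSTNAMELEN)` ignores its return value and does not guarantee NUL termination when the name is truncated, so check the result and terminate the buffer explicitly, and the hunk shows no declarations for `myname` or `hp`, so confirm both exist in this function with the right types. Lastly, the adjacent string literals in `printf("Exiting before ""Segmentation fault"".\n")` concatenate into a message without the intended quotes, and the dated, e-mail-addressed comment block belongs in the commit message or the PR rather than in cmds.c; a one-line comment stating that a NULL result from gethostbyname() is dereferenced further down is enough.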
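The crash the post describes is the generic "dereference the result of gethostbyname() without checking for NULL" pattern. As an added example, not code from the original post or from FreeBSD's timedc, the unsafe pattern is shown next to a version that turns every failure into a return value the caller can report, so an interactive command keeps running instead of exiting or crashing. The lookup function is passed in as a function pointer so the failing case can be driven offline; the two stand-in resolvers (`resolver_fail`, `resolver_loopback`) and the `demo_*` wrappers are constructed for this example, and `MAXHOSTNAMELEN` is assumed to come from `<sys/param.h>` as it does on the BSDs and glibc.

```c
/* Added example: NULL-result handling for gethostbyname(), unsafe vs. safe.
 * Not from the original post or from timedc itself. */
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 256   /* fallback if the platform header lacks it (assumption) */
#endif

/* Same shape as gethostbyname(), so the real function or a stand-in fits. */
typedef struct hostent *(*resolver_fn)(const char *name);

/* Unsafe: the pattern behind the reported SIGSEGV. If resolve() returns NULL
 * (the host's own name does not resolve), hp->h_addr_list dereferences NULL.
 * Kept for comparison; nothing here calls it with a failing resolver. */
in_addr_t self_addr_unsafe(resolver_fn resolve)
{
    char myname[MAXHOSTNAMELEN];
    struct hostent *hp;

    gethostname(myname, sizeof myname);        /* return value ignored */
    hp = resolve(myname);                       /* may be NULL */
    return ((struct in_addr *)hp->h_addr_list[0])->s_addr;
}

/* Safe: 0 on success with *out filled in; -1 with a message in errbuf on any
 * failure. The caller (e.g. a command loop) decides what to do, so no exit(). */
int self_addr_safe(resolver_fn resolve, struct in_addr *out,
                   char *errbuf, size_t errlen)
{
    char myname[MAXHOSTNAMELEN + 1];
    struct hostent *hp;

    if (gethostname(myname, sizeof myname - 1) != 0) {
        snprintf(errbuf, errlen, "gethostname: %s", strerror(errno));
        return -1;
    }
    myname[sizeof myname - 1] = '\0';          /* termination on truncation is not guaranteed */

    hp = resolve(myname);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL) {
        snprintf(errbuf, errlen, "hostname lookup for %s failed", myname);
        return -1;                              /* the case that crashed timedc */
    }
    memcpy(out, hp->h_addr_list[0], sizeof *out);
    return 0;
}

/* Constructed stand-in resolvers so both paths run deterministically offline. */
static struct hostent *resolver_fail(const char *name)
{
    (void)name;
    return NULL;                                /* what a lookup of asdf.pl did for the poster */
}

static struct hostent *resolver_loopback(const char *name)
{
    static struct in_addr lo;
    static char *addrs[2];
    static char lname[] = "localhost";
    static struct hostent he;

    (void)name;
    lo.s_addr = htonl(INADDR_LOOPBACK);
    addrs[0] = (char *)&lo;
    addrs[1] = NULL;
    he.h_name = lname;
    he.h_addrtype = AF_INET;
    he.h_length = sizeof lo;
    he.h_addr_list = addrs;
    return &he;
}

/* Wrappers with plain return values for the demonstration. */
int demo_lookup_fails(void)
{
    struct in_addr a;
    char err[128];
    return self_addr_safe(resolver_fail, &a, err, sizeof err);      /* -1 */
}

unsigned long demo_lookup_loopback(void)
{
    struct in_addr a;
    char err[128];
    if (self_addr_safe(resolver_loopback, &a, err, sizeof err) != 0)
        return 0;
    return (unsigned long)ntohl(a.s_addr);                            /* 0x7f000001 */
}

int main(void)
{
    struct in_addr a;
    char err[128];

    printf("failing resolver -> %d\n", demo_lookup_fails());
    printf("loopback resolver -> 0x%lx\n", demo_lookup_loopback());
    if (self_addr_safe(gethostbyname, &a, err, sizeof err) != 0)
        printf("real resolver: %s\n", err);    /* reported, not a core dump */
    else
        printf("real resolver: %s\n", inet_ntoa(a));
    return 0;
}
```

The point of the function-pointer parameter is testability: the failing path is exactly the one a developer never hits on a correctly configured machine, which is how a NULL dereference like this survives into a release, and a stand-in resolver lets that path be exercised in a unit test without renaming the host.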