Date: Wed, 21 Jun 2000 22:30:23 +0200 (CEST)
From: marcolz@stack.nl
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/19422: buffer overflow in ps
Message-ID: <20000621203023.F0882972A@toad.stack.nl>
>Number:         19422
>Category:       bin
>Synopsis:       users can overflow argv to make ps segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 21 13:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Marc Olzheim
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
M.C.G.V. Stack
>Environment:
Doesn't matter.
>Description:
When a user resets his argv[0] within a program to a string with a size larger than sysconf(_SC_ARG_MAX), ps does not prevent it from overflowing an internal buffer with strvis.
>How-To-Repeat:
A program that does argv[0] = blah;, where blah is a string longer than sysconf(_SC_ARG_MAX), and keeps waiting. Then just run 'ps wwwaxuU <user>' and chances are ps segfaults.
>Fix:
--- /usr/src/bin/ps/fmt.c Sat Aug 28 01:14:51 1999 +++ /usr/src/bin/ps/fmt.c Wed Jun 21 22:19:22 2000 @@ -80,7 +80,7 @@ for (p = argv; (src = *p++) != 0; ) { if (*src == 0) continue; - strvis(dst, src, VIS_NL | VIS_CSTYLE); + strvisx(dst, src, arg_max - strlen(buf) - 1, VIS_NL | VIS_CSTYLE); while (*dst) dst++; *dst++ = ' ';
>Release-Note:
>Audit-Trail:
>Unformatted:
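Review bot: the length passed to strvisx() in the `+` line counts source bytes to encode, not destination bytes available, so `strvisx(dst, src, arg_max - strlen(buf) - 1, VIS_NL | VIS_CSTYLE)` still does not bound the output: with VIS_CSTYLE a single source byte can expand to up to four output bytes (an octal escape), so a source length that fits the remaining room can write up to four times that much. The cap has to be applied to the source length as (remaining destination bytes) / 4, e.g. encode at most `min(strlen(src), (remaining) / 4)` bytes of each argument. Two smaller problems in the same hunk: `strlen(buf)` cannot be trusted for "bytes already used", because the unchanged context `while (*dst) dst++; *dst++ = ' ';` overwrites the terminator with a space before the next iteration runs strlen() on buf, so `dst - buf` is the right measure; and since strlen() returns size_t, `arg_max - strlen(buf) - 1` wraps to a huge value rather than reaching zero once the buffer fills, which would disable the bound exactly when it is needed.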
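The overflow in the report comes from ps escaping each argv string with strvis-style encoding into a fixed buffer, where every source byte may grow to several output bytes. The following is an added example, not code from the bug report or from FreeBSD's ps: it uses a small C-style escaper of its own, encode_byte(), standing in for vis(3) so it builds on any C compiler, and a joiner join_argv_bounded() that caps the number of source bytes it encodes at the remaining room divided by the worst-case expansion. It then checks with a guard region that an argv[0] far larger than the buffer cannot write past it. The function names, MAX_EXPANSION and the sample argv arrays are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Worst-case output bytes per input byte: an octal escape "\ooo" is 4.
 * (Assumed constant for this example; vis(3) has the same 4x bound.) */
#define MAX_EXPANSION 4

/* Escape one byte C-style into out (room for MAX_EXPANSION bytes, no NUL).
 * Returns the number of bytes written, never more than MAX_EXPANSION. */
static size_t encode_byte(unsigned char c, char *out)
{
    if (c == '\\') { out[0] = '\\'; out[1] = '\\'; return 2; }
    if (c == '\n') { out[0] = '\\'; out[1] = 'n';  return 2; }
    if (c == '\t') { out[0] = '\\'; out[1] = 't';  return 2; }
    if (isprint(c)) { out[0] = (char)c; return 1; }
    out[0] = '\\';                          /* "\ooo" octal escape */
    out[1] = (char)('0' + ((c >> 6) & 7));
    out[2] = (char)('0' + ((c >> 3) & 7));
    out[3] = (char)('0' + (c & 7));
    return 4;
}

/*
 * Encode argv into buf (buf_size bytes), space-separated and always
 * NUL-terminated, never writing past buf + buf_size.  The bound is applied
 * to the SOURCE length: at most (remaining room) / MAX_EXPANSION bytes of
 * each argument are encoded, so even all-escaped input cannot overflow.
 * Returns the bytes stored (excluding the NUL); *truncated is set when
 * input had to be dropped.
 */
size_t join_argv_bounded(char *const *argv, char *buf, size_t buf_size,
                         int *truncated)
{
    size_t used = 0;

    *truncated = 0;
    if (buf_size == 0) { *truncated = 1; return 0; }

    for (char *const *p = argv; *p != NULL; p++) {
        const unsigned char *src = (const unsigned char *)*p;
        size_t len = strlen(*p);
        size_t room;

        if (len == 0)
            continue;                       /* ps skips empty arguments too */
        if (used > 0) {                     /* separator before later args */
            if (buf_size - 1 - used == 0) { *truncated = 1; break; }
            buf[used++] = ' ';
        }
        room = (buf_size - 1 - used) / MAX_EXPANSION;   /* source-byte cap */
        if (len > room) { *truncated = 1; len = room; }
        for (size_t i = 0; i < len; i++)
            used += encode_byte(src[i], buf + used);    /* <= room * 4 */
        if (*truncated)
            break;
    }
    buf[used] = '\0';
    return used;
}

/* The report's scenario: argv[0] far larger than the buffer, every byte an
 * escape.  Returns 1 if the 32-byte buffer's guard region survives intact. */
int oversized_argv_stays_in_bounds(void)
{
    enum { CAP = 32, GUARD = 16 };
    char big[257];                          /* constructed: 256 x '\001' */
    char buf[CAP + GUARD];
    int trunc;
    size_t n;

    memset(big, '\001', 256);
    big[256] = '\0';
    char *argv[] = { big, "x", NULL };
    memset(buf + CAP, 0xAA, GUARD);         /* guard bytes after the buffer */

    n = join_argv_bounded(argv, buf, CAP, &trunc);
    if (!trunc || n > CAP - 1 || buf[n] != '\0')
        return 0;
    for (int i = 0; i < GUARD; i++)
        if ((unsigned char)buf[CAP + i] != 0xAA)
            return 0;
    return 1;
}

/* A small argv with one escaped byte; returns 1 if the encoding matches. */
int small_argv_encodes_as_expected(void)
{
    char *argv[] = { "ps", "a\nb", NULL };  /* constructed sample */
    char buf[64];
    int trunc;
    size_t n = join_argv_bounded(argv, buf, sizeof buf, &trunc);

    return n == 7 && trunc == 0 && strcmp(buf, "ps a\\nb") == 0;
}

int main(void)
{
    printf("oversized argv[0] stays in bounds: %s\n",
           oversized_argv_stays_in_bounds() ? "yes" : "no");
    printf("small argv encodes as expected: %s\n",
           small_argv_encodes_as_expected() ? "yes" : "no");
    return 0;
}
```

The important line is the `room` computation: dividing the remaining destination space by the worst-case expansion before deciding how many source bytes to encode is what makes the output bound hold regardless of the input's contents, and `used` (the equivalent of `dst - buf`) rather than strlen() tracks how much of the buffer is already consumed.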