From owner-freebsd-bugs Wed Jun 21 13:40: 5 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 9446B37B776 for ; Wed, 21 Jun 2000 13:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id NAA71930; Wed, 21 Jun 2000 13:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from mailhost.stack.nl (vaak.stack.nl [131.155.140.140]) by hub.freebsd.org (Postfix) with ESMTP id 3C40837B65D for ; Wed, 21 Jun 2000 13:30:49 -0700 (PDT) (envelope-from marcolz@stack.nl)
Received: from toad.stack.nl (toad.stack.nl [131.155.140.135]) by mailhost.stack.nl (Postfix) with ESMTP id 74A63156BC for ; Wed, 21 Jun 2000 22:30:24 +0200 (CEST)
Received: by toad.stack.nl (Postfix, from userid 333) id F0882972A; Wed, 21 Jun 2000 22:30:23 +0200 (CEST)
Message-Id: <20000621203023.F0882972A@toad.stack.nl>
Date: Wed, 21 Jun 2000 22:30:23 +0200 (CEST)
From: marcolz@stack.nl
Reply-To: marcolz@stack.nl
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/19422: buffer overflow in ps
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         19422
>Category:       bin
>Synopsis:       users can overflow argv to make ps segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 21 13:40:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Marc Olzheim
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
M.C.G.V. Stack
>Environment:
Doesn't matter.
>Description:
When a user resets his argv[0] within a program to a string with a size larger than sysconf(_SC_ARG_MAX), ps does not prevent it from overflowing an internal buffer with strvis.
>How-To-Repeat:
A program that does argv[0] = blah; where blah is a string longer than sysconf(_SC_ARG_MAX), and keeps waiting. Then just run 'ps wwwaxuU ' and chances are ps segfaults.
>Fix:
--- /usr/src/bin/ps/fmt.c	Sat Aug 28 01:14:51 1999
+++ /usr/src/bin/ps/fmt.c	Wed Jun 21 22:19:22 2000
@@ -80,7 +80,7 @@
 	for (p = argv; (src = *p++) != 0; ) {
 		if (*src == 0)
 			continue;
-		strvis(dst, src, VIS_NL | VIS_CSTYLE);
+		strvisx(dst, src, arg_max - strlen(buf) - 1, VIS_NL | VIS_CSTYLE);
 		while (*dst)
 			dst++;
 		*dst++ = ' ';
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
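Review bot: the third argument passed to strvisx() on the + line, arg_max - strlen(buf) - 1, is the number of source bytes to encode, not the free space left in the destination, so the hunk does not close the overflow it targets. strvisx() encodes exactly that many bytes of src, so for an argument shorter than that it reads past the string's terminator, and with VIS_CSTYLE every input byte can expand to up to four output bytes (the documented 4*len+1 destination requirement), so dst can still run past buf. Bound the source length instead, e.g. compute remaining = arg_max - (dst - buf), then len = strlen(src) capped at (remaining - 1) / 4, and pass len to strvisx(). strlen(buf) is also not a safe measure of what has been written: the "*dst++ = ' ';" at the end of the previous iteration overwrote the NUL that strvis() placed, so buf is not terminated at dst when the next iteration measures it; dst - buf is the reliable offset. Neither buf nor arg_max appears in the hunk, so the surrounding code must already hold the destination buffer and its size under those names.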
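The failure mode the description names is an unbounded encode of a caller-controlled argv string into ps's fixed buffer; the loop below shows how that encode has to be bounded so an oversized argv[0] is truncated rather than written past the buffer. This is an added example, not the PR's patch or FreeBSD's fmt.c: encode_byte() is a small stand-in for strvis(3)'s VIS_NL|VIS_CSTYLE escaping (assuming vis(3)'s documented worst case of four output bytes per input byte), and fmt_argv_bounded is a hypothetical name.

```c
/* Added example, not the PR's patch or FreeBSD's fmt.c: encode argv into a
 * fixed buffer so an oversized argv[0] is truncated instead of overrunning
 * it.  encode_byte() is a stand-in for strvis(3)'s VIS_NL|VIS_CSTYLE
 * escaping, kept only to make the 4-bytes-per-input worst case explicit. */
#include <stddef.h>
#include <string.h>

/* Encode one byte C-style into out[]; returns bytes written, at most 4. */
static size_t encode_byte(char *out, unsigned char c)
{
    if (c == '\\') { out[0] = '\\'; out[1] = '\\'; return 2; }
    if (c == '\n') { out[0] = '\\'; out[1] = 'n';  return 2; }
    if (c >= 0x20 && c < 0x7f) { out[0] = (char)c; return 1; }
    out[0] = '\\';                          /* other bytes: \ooo, 4 bytes */
    out[1] = (char)('0' + ((c >> 6) & 7));
    out[2] = (char)('0' + ((c >> 3) & 7));
    out[3] = (char)('0' + (c & 7));
    return 4;
}

/* Append the argv strings, space separated, to buf[bufsz].  Encoding stops
 * as soon as fewer than 4 bytes remain before the reserved NUL slot, so no
 * input length can push dst past the buffer.  Returns the bytes written
 * (excluding the NUL); buf is always NUL-terminated when bufsz > 0. */
size_t fmt_argv_bounded(char *buf, size_t bufsz, char **argv)
{
    char *dst = buf, *end;
    char **p;
    const char *src;
    if (bufsz == 0) return 0;
    end = buf + bufsz - 1;                  /* last byte is for the NUL */
    for (p = argv; (src = *p++) != NULL; ) {
        if (*src == '\0')
            continue;                       /* skip empty arguments, as ps does */
        if (dst != buf) {
            if (dst >= end)
                break;                      /* no room even for the separator */
            *dst++ = ' ';
        }
        for (; *src != '\0'; src++) {
            if ((size_t)(end - dst) < 4)    /* no room for a worst-case byte */
                goto done;
            dst += encode_byte(dst, (unsigned char)*src);
        }
    }
done:
    *dst = '\0';
    return (size_t)(dst - buf);
}
```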