Date: Wed, 01 Dec 1999 08:50:49 -0500
From: Thomas Stromberg <tstromberg@rtci.com>
To: Warner Losh <imp@village.org>, freebsd-audit@freebsd.org
Subject: Re: Where to start? Heres a few overflows.
Message-ID: <384527B9.3A3E3C41@rtci.com>
References: <38445A6A.50245AF5@rtci.com> <199911302322.QAA05983@harmony.village.org>

> : *rdump overflow when giving it a partition to dump
> : ex: rdump -0 [A*1024]
>
> These are fixed in -current. I've not backported to stable, but should.

Seeing as it's suid, it should probably be expedited. I myself took the suid bit off of it on my -STABLE boxes (I usually do, since I make no use of dump as non-root).

> : !doscmd overflow in any argument.
> : ex: doscmd [A*4000]
>
> Tip of the iceberg. That's why it isn't set*id anymore.

I figured as much. I seem to remember a while back that it was at least sgid kmem, and thought I found another good one. I was happily surprised to see the bit had been taken off however. The less set*id there is the happier I am.

> : #0 0x280714c5 in wmove () from /usr/lib/libcurses.so.2
> : #1 0x804b916 in free ()
> : #2 0xbfbfdfdc in ?? ()
> : #3 0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
> : #4 0x2807130b in setterm () from /usr/lib/libcurses.so.2
> : #5 0x28071159 in setterm () from /usr/lib/libcurses.so.2
> : #6 0x28070759 in initscr () from /usr/lib/libcurses.so.2
> : #7 0x804b529 in free ()
> : #8 0x80499fd in free ()
>
> If these are really to be believed, and you are recursively entering
> free, then I can't help you with this at all. malloc isn't
> reentrant. However, the traceback looks funny now that I take a
> closer look at it.

Did you have any luck re-creating it with the script I sent you? Interested to see if this becomes a systat or a curses thing..

--
======================================================================
thomas r. stromberg                    smtp://tstromberg@rtci.com
assistant is manager / systems guru    http://thomas.stromberg.org
research triangle commerce, inc.       finger://thomas@stromberg.org
'om mani pedme hung'                   pots://1.919.380.9771:3210
================================================================[eof]=

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message