From owner-freebsd-audit Wed Dec 1 5:51: 6 1999
Delivered-To: freebsd-audit@freebsd.org
Received: from barracuda.aquarium.rtci.com (barracuda.aquarium.rtci.com [208.11.247.5]) by hub.freebsd.org (Postfix) with ESMTP id CB54B14D0F for ; Wed, 1 Dec 1999 05:51:03 -0800 (PST) (envelope-from tstromberg@rtci.com)
Received: from rtci.com (karma.afterthought.org [208.11.244.6]) by barracuda.aquarium.rtci.com (8.9.3+Sun/8.9.3) with ESMTP id IAA17566; Wed, 1 Dec 1999 08:51:04 -0500 (EST)
Message-ID: <384527B9.3A3E3C41@rtci.com>
Date: Wed, 01 Dec 1999 08:50:49 -0500
From: Thomas Stromberg
Reply-To: tstromberg@rtci.com
Organization: Research Triangle Commerce, Inc.
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Warner Losh, freebsd-audit@freebsd.org
Subject: Re: Where to start? Heres a few overflows.
References: <38445A6A.50245AF5@rtci.com> <199911302322.QAA05983@harmony.village.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> : *rdump overflow when giving it a partition to dump
> : ex: rdump -0 [A*1024]
>
> These are fixed in -current. I've not backported to stable, but should.

Seeing as it's suid, it should probably be expedited. I myself took the suid bit off of it on my -STABLE boxes (I usually do, since I make no use of dump as non-root).

> : !doscmd overflow in any argument.
> : ex: doscmd [A*4000]
>
> Tip of the iceberg. That's why it isn't set*id anymore.

I figured as much. I seem to remember a while back that it was at least sgid kmem, and thought I found another good one. I was happily surprised to see the bit had been taken off however. The less set*id there is the happier I am.

> : #0 0x280714c5 in wmove () from /usr/lib/libcurses.so.2
> : #1 0x804b916 in free ()
> : #2 0xbfbfdfdc in ?? ()
> : #3 0x2807bc4c in tgetflag () from /usr/lib/libtermcap.so.2
> : #4 0x2807130b in setterm () from /usr/lib/libcurses.so.2
> : #5 0x28071159 in setterm () from /usr/lib/libcurses.so.2
> : #6 0x28070759 in initscr () from /usr/lib/libcurses.so.2
> : #7 0x804b529 in free ()
> : #8 0x80499fd in free ()
>
> If these are really to be believed, and you are recursively entering
> free, then I can't help you with this at all. malloc isn't
> reentrant. However, the traceback looks funny now that I take a
> closer look at it.

Did you have any luck re-creating it with the script I sent you? Interested to see if this becomes a systat or a curses thing..

-- 
======================================================================
thomas r. stromberg                      smtp://tstromberg@rtci.com
assistant is manager / systems guru      http://thomas.stromberg.org
research triangle commerce, inc.         finger://thomas@stromberg.org
'om mani pedme hung'                     pots://1.919.380.9771:3210
================================================================[eof]=

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message