Date: 2 May 1999 20:32:58 -0000
From: venglin@lagoon.freebsd.org.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: i386/11454: mkdir() and chdir() doesn't check argument length
Message-ID: <19990502203258.4113.qmail@lagoon.freebsd.org.pl>

>Number:         11454
>Category:       i386
>Synopsis:       mkdir() and chdir() doesn't check argument length
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 2 13:40:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Unia Lubelska High School, Lublin, Poland
>Environment:

FreeBSD lagoon.freebsd.org.pl 3.1-STABLE FreeBSD 3.1-STABLE #0: Sun Apr 11 17:11:46 CEST 1999 venglin@lagoon.freebsd.org.pl:/usr/src/sys/compile/LAGOON i386

and my home machine:

FreeBSD venglin.gadaczka.org 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Mon Apr 19 22:11:21 CEST 1999 venglin@venglin.gadaczka.org:/usr/src/sys/compile/GADACZKA i386

>Description:

Chdir() and mkdir() don't check argument length, so it's possible to
create an extremely deep directory structure, on which most system
commands won't work.

Example:

lagoon:venglin:/tmp/jc> rm -r example
rm: ex19/e name too long
rm: ex19/rectory not empty
rm: ex19/irectory not empty
rm: ex19/Directory not empty
rm: ex19: Directory not empty
lagoon:venglin:/tmp/jc> ls -lR example > /dev/null
ls: No such file or directory
ls: No such file or directory

It is probably possible to compromise the security of the /etc/periodic
shell scripts (they use /usr/bin/find):

lagoon:venglin:/tmp/jc> find example > /dev/null
Segmentation fault (core dumped)

>How-To-Repeat:

Create a big directory structure (try with different directory names):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <strings.h>

#define DUMP 0x41

int main(int argc, char *argv[])
{
        char buf[256];  /* 255 name bytes plus the terminating NUL */
        int i = 0;

        if (argc < 3) {
                fprintf(stderr, "usage: %s <dir> <depth>\n", argv[0]);
                exit(1);
        }

        /* Start inside the directory given on the command line. */
        if (chdir(argv[1])) {
                fprintf(stderr, "error in chdir(): %s\n", strerror(errno));
                exit(1);
        }

        /* Directory name made of 255 'A' characters. */
        memset(buf, DUMP, 255);
        buf[255] = '\0';

        /* Create the directory and descend into it, <depth> - 1 times. */
        for (i = 0; i < (atoi(argv[2])) - 1; i++) {
                if (mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) {
                        fprintf(stderr, "error in mkdir() after %d iterations: %s\n", i, strerror(errno));
                        exit(1);
                }
                if (chdir(buf)) {
                        fprintf(stderr, "error in chdir() after %d iterations: %s\n", i, strerror(errno));
                        exit(1);
                }
        }

        exit(0);
}

>Fix:

Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted:
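
For cleaning up a tree like the one this report describes, where `rm -r` fails with "name too long", the following added example (not part of the original report or of FreeBSD) deletes a directory tree by handing the kernel only one path component at a time. The function name `remove_deep_tree` is hypothetical, and the code assumes POSIX.1-2008 calls (`fchdir`, `O_DIRECTORY`, `O_NOFOLLOW`) and that nothing else modifies the tree while it runs.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example): delete `root` and everything below it.
 * Only single path components reach the kernel, so PATH_MAX never applies,
 * and descriptor use is constant at any depth. Returns 0 on success, else -1. */
int remove_deep_tree(const char *root)
{
    int home = open(".", O_RDONLY), depth = 0, rc = -1;
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    struct stat top, cur;

    if (home < 0 || fd < 0 || fstat(fd, &top) != 0 || fchdir(fd) != 0)
        goto out;
    for (;;) {
        DIR *d = opendir(".");
        struct dirent *e;
        int sub = -1, bad = (d == NULL);

        while (!bad && sub < 0 && (e = readdir(d)) != NULL) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
                continue;
            /* Empty dirs go via rmdir(); files and symlinks via unlink(). */
            if (rmdir(e->d_name) == 0 || unlink(e->d_name) == 0)
                continue;
            /* Non-empty dir: enter it, never via a symlink or across a mount. */
            sub = open(e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            bad = sub < 0 || fstat(sub, &cur) != 0 ||
                  cur.st_dev != top.st_dev || fchdir(sub) != 0;
        }
        if (d != NULL) closedir(d);
        if (sub >= 0) close(sub);
        if (bad || (sub < 0 && depth > 0 && chdir("..") != 0))
            goto out;
        if (sub < 0 && depth == 0)
            break;                      /* root itself is now empty */
        depth += (sub >= 0) ? 1 : -1;   /* went down, or back up one level */
    }
    rc = 0;
out:
    if (fd >= 0) close(fd);
    if (home < 0 || fchdir(home) != 0) rc = -1;   /* restore caller's cwd */
    if (home >= 0) close(home);
    return rc == 0 ? rmdir(root) : -1;
}
```

After stepping back up with `chdir("..")` the parent is rescanned, so the now-empty child is removed by `rmdir()` without its name having to be remembered.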