From owner-freebsd-bugs@FreeBSD.ORG Sun Feb 13 19:50:38 2005
Return-Path:
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 800AF16A4CE for ; Sun, 13 Feb 2005 19:50:38 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 438C743D41 for ; Sun, 13 Feb 2005 19:50:33 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j1DJoScS050318 for ; Sun, 13 Feb 2005 19:50:28 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j1DJoSs6050317; Sun, 13 Feb 2005 19:50:28 GMT (envelope-from gnats)
Resent-Date: Sun, 13 Feb 2005 19:50:28 GMT
Resent-Message-Id: <200502131950.j1DJoSs6050317@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Wojciech A. Koszek"
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E041B16A4CE for ; Sun, 13 Feb 2005 19:49:58 +0000 (GMT)
Received: from freebsd.czest.pl (silver.iplus.pl [80.48.250.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDD2643D2D for ; Sun, 13 Feb 2005 19:49:46 +0000 (GMT) (envelope-from dunstan@freebsd.czest.pl)
Received: from freebsd.czest.pl (freebsd.czest.pl [80.48.250.4]) by freebsd.czest.pl (8.12.10/8.12.9) with ESMTP id j1DJt59r006687 for ; Sun, 13 Feb 2005 19:55:05 GMT (envelope-from dunstan@freebsd.czest.pl)
Received: (from dunstan@localhost) by freebsd.czest.pl (8.12.10/8.12.9/Submit) id j1DJt46K006686; Sun, 13 Feb 2005 19:55:05 GMT (envelope-from dunstan)
Message-Id: <200502131955.j1DJt46K006686@freebsd.czest.pl>
Date: Sun, 13 Feb 2005 19:55:05 GMT
From: "Wojciech A. Koszek"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/77462: [PATCH] Use of uninitialized variables in lpc(8) (SIGSEGV)
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Wojciech A. Koszek"
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 13 Feb 2005 19:50:38 -0000

>Number:         77462
>Category:       bin
>Synopsis:       [PATCH] Use of uninitialized variables in lpc(8) (SIGSEGV)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 13 19:50:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.3-STABLE FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005 root@dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6 i386

Tests made on -STABLE and -CURRENT.

>Description:
lpc(8) uses the editline(3) library to handle user input. If data comes from a terminal, it uses the el_gets(3) function. Otherwise, fgets(3) is used. Structures for the el_* functions have to be initialized before making use of them. A user may send malicious data through fgets(3), skipping the variable initialization, and thereby cause lpc to get SIGSEGV.

My analysis has shown it *might* be exploited in theory. lpc(8) is SGID with EGID == daemon.

>How-To-Repeat:
Repeating is trivial:

$ echo "..:" | lpc

or

$ cat /dev/random | lpc

>Fix:
The solution is very simple. The structures are used for processing data from either el_gets() or fgets(), so the initialization has to be done earlier. The attached patch [lpc.0.patch] should correct this problem.
--- lpc.0.patch begins here --- Index: src/usr.sbin/lpr/lpc/lpc.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/lpr/lpc/lpc.c,v retrieving revision 1.28 diff -u -r1.28 lpc.c --- src/usr.sbin/lpr/lpc/lpc.c 13 Oct 2003 07:24:22 -0000 1.28 +++ src/usr.sbin/lpr/lpc/lpc.c 18 Nov 2004 14:23:21 -0000 @@ -162,27 +162,27 @@ bp = NULL; el = NULL; hist = NULL; + + el = el_init("lpc", stdin, stdout, stderr); + hist = history_init(); + history(hist, &he, H_EVENT, 100); + el_set(el, EL_HIST, history, hist); + el_set(el, EL_EDITOR, "emacs"); + el_set(el, EL_PROMPT, lpc_prompt); + el_set(el, EL_SIGNAL, 1); + el_source(el, NULL); + for (;;) { if (fromatty) { - if (!el) { - el = el_init("lpc", stdin, stdout, stderr); - hist = history_init(); - history(hist, &he, H_EVENT, 100); - el_set(el, EL_HIST, history, hist); - el_set(el, EL_EDITOR, "emacs"); - el_set(el, EL_PROMPT, lpc_prompt); - el_set(el, EL_SIGNAL, 1); - el_source(el, NULL); - /* - * EditLine init may call 'cgetset()' to set a - * capability-db meant for termcap (eg: to set - * terminal type 'xterm'). Reset that now, or - * that same db-information will be used for - * printcap (giving us an "xterm" printer, with - * all kinds of invalid capabilities...). - */ - cgetset(NULL); - } + /* + * EditLine init may call 'cgetset()' to set a + * capability-db meant for termcap (eg: to set + * terminal type 'xterm'). Reset that now, or + * that same db-information will be used for + * printcap (giving us an "xterm" printer, with + * all kinds of invalid capabilities...). + */ + cgetset(NULL); if ((bp = el_gets(el, &num)) == NULL || num == 0) quit(0, NULL); --- lpc.0.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
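Review bot: the cgetset(NULL) reset is left inside the `if (fromatty)` branch while el_init()/el_source() now run unconditionally before the loop, so on the non-tty (fgets) path the termcap capability db that editline init may install is never reset and the later printcap lookups get the wrong db, which is exactly the problem the retained comment describes; the call also now repeats on every loop iteration instead of once after init. Move `cgetset(NULL);` together with its comment to directly after `el_source(el, NULL);` outside the loop. Minor: the `el = NULL; hist = NULL;` assignments immediately above the new el_init()/history_init() calls are now dead, and el_init()'s return value is still passed to el_set() without a NULL check. The commit message should also say which call after fgets() dereferences el/hist, so nobody later moves the init back under fromatty, and note that because lpc is SGID, `el_source(el, NULL)` (which reads the user's editrc) is now executed for piped input as well, not only for interactive sessions.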