Date: Thu, 1 Aug 2002 15:43:56 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: current@freebsd.org
Cc: joachim@leidinger.net, ru@freebsd.org, phantom@freebsd.org
Subject: Bug in setlocale()
Message-ID: <20020801154356.63c61fc9.Alexander@Leidinger.net>
Hi,
we have a bug in setlocale(): it writes past
static char new_categories[_LC_LAST][ENCODING_LEN + 1];
in the do-while loop around line 159.
I get this backtrace
---snip---
(gdb) bt
#0 0x2816c9bc in kill () from /usr/lib/libc.so.4
#1 0x281af744 in abort () at /usr/src/lib/libc/../libc/stdlib/abort.c:73
#2 0x28171d8b in setlocale (category=0,
locale=0x8d88459 "font>\",\n\n\"A new online catalog will be created based on the configuration you have specified into the CommerceLauncher.\",\n\"Et nyt on-line katalog vil blive oprettet baseret på konfigurationen du"...)
at /usr/src/lib/libc/../libc/locale/setlocale.c:159
#3 0x2823715a in XS_POSIX_setlocale (cv=0x8459d44) at POSIX.xs:3250
#4 0x80a3313 in Perl_pp_entersub () at pp_hot.c:2618
#5 0x809d41a in Perl_runops_debug () at run.c:53
#6 0x805bb01 in S_run_body (oldscope=1) at perl.c:1466
#7 0x805b828 in perl_run (my_perl=0x8105030) at perl.c:1393
#8 0x805903a in main (argc=3, argv=0xbfbffbc4, env=0xbfbffbd4)
at perlmain.c:52
#9 0x8058f21 in _start ()
---snip---
on a 4.6-p1 system (current seems to contain the same code) with this
modification:
---snip---
(gdb) up 2
#2 0x28171d8b in setlocale (category=0,
locale=0x8d88459 "font>\",\n\n\"A new online catalog will be created based on the configuration you have specified into the CommerceLauncher.\",\n\"Et nyt on-line katalog vil blive oprettet baseret på konfigurationen du"...)
at /usr/src/lib/libc/../libc/locale/setlocale.c:159
159 if (_LC_LAST == i) abort();
(gdb) list
154 } else {
155 for (i = 1; r[1] == '/'; ++r);
156 if (!r[1])
157 return (NULL); /* Hmm, just slashes... */
158 do {
159 if (_LC_LAST == i) abort();
160 len = r - locale > ENCODING_LEN ? ENCODING_LEN : r - locale;
161 (void)strncpy(new_categories[i], locale, len);
162 new_categories[i][len] = '\0';
163 i++;
---snip---
Yes, I know, "locale" isn't set to anything valid.
I don't know if this is exploitable (is there a length check somewhere
for the involved env vars? If not we are in trouble), but at least it's
a nasty buffer overflow (it overwrites parts of getpwent.c:__hashpw() on
this particular machine and causes a segfault in getpwuid()).
Bye,
Alexander.
--
The three Rs of Microsoft support: Retry, Reboot, Reinstall.
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
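The loop quoted above copies each slash-separated component of the locale string into new_categories[i], and the only thing standing between it and the end of the array is the abort() at line 159. The function below is an added example, not code from FreeBSD libc or from the original mail: it does the same component splitting into a fixed-size array but bounds-checks before every write and returns -1 on over-long input instead of aborting or running off the end. The slot count (LC_LAST_MAX, standing in for _LC_LAST) and the per-component limit (ENC_LEN, standing in for ENCODING_LEN) are assumed values chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for this stand-alone example; they play the role of
 * _LC_LAST and ENCODING_LEN from the libc snippet in the mail. */
#define LC_LAST_MAX 7      /* slots 1..6 are usable, as in new_categories[] */
#define ENC_LEN     31     /* maximum stored length of one component */

/* Split a "/"-separated locale string (e.g. "en_US/de_DE/C") into
 * out[1..LC_LAST_MAX-1], mirroring how setlocale() fills new_categories[].
 * Returns the number of components stored, 0 if the input is empty or
 * consists only of slashes, and -1 if there are more components than slots.
 * Components longer than ENC_LEN are truncated, as the original code does.
 * The bounds check happens before any write, so nothing is ever stored
 * past out[LC_LAST_MAX-1]. */
int parse_locale_components(const char *locale, char out[LC_LAST_MAX][ENC_LEN + 1])
{
    if (locale == NULL)
        return -1;

    while (*locale == '/')          /* skip any leading slashes */
        locale++;
    if (*locale == '\0')
        return 0;                   /* "just slashes" or empty */

    int i = 1;
    const char *start = locale;
    for (;;) {
        const char *end = start;
        while (*end != '\0' && *end != '/')
            end++;
        size_t len = (size_t)(end - start);

        if (i >= LC_LAST_MAX)       /* refuse instead of overrunning */
            return -1;
        if (len > ENC_LEN)
            len = ENC_LEN;
        memcpy(out[i], start, len);
        out[i][len] = '\0';
        i++;

        while (*end == '/')         /* collapse a run of separators */
            end++;
        if (*end == '\0')
            break;
        start = end;
    }
    return i - 1;
}

/* Convenience wrappers so the result can be inspected without managing
 * the output array by hand (used by the tests below). */
int locale_component_count(const char *locale)
{
    char tmp[LC_LAST_MAX][ENC_LEN + 1];
    return parse_locale_components(locale, tmp);
}

/* Length of component idx (1-based), or -1 if parsing failed or idx is out of range. */
int locale_component_len(const char *locale, int idx)
{
    char tmp[LC_LAST_MAX][ENC_LEN + 1];
    int n = parse_locale_components(locale, tmp);
    if (n < 0 || idx < 1 || idx > n)
        return -1;
    return (int)strlen(tmp[idx]);
}

int main(void)
{
    /* Constructed inputs: a normal locale string and one with too many parts. */
    printf("en_US/de_DE/C       -> %d\n", locale_component_count("en_US/de_DE/C"));
    printf("a/b/c/d/e/f/g/h     -> %d\n", locale_component_count("a/b/c/d/e/f/g/h"));
    return 0;
}
```

The point of the rewrite is the order of operations: the slot check precedes the copy, and an untrusted string with more components than slots (such as a large, unrelated string passed to setlocale() by mistake, as in the Perl backtrace) yields an error the caller can handle, rather than an abort or an out-of-bounds write.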
