From owner-freebsd-current Thu Aug 1 8:18:36 2002
Date: Thu, 1 Aug 2002 15:43:56 +0200
From: Alexander Leidinger <Alexander@Leidinger.net>
To: current@freebsd.org
Cc: joachim@leidinger.net, ru@freebsd.org, phantom@freebsd.org
Subject: Bug in setlocale()
Message-Id: <20020801154356.63c61fc9.Alexander@Leidinger.net>
Organization: Independend
X-Mailer: Sylpheed version 0.7.8claws (GTK+ 1.2.10; i386-portbld-freebsd5.0)
Content-Type: text/plain; charset=US-ASCII

Hi,

we have a bug in setlocale(): it writes past

    static char new_categories[_LC_LAST][ENCODING_LEN + 1];

in the do-while loop around line 159.
I get this backtrace
---snip---
(gdb) bt
#0  0x2816c9bc in kill () from /usr/lib/libc.so.4
#1  0x281af744 in abort () at /usr/src/lib/libc/../libc/stdlib/abort.c:73
#2  0x28171d8b in setlocale (category=0, locale=0x8d88459 "font>\",\n\n\"A new online catalog will be created based on the configuration you have specified into the CommerceLauncher.\",\n\"Et nyt on-line katalog vil blive oprettet baseret på konfigurationen du"...) at /usr/src/lib/libc/../libc/locale/setlocale.c:159
#3  0x2823715a in XS_POSIX_setlocale (cv=0x8459d44) at POSIX.xs:3250
#4  0x80a3313 in Perl_pp_entersub () at pp_hot.c:2618
#5  0x809d41a in Perl_runops_debug () at run.c:53
#6  0x805bb01 in S_run_body (oldscope=1) at perl.c:1466
#7  0x805b828 in perl_run (my_perl=0x8105030) at perl.c:1393
#8  0x805903a in main (argc=3, argv=0xbfbffbc4, env=0xbfbffbd4) at perlmain.c:52
#9  0x8058f21 in _start ()
---snip---
on a 4.6-p1 system (current seems to contain the same code) with this modification:
---snip---
(gdb) up 2
#2  0x28171d8b in setlocale (category=0, locale=0x8d88459 "font>\",\n\n\"A new online catalog will be created based on the configuration you have specified into the CommerceLauncher.\",\n\"Et nyt on-line katalog vil blive oprettet baseret på konfigurationen du"...) at /usr/src/lib/libc/../libc/locale/setlocale.c:159
159                     if (_LC_LAST == i) abort();
(gdb) list
154             } else {
155                     for (i = 1; r[1] == '/'; ++r);
156                     if (!r[1])
157                             return (NULL);  /* Hmm, just slashes... */
158                     do {
159                             if (_LC_LAST == i) abort();
160                             len = r - locale > ENCODING_LEN ? ENCODING_LEN : r - locale;
161                             (void)strncpy(new_categories[i], locale, len);
162                             new_categories[i][len] = '\0';
163                             i++;
---snip---

Yes, I know, "locale" isn't set to anything valid. I don't know if this is exploitable (is there a length check somewhere for the involved env vars? If not we are in trouble), but at least it's a nasty buffer overflow (it overwrites parts of getpwent.c:__hashpw() on this particular machine and causes a segfault in getpwuid()).
Bye,
Alexander.

-- 
The three Rs of Microsoft support: Retry, Reboot, Reinstall.

http://www.Leidinger.net                       Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
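The report above shows the unbounded loop: each slash-separated component of a composite locale string is copied into the next row of new_categories[], with nothing stopping i once it reaches _LC_LAST. The following is an added illustration, not the FreeBSD libc code and not the poster's abort() patch: a stand-alone parser with the same structure that refuses input with more components than there are category slots and truncates each component to the encoding length, as the quoted strncpy does. CATEGORY_COUNT and ENC_LEN are stand-ins for _LC_LAST and ENCODING_LEN whose values are assumed here, and the sample locale strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for FreeBSD's _LC_LAST and ENCODING_LEN; the values are an
 * assumption for this example, not taken from the report.  Slot 0 is
 * LC_ALL, slots 1..CATEGORY_COUNT-1 hold the per-category locale names. */
#define CATEGORY_COUNT 7
#define ENC_LEN       31

typedef char category_table[CATEGORY_COUNT][ENC_LEN + 1];

/*
 * Split a composite locale string "a/b/c/..." into per-category names.
 * Returns the number of components stored (1..CATEGORY_COUNT-1), or -1 when
 * the string is empty, consists only of slashes, or carries more components
 * than there are rows in the table.  Without the i == CATEGORY_COUNT check
 * the copy below would run past the end of the table, which is exactly the
 * overflow described in the report.
 */
int parse_composite_locale(const char *locale, category_table out)
{
    int i = 1;

    memset(out, 0, sizeof(category_table));
    if (locale == NULL)
        return -1;

    /* skip leading slashes */
    while (*locale == '/')
        locale++;
    if (*locale == '\0')
        return -1;                     /* just slashes, or empty */

    for (;;) {
        const char *r = locale;
        size_t len;

        /* the bound the reported loop lacks: no more rows to write into */
        if (i == CATEGORY_COUNT)
            return -1;

        while (*r != '\0' && *r != '/')
            r++;
        len = (size_t)(r - locale);
        if (len > ENC_LEN)
            len = ENC_LEN;             /* truncate, as the original strncpy does */
        memcpy(out[i], locale, len);
        out[i][len] = '\0';
        i++;

        /* advance past the separator(s); stop at end of string */
        locale = r;
        while (*locale == '/')
            locale++;
        if (*locale == '\0')
            break;
    }
    return i - 1;
}

int main(void)
{
    /* constructed inputs: six components fit, seven do not */
    const char *inputs[] = {
        "C/en_US.ISO8859-1/C/C/C/C",
        "C/C/C/C/C/C/C",
        "///",
    };
    category_table t;

    for (size_t k = 0; k < sizeof(inputs) / sizeof(inputs[0]); k++) {
        int n = parse_composite_locale(inputs[k], t);
        printf("%-28s -> %d component(s)\n", inputs[k], n);
    }
    return 0;
}
```

The check sits at the top of the loop, before the copy, so the table can never receive a seventh row regardless of how many slashes the caller supplies; a too-long single component is cut at ENC_LEN rather than rejected, mirroring the length clamp on line 160 of the quoted listing.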