Date: Wed, 12 Dec 2001 10:36:03 -0500 (EST)
From: Mike Heffner <mheffner@vt.edu>
To: Peter Pentchev <roam@ringlet.net>
Cc: FreeBSD-bugs <freebsd-bugs@freebsd.org>, Marc Olzheim <marcolz@ilse.nl>, freebsd-gnats-submit@freebsd.org
Subject: Re: bin/19422: users can overflow argv to make ps segfault
Message-ID: <XFMail.20011212103603.mheffner@vt.edu>
In-Reply-To: <20011212115039.B934@straylight.oblivion.bg>

On 12-Dec-2001 Peter Pentchev wrote:
| On Tue, Dec 11, 2001 at 11:18:54PM -0500, Mike Heffner wrote:
|>
|> Well, I've looked at this a little more. I was able to reproduce it (it
|> took a few times though). Unfortunately, the patch isn't as simple as the
|> one in the PR. Could you please try the attached patch? There is still a
|> problem though, and that is that the strlen()s can seg. fault if the
|> argv[] strings aren't NULL terminated - I don't know how to fix this
|> problem though :(
|
| If argv[] is the program arguments' array, as passed to main(), then
| you should not worry about it - its elements are supposed to be proper
| C strings, i.e. terminated by a '\0' character, and I still have to see
| a platform where they are not :)
But when a user modifies those arguments by explicitly setting argv[0], or
whatever, that is where the problem is:
test5.c:

#include <stdio.h>
#include <string.h>		/* memset() */
#include <sys/exec.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	int oid[4];
	/* Sits on the stack next to `after`; it shows up in the ps output once
	 * the read runs past the missing '\0'. */
	char before[] = "BBBBBBB";
	char after[5];

	/* Deliberately NOT NUL-terminated: five 'A's and no '\0' anywhere. */
	memset(after, 'A', sizeof(after));
	/* Point argv[0] at the unterminated buffer; ps follows this pointer. */
	argv[0] = after;

	oid[0] = CTL_KERN;
	oid[1] = KERN_PROC;
	oid[2] = KERN_PROC_ARGS;
	oid[3] = getpid();
	/* Hand the kernel `after` as the new argument string with a length
	 * (65537) far larger than the five bytes the buffer actually holds. */
	sysctl(oid, 4, 0, 0, after, 65537);
	/* Stay alive so ps can be run against this process from another terminal. */
	sleep(600);
	return(0);
}

$ ./test5
on another terminal:
$ ps auxwww
...
spock 290 0.0 0.3 980 109 p0 S+ 10:30AM 0:00.01 \
AAAAA\M-{\M-?\M-?BBBBBBB (test5)
^^^^^^^^^^^^^^^^^^^
Mike
--
Mike Heffner <mheffner@[acm.]vt.edu>
Blacksburg, VA <mikeh@FreeBSD.org>
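Added example, not part of this mail or of the FreeBSD ps source: a bounded reader for argument strings that have been copied out of another process, the defensive counterpart to the strlen() problem discussed above. The `remote_region` contents, the function names and the buffer sizes are constructed for illustration; the region stands in for what ps would have copied out of the target, with one proper C string and one argument that runs to the end of the region without a '\0', like the "AAAAA" buffer in test5.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a process's argument area after it has been
 * copied out of the target's memory: argv[0] ("ps") is a proper C string,
 * while the argument starting at offset 3 runs to the end of the copied
 * region with no '\0' at all.
 */
static const char remote_region[] = { 'p', 's', '\0', 'A', 'A', 'A', 'A', 'A' };
#define REGION_LEN (sizeof(remote_region))

/*
 * Copy the argument string that starts at `off` in the copied region into
 * `out` (capacity `outsz`). Unlike strlen(), the scan never runs past
 * region_len bytes, and `out` is always NUL-terminated. Returns the number
 * of bytes copied; *terminated is set to 1 only if a '\0' was found inside
 * the region, 0 if the region ended first (the case that crashed ps).
 */
static size_t
read_arg_bounded(const char *region, size_t region_len, size_t off,
    char *out, size_t outsz, int *terminated)
{
	size_t avail, n;

	*terminated = 0;
	if (outsz == 0)
		return (0);
	out[0] = '\0';
	if (off >= region_len)		/* pointer outside the copied area */
		return (0);

	avail = region_len - off;
	for (n = 0; n < avail; n++) {	/* bounded scan, never strlen() */
		if (region[off + n] == '\0') {
			*terminated = 1;
			break;
		}
	}
	if (n >= outsz)
		n = outsz - 1;		/* truncate to the caller's buffer */
	memcpy(out, region + off, n);
	out[n] = '\0';
	return (n);
}

/* Small wrappers over the constructed region, used by main() below. */
static char argbuf[16];
static int last_terminated;

static const char *
arg_at(size_t off)
{
	read_arg_bounded(remote_region, REGION_LEN, off, argbuf,
	    sizeof(argbuf), &last_terminated);
	return (argbuf);
}

static int
arg_terminated_at(size_t off)
{
	(void)arg_at(off);
	return (last_terminated);
}

static size_t
arg_len_at(size_t off)
{
	return (read_arg_bounded(remote_region, REGION_LEN, off, argbuf,
	    sizeof(argbuf), &last_terminated));
}

int
main(void)
{
	size_t offs[] = { 0, 3, 99 };	/* good string, unterminated, out of range */
	size_t i;

	for (i = 0; i < sizeof(offs) / sizeof(offs[0]); i++) {
		const char *s = arg_at(offs[i]);
		printf("offset %zu: \"%s\" (%zu bytes, %s)\n", offs[i], s,
		    strlen(s), last_terminated ? "terminated" : "NO terminator");
	}
	return (0);
}
```

The point of the `terminated` flag is that a reader of foreign memory cannot assume the pointer it followed leads to a C string: it has to treat the end of the copied region as a hard stop, and it is useful to report when that stop was hit so the caller can mark the argument as truncated rather than print whatever happened to follow it.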
