From: Mike Heffner
To: Peter Pentchev
Cc: FreeBSD-bugs, Marc Olzheim, freebsd-gnats-submit@freebsd.org
Subject: Re: bin/19422: users can overflow argv to make ps segfault
Date: Wed, 12 Dec 2001 10:36:03 -0500 (EST)
In-Reply-To: <20011212115039.B934@straylight.oblivion.bg>
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Mailer: XFMail 1.5.2 on FreeBSD

On 12-Dec-2001 Peter Pentchev wrote:
| On Tue, Dec 11, 2001 at 11:18:54PM -0500, Mike Heffner wrote:
|>
|> Well, I've looked at this a little more. I was able to reproduce it (it
|> took a few times though). Unfortunately, the patch isn't as simple as the
|> one in the PR. Could you please try the attached patch? There is still a
|> problem though, and that is that the strlen()s can seg fault if the
|> argv[] strings aren't NULL terminated - I don't know how to fix this
|> problem though :(
|
| If argv[] is the program arguments' array, as passed to main(), then
| you should not worry about it - its elements are supposed to be proper
| C strings, i.e. terminated by a '\0' character, and I still have to see
| a platform where they are not :)

But when a user modifies those arguments by explicitly setting argv[0], or
whatever, is where the problem is:

test5.c:

#include <sys/types.h>
#include <sys/sysctl.h>
#include <string.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
	int oid[4];
	char before[] = "BBBBBBB";	/* sits next to after[] on the stack */
	char after[5];

	/* Deliberately not '\0'-terminated: five 'A's and no terminator. */
	memset(after, 'A', sizeof(after));
	argv[0] = after;

	/* Hand the new argument area to the kernel via KERN_PROC_ARGS. */
	oid[0] = CTL_KERN;
	oid[1] = KERN_PROC;
	oid[2] = KERN_PROC_ARGS;
	oid[3] = getpid();
	sysctl(oid, 4, 0, 0, after, 65537);

	sleep(600);	/* stay alive so ps can be run from another terminal */
	return (0);
}

$ ./test5

on another terminal:

$ ps auxwww
...
spock   290  0.0  0.3   980  109  p0  S+   10:30AM   0:00.01 \
  AAAAA\M-{\M-?\M-?BBBBBBB (test5)
  ^^^^^^^^^^^^^^^^^^^

Mike

--
Mike Heffner
Blacksburg, VA
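The failure the thread describes is strlen() running over argument data whose terminating '\0' a process has removed. What follows is an added example, not code from the PR, from Mike's test program or from FreeBSD's ps(1): a splitter for a buffer of '\0'-separated argument strings (the shape KERN_PROC_ARGS returns) that never calls strlen(), bounds every scan by the length the caller reports, and reports an unterminated tail as a flag. The struct layout, the function names, the \xNN escaping (ps itself uses vis-style \M- notation) and the two sample buffers are assumptions made for this example.

```c
/*
 * Added example, not code from the PR or from FreeBSD's ps(1): bounded
 * splitting of a '\0'-separated argument buffer.  Every scan is limited
 * by the reported length, so an argument string that a process left
 * unterminated is flagged instead of being read past.  Names, layout and
 * the sample buffers below are assumptions made for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

struct argv_view {
    const char *start[MAX_ARGS];  /* pointers into the caller's buffer */
    size_t      len[MAX_ARGS];    /* byte lengths, '\0' not included */
    int         count;            /* arguments found */
    int         terminated;       /* 1 if the last string had its '\0' */
};

/* Split buf[0..buflen) into argument views.  memchr() is bounded by the
 * bytes that remain, so a tail without '\0' is recorded, not read past.
 * Returns the argument count, or -1 if the fixed-size view would overflow. */
static int
split_args_bounded(const char *buf, size_t buflen, struct argv_view *v)
{
    size_t off = 0;

    v->count = 0;
    v->terminated = 1;
    while (off < buflen) {
        const char *nul = memchr(buf + off, '\0', buflen - off);
        size_t n = (nul != NULL) ? (size_t)(nul - (buf + off)) : buflen - off;

        if (v->count == MAX_ARGS)
            return -1;
        v->start[v->count] = buf + off;
        v->len[v->count] = n;
        v->count++;
        if (nul == NULL) {
            v->terminated = 0;  /* exactly the case that makes strlen() overrun */
            break;
        }
        off += n + 1;
    }
    return v->count;
}

/* Render one argument into out[outsz], escaping bytes outside printable ASCII
 * as \xNN so stray control bytes never reach the terminal.  '\0'-terminates
 * out when outsz > 0 and returns the number of bytes written before the '\0'. */
static size_t
render_arg(const char *s, size_t n, char *out, size_t outsz)
{
    size_t i, w = 0;

    for (i = 0; i < n && w + 5 < outsz; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c >= 0x20 && c < 0x7f)
            out[w++] = (char)c;
        else
            w += (size_t)snprintf(out + w, outsz - w, "\\x%02x", c);
    }
    if (outsz > 0)
        out[w] = '\0';
    return w;
}

/* Constructed sample buffers, not captured from a real process. */
static const char GOOD_ARGS[] = "ps\0auxwww";                 /* sizeof counts the final '\0' */
static const char BAD_ARGS[5] = { 'A', 'A', 'A', 'A', 'A' };  /* no terminator at all */

/* Wrappers that return one value per case. */
static int count_args(const char *buf, size_t buflen)
{
    struct argv_view v;
    return split_args_bounded(buf, buflen, &v);
}

static int args_terminated(const char *buf, size_t buflen)
{
    struct argv_view v;
    return split_args_bounded(buf, buflen, &v) < 0 ? 0 : v.terminated;
}

static size_t rendered_width(const char *s, size_t n)
{
    char out[64];
    return render_arg(s, n, out, sizeof(out));
}

int main(void)
{
    const char *bufs[] = { GOOD_ARGS, BAD_ARGS };
    size_t lens[] = { sizeof(GOOD_ARGS), sizeof(BAD_ARGS) };
    struct argv_view v;
    char shown[64];
    int b, i;

    for (b = 0; b < 2; b++) {
        split_args_bounded(bufs[b], lens[b], &v);
        printf("buffer %d: %d argument(s), %s\n", b, v.count,
            v.terminated ? "terminated" : "UNTERMINATED tail");
        for (i = 0; i < v.count; i++) {
            render_arg(v.start[i], v.len[i], shown, sizeof(shown));
            printf("  arg[%d] = \"%s\" (%zu bytes)\n", i, shown, v.len[i]);
        }
    }
    return 0;
}
```

Run as-is, the first buffer yields "ps" and "auxwww" with the terminated flag set; the second, the five unterminated 'A's from the test program, yields one argument of exactly five bytes with the flag cleared, which is the condition a caller should treat as hostile input rather than hand to strlen() or print unescaped.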