From owner-freebsd-bugs Wed Jan 9 11:30:13 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <20020109202852.A61938@stack.nl>
Date: Wed, 9 Jan 2002 20:28:52 +0100
From: Marc Olzheim, Serge van den Boom
Reply-To: Marc Olzheim
To: FreeBSD-gnats-submit@freebsd.org
Cc: Marc Olzheim, Serge van den Boom
X-Send-Pr-Version: 3.113
Subject: kern/33738: [PATCH] empty argv

>Number:         33738
>Category:       kern
>Synopsis:       argv == NULL is not handled correctly by programs.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 09 11:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Marc Olzheim and Serge van den Boom
>Release:        FreeBSD 4.5-PRERELEASE
>Organization:   M.C.G.V. Stack
>Environment:
FreeBSD 2, 3, 4, 5
>Description:
FreeBSD's execve(2) does not check whether argv is NULL. This does not seem to pose an immediate threat, but programs like passwd and other setuid programs that use getopt(3) tend to use the example code from the getopt(3) manpage. This code does:

    argc -= optind;
    argv += optind;

If argc was 0, getopt(3) returns -1 and does not modify optind, which is initialized at 1. Thus argc becomes -1 and argv skips over the NULL pointer into the environment, which is loaded right after the argv strings array in memory. Programs that do not check argc before or after getopt(3) then regard the environment strings as arguments to the program. A good example is ls(1).

None of this poses any serious problems, besides crashing setuid programs, which do not look good in your dmesg, but this could be a problem in programs that handle arguments like ls(1).

OpenBSD does not allow empty argv, returning -1 and EFAULT in errno (the man page says it should return EINVAL, but it doesn't). I do not know whether this is a good option for FreeBSD as well, but I don't see any problems with the kernel patch right now.
If this patch is not possible for some reason, I think some programs need to be checked for misuse of argv, like ls(1) does.
>How-To-Repeat:
Attached are noargv.c, which takes a single argument and runs it with argv set to NULL, and 2 patches: one for the kernel and one for getopt(3), which does not do as it should according to the manual. Play around with noargv and see what happens...
>Fix:
Attached. The getopt patch fixes ls, but not passwd and probably some more programs...

Marc

[Attachment: kern_exec.c.patch]
--- /usr/src/sys/kern/kern_exec.c.orig Wed Jan 9 19:28:25 2002
+++ /usr/src/sys/kern/kern_exec.c Wed Jan 9 19:30:33 2002
@@ -582,7 +582,8 @@ imgp->argc++; } while ((argp = (caddr_t) (intptr_t) fuword(argv++))); } - } + } else + return(EFAULT); imgp->endargs = imgp->stringp;

[Attachment: getopt.c.patch]
--- /usr/src/lib/libc/stdlib/getopt.c Wed Jan 9 16:26:37 2002
+++ /usr/src/lib/libc/stdlib/getopt.c Wed Jan 9 16:51:27 2002
@@ -66,6 +66,15 @@ static char *place = EMSG; /* option letter processing */ char *oli; /* option letter list index */ + if (!nargc) + { + optind = 0; + if (optreset) + optreset = 0; + + return (-1); + } + if (optreset || !*place) { /* update scanning pointer */ optreset = 0; if (optind >= nargc || *(place = nargv[optind]) != '-') {

>Release-Note:
>Audit-Trail:
>Unformatted:
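Review bot: in the kern_exec.c hunk, the new `} else return(EFAULT);` leaves the argument-copying code with a bare return right before `imgp->endargs = imgp->stringp;`, so whatever the image setup has already reserved by this point (the string area that imgp->stringp indexes, at least) needs to be released on that path as well; routing the failure through the function's common error exit instead of returning in place avoids a leak. The new EFAULT case also needs an entry in the execve(2) ERRORS section, since the report itself notes that OpenBSD documents EINVAL for this condition while returning EFAULT, and FreeBSD should not inherit the same manpage mismatch; style(9) would also write it `return (EFAULT);`.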
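Review bot: in the getopt.c hunk, `optind = 0;` for `nargc == 0` makes the manpage idiom `argc -= optind; argv += optind;` yield argc 0 and an unshifted argv, which is the intended effect, but 0 is a value getopt(3) otherwise never leaves in optind (it is initialised to 1 and points at the next nargv element), so any caller or later getopt call that uses optind as an index into nargv now lands on the program-name slot; either document this in getopt(3) or leave optind at 1 and have callers check argc, as the report already suggests for ls(1). Within the block, `if (optreset) optreset = 0;` is the same as a plain `optreset = 0;` and the extra blank `+` line before `return (-1);` can go.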
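As an added illustration (not part of the report or its attachments), a small C model of the layout the description relies on: argv's NULL terminator followed directly by the environment array, the unchecked manpage idiom stepping into it, and the argc check a caller needs instead. The stack layout and environment strings are constructed, and optind is passed in explicitly to stand for the value getopt(3) leaves behind.

```c
#include <string.h>

/* Constructed model of the process stack after exec, following the report:
 * the argv array, its NULL terminator and the environment array sit back to
 * back. With argc == 0, argv is only its terminator; envp starts one slot on. */
static char *stack_words[] = {
    NULL,                        /* argv[0]: argv is empty */
    "HOME=/constructed/home",    /* envp[0], made-up value */
    "PATH=/constructed/bin",     /* envp[1], made-up value */
    NULL                         /* envp terminator */
};

struct args { int argc; char **argv; };

/* The getopt(3) manpage idiom applied blindly. For argc == 0, getopt(3)
 * returns -1 and leaves optind at its initial 1; optind is passed in rather
 * than read from the libc global so the demo stays deterministic. */
struct args shift_unchecked(int argc, char **argv, int optind)
{
    struct args a;
    a.argc = argc - optind;      /* 0 - 1 == -1 */
    a.argv = argv + optind;      /* steps over the NULL into envp */
    return a;
}

/* Hardened variant: refuse the shift when argv is empty or optind would run
 * past the array. Returns 1 on success, 0 when the caller must bail out. */
int shift_checked(int argc, char **argv, int optind, struct args *out)
{
    if (argc < 1 || optind < 1 || optind > argc)
        return 0;
    out->argc = argc - optind;
    out->argv = argv + optind;
    return 1;
}

/* 1 if the unchecked idiom ends up with an environment string as the first
 * remaining "argument", the failure mode the report describes for ls(1). */
int unchecked_reads_environment(void)
{
    struct args a = shift_unchecked(0, stack_words, 1);
    return a.argc == -1 && a.argv == &stack_words[1]
        && strcmp(a.argv[0], "HOME=/constructed/home") == 0;
}

int checked_refuses_empty_argv(void)
{
    struct args a;
    return shift_checked(0, stack_words, 1, &a) == 0;
}
```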