Date: Tue, 5 Feb 2002 19:05:30 +0000
From: biometrix <bio.metrix@gte.net>
To: audit@freebsd.org
Subject: tmpfile() libc call causes buffer overflow?
Message-ID: <20020207010159.EFLX12982.out008.verizon.net@there>
I found that if I altered the exported TMPDIR variable to a long string (50 x "G"),
/usr/bin/pr would exit with a segmentation fault.
export TMPDIR=`perl -e 'print "G" x 50'`
bash-2.05# pr
Cannot defer diagnostic messages
Segmentation fault (core dumped)
The code executed just before the segmentation fault is :
if ((err = tmpfile()) == NULL) {
        (void)fputs("Cannot defer diagnostic messages\n", stderr);
        return(1);
}
In : /usr/src/lib/libc/stdio/tmpfile.c there is a call for
"tmpdir = getenv("TMPDIR");"
so it returns a filename based on the environment variable "TMPDIR", so the
result of tmpfile() can be poisoned by altering TMPDIR?
I tested it using most of the code found in "tmpfile.c" and got the result:
./test
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG/tmp.XXXXXX
gdb says the error occurs in:
#0 0x280dca59 in __sfvwrite () from /usr/lib/libc.so.4
when pr crashes and the core file contains the string:
strings pr.core | grep -i tmp
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG/tmp.XXXXXX
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG/tmp.GIvbJl
TMPDIR
/tmp
TMPDIR=GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
pr is the only binary I can find in the source tree that uses the tmpfile()
call, so I cannot test against anything else.
Am I incorrect that this problem is caused by the getenv() for TMPDIR in
tmpfile.c?
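The pattern the report suspects, an environment-supplied directory copied into a fixed-size path buffer with no length check, shown beside a bounded version. This is an added illustration written for this archive page, not FreeBSD's tmpfile.c and not the reporter's test program; the buffer is shrunk to 32 bytes (a hypothetical PATH_BUF, where a real libc would use PATH_MAX) so that the reporter's 50-byte TMPDIR exercises the length check, and pick_tmpdir() is a hypothetical helper showing how a careful tmpfile() could validate TMPDIR and fall back to /tmp.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Shrunk on purpose so the report's 50-byte TMPDIR trips the length
 * check; a real libc would size this PATH_MAX (assumption, see lead-in). */
#define PATH_BUF       32
#define TMP_TEMPLATE   "/tmp.XXXXXX"
#define DEFAULT_TMPDIR "/tmp"

/* The hazard in miniature (hypothetical, not FreeBSD's code): dir is
 * copied into a fixed buffer with no check, so a long TMPDIR writes
 * past the end of buf. Shown for contrast; only ever called here with a
 * short, constant directory. */
static void unsafe_tmp_path(const char *dir, char buf[PATH_BUF])
{
    strcpy(buf, dir);            /* overflows if strlen(dir) >= PATH_BUF */
    strcat(buf, TMP_TEMPLATE);   /* and again here */
}

/* Bounded form: snprintf never writes more than n bytes, and its return
 * value says whether the whole path fit. 0 = ok, -1 = too long (buf is
 * left empty rather than silently truncated). */
static int safe_tmp_path(const char *dir, char *buf, size_t n)
{
    int len = snprintf(buf, n, "%s%s", dir, TMP_TEMPLATE);
    if (len < 0 || (size_t)len >= n) {
        if (n > 0)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* How a careful tmpfile() might treat TMPDIR: honour it only when it is
 * set, non-empty, short enough for an n-byte buffer and an existing
 * directory; otherwise fall back to /tmp. The value is passed in so the
 * caller (or a test) need not touch the real environment. */
static const char *pick_tmpdir(const char *tmpdir, size_t n)
{
    struct stat st;

    if (tmpdir == NULL || *tmpdir == '\0')
        return DEFAULT_TMPDIR;
    if (strlen(tmpdir) + strlen(TMP_TEMPLATE) >= n)
        return DEFAULT_TMPDIR;
    if (stat(tmpdir, &st) != 0 || !S_ISDIR(st.st_mode))
        return DEFAULT_TMPDIR;
    return tmpdir;
}

/* The report's poisoned value: 50 x "G" (constructed sample input). */
static const char *fifty_g(void)
{
    static char g[51];
    memset(g, 'G', 50);
    g[50] = '\0';
    return g;
}

/* Build the path for dir into a static PATH_BUF buffer; "" if rejected. */
static const char *demo_path(const char *dir)
{
    static char buf[PATH_BUF];
    safe_tmp_path(dir, buf, sizeof buf);
    return buf;
}

int main(void)
{
    char buf[PATH_BUF];
    int rc;

    printf("TMPDIR=%s\n  directory a careful tmpfile() would use: %s\n",
           fifty_g(), pick_tmpdir(fifty_g(), PATH_BUF));
    rc = safe_tmp_path(fifty_g(), buf, sizeof buf);
    printf("  safe_tmp_path -> %d (path \"%s\")\n", rc, buf);
    rc = safe_tmp_path(DEFAULT_TMPDIR, buf, sizeof buf);
    printf("TMPDIR=%s\n  safe_tmp_path -> %d (path \"%s\")\n", DEFAULT_TMPDIR, rc, buf);
    unsafe_tmp_path(DEFAULT_TMPDIR, buf);   /* short input only: stays in bounds */
    printf("  unsafe_tmp_path with short dir: \"%s\"\n", buf);
    return 0;
}
```

With the reporter's 50-byte TMPDIR, safe_tmp_path() refuses (the 61-byte result does not fit) and pick_tmpdir() falls back to /tmp, whereas unsafe_tmp_path() would have written well past its 32-byte buffer; either check alone is enough to turn the crash the report describes into a clean fallback.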
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020207010159.EFLX12982.out008.verizon.net>
