Bugtraq mailing list archives
Vulnerabilities with Swish
From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Thomas Bauer)
Date: Tue, 10 Nov 1998 16:01:11 +0100
On Tue Nov 10 10:19:31 1998, Aaron Campbell wrote:
> You've made a pretty bold assumption here on what order the compiler will decide the local variables should live on the stack. In particular, any optimization options passed to gcc will often rearrange the positions of the automatic variables.
Thanks for pointing this out to me. I have done a little "experiment" on that issue: I took the xlock.c file and compiled it with gcc-2.7.2.1 using the -S option (gcc -S xlock.c) on my Linux PC. Although there are (of course) some "..... undeclared" errors at lines 3269 and 3275 (that is NOT in the function read_plan), an output file xlock.s containing the assembler code is produced.

One can now see that if no optimizing options are used, "char *home" is located right above "char buf[121]" on the stack, but when you use the -O or -O2 options with gcc, then "FILE *planf" will be right above "char buf[121]" on the stack. Therefore, in the latter case the most significant byte (on a little endian machine) of "FILE *planf" will be overwritten by NULL.

As Thomas Schweikle <tschweik () fiducia de> has pointed out in his reply, there may be some more "scenarios", depending on the architecture/compiler/options combination used to compile xlock, so the question is whether there is any combination of architecture/compiler/options that will produce code that contains a security hole.

Jochen Bauer
Institute for Theoretical Physics
University of Stuttgart, Germany
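As an added illustration (not code from this thread or from xlock itself), the following C model shows the one-byte overwrite being discussed: a constructed off-by-one copy into a 121-byte buffer next to a bounded version, with the neighbouring variable modelled as the bytes immediately above buf in one flat array, so the outcome does not depend on which layout a given compiler or -O level picks. The copy routines, names and sentinel value are assumptions; the real read_plan code is not reproduced.

```c
#include <stddef.h>
#include <string.h>

#define BUF_LEN 121                 /* same size as xlock's "char buf[121]" */
#define NEIGHBOUR_SENTINEL 0xAA     /* constructed marker for the neighbour's bytes */

/* Vulnerable pattern (constructed here, not xlock's actual code): copy up to
 * BUF_LEN bytes, then write the terminator at dst[n]. When the source is
 * BUF_LEN bytes or longer, n == BUF_LEN and the NUL lands one byte past buf,
 * i.e. in whatever variable the compiler placed right above it. */
void copy_off_by_one(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n > BUF_LEN)
        n = BUF_LEN;
    memcpy(dst, src, n);
    dst[n] = '\0';                  /* BUG: dst[BUF_LEN] is outside the buffer */
}

/* Hardened version: reserve one byte so the terminator is always inside. */
void copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n > dstsz - 1)
        n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Models the frame the post describes: buf followed at the next higher
 * address by a pointer-sized variable. Returns 1 if the first byte of that
 * neighbour (its low byte on a little-endian machine) was overwritten. */
int neighbour_clobbered(int use_bounded, const char *src)
{
    unsigned char frame[BUF_LEN + sizeof(void *)];
    memset(frame, NEIGHBOUR_SENTINEL, sizeof frame);
    char *buf = (char *)frame;
    if (use_bounded)
        copy_bounded(buf, BUF_LEN, src);
    else
        copy_off_by_one(buf, src);
    return frame[BUF_LEN] != NEIGHBOUR_SENTINEL;
}

/* Builds a constructed input of `len` 'A' characters and runs one copy. */
int run_experiment(int use_bounded, size_t len)
{
    char src[256];
    if (len > sizeof src - 1)
        len = sizeof src - 1;
    memset(src, 'A', len);
    src[len] = '\0';
    return neighbour_clobbered(use_bounded, src);
}
```

The -S step from the post is still the way to learn which variable really sits above buf in a given build; this model only shows why a single NUL there matters.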