Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: execve bug linux-2.2.12

From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Sat, 16 Oct 1999 14:22:02 +0100


Basically the problem is that the execve system call checks that argv
is a valid pointer but it doesn't check that all of the pointers in
argv array are valid pointers. If you pass bad pointers into the


This is incorrect. To start with - it builds the argv pointer array
itself. The passed array is simply used to get a list of strings
and to build them on the stack of the target process.

The argv and envp is then built by the ELF loader walking these tables
in order to generate the argv and envp arrays that the SYS5 ABI expects
to be passed (saner ABI's the user space start up builds argc/argv).


execve system call you can corrupt the processes stack before it
returns to user space. Then when the kernel hands off the process to


I don't think you can. The built ELF stack looks roughly like

        [Environment] - null terminated string data
        [Arguments] - null terminated string data
        [Elf gloop]
        [envp]
        [argv]
        [argc]
-> You are here

on entry, so the stack is fine.


The thing that tipped me off to the problem was that a program that I
exec'd was getting killed with SIGSEGV in __libc_start_main before my
main function began running.


I would certainly be interested in an example that caused this. That there
could be a bug in the kernel or glibc exec building I can believe. Your
diagnosis of the cause however is dubious.

Alan
Previous By Date Next
Previous By Thread Next

Current thread: