Bugtraq mailing list archives
Re: execve bug linux-2.2.12
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Sat, 16 Oct 1999 14:22:02 +0100
> Basically the problem is that the execve system call checks that argv is a valid pointer but it doesn't check that all of the pointers in argv array are valid pointers. If you pass bad pointers into the
This is incorrect. To start with - it builds the argv pointer array itself. The passed array is simply used to get a list of strings and to build them on the stack of the target process. The argv and envp are then built by the ELF loader walking these tables in order to generate the argv and envp arrays that the SYS5 ABI expects to be passed (saner ABIs the user space start up builds argc/argv).
> execve system call you can corrupt the processes stack before it returns to user space. Then when the kernel hands off the process to
I don't think you can. The built ELF stack looks roughly like
    [Environment] - null terminated string data
    [Arguments] - null terminated string data
    [Elf gloop]
    [envp]
    [argv]
    [argc] -> You are here on entry, so the stack is fine.
> The thing that tipped me off to the problem was that a program that I exec'd was getting killed with SIGSEGV in __libc_start_main before my main function began running.
I would certainly be interested in an example that caused this. That there could be a bug in the kernel or glibc exec building I can believe. Your diagnosis of the cause however is dubious.
Alan
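Added example, not part of the message above and not kernel or glibc code: a C check, for a current Linux system rather than 2.2.12, of the behaviour the reply describes, where execve() only reads strings through the passed array. A bad entry makes the call fail with EFAULT (as documented in execve(2)) and the calling process carries on. The function names and the use of /bin/sh as the target are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that calls execve("/bin/sh", argv, envp).
 * Returns 0 if the exec succeeded, else the errno execve() reported. */
static int exec_errno(char *const argv[])
{
    char *const envp[] = { NULL };
    int pfd[2], err = 0;
    if (pipe(pfd) != 0)
        return -1;
    fcntl(pfd[1], F_SETFD, FD_CLOEXEC);  /* write end vanishes if exec works */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        execve("/bin/sh", argv, envp);
        err = errno;                     /* reached only when execve failed */
        if (write(pfd[1], &err, sizeof err) != (ssize_t)sizeof err)
            _exit(126);
        _exit(127);                      /* child is still intact and exits */
    }
    close(pfd[1]);
    if (read(pfd[0], &err, sizeof err) != (ssize_t)sizeof err)
        err = 0;                         /* EOF: the child image was replaced */
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return err;
}
/* Constructed input: argv[1] is an unmapped address, not a string. */
int bad_pointer_errno(void)
{
    char *const argv[] = { "sh", (char *)1, NULL };
    return exec_errno(argv);
}
/* Control case: every entry points at a real string. */
int good_pointers_errno(void)
{
    char *const argv[] = { "sh", "-c", "exit 0", NULL };
    return exec_errno(argv);
}
int main(void)
{
    printf("bad argv[1]: %s\n", strerror(bad_pointer_errno()));
    printf("valid argv:  %d (0 = exec succeeded)\n", good_pointers_errno());
    return 0;
}
```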