Bugtraq mailing list archives
Re: execve bug linux-2.2.12
From: matty () CIFS ORG (Matt Chapman)
Date: Tue, 19 Oct 1999 04:06:29 +1000
On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
> I would certainly be interested in an example that caused this.
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>

#define BADPTR (char *)0x10  /* for example */

int main(int argc, char **argv, char **envp)
{
    char *args[7];
    int i;

    args[0] = "su";
    /* args[1] through args[5] all point at the bad address */
    for (i = 1; i < 6; i++) {
        args[i] = BADPTR;
    }
    args[6] = NULL;

    execve("/bin/su", args, envp);
    /* only reached if execve() returns, i.e. it failed */
    printf("%s\n", strerror(errno));
    return 1;
}

This program (on my system at least 5 bad arguments are needed) reproducibly dies with SIGSEGV on 2.2.12. A similarly configured system with kernel 2.0.36 correctly reports EFAULT.

This would not normally be a problem, however... the above program will not dump core for an ordinary user, only root, which makes me believe that the fault occurs after the process has gained the root euid from /bin/su.

A gdb trace suggests the usual heap corruption in glibc, which does not seem to be related to the arguments passed to execve (as long as they are bad), so I doubt this is exploitable. However it is most likely a bug somewhere.

Matt

--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member
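Added example, not part of the original post: a regression probe that runs the same bad-argv execve() in a forked child and reports whether the kernel returned EFAULT (the 2.0.36 behaviour described above) or the child died on a signal (the 2.2.12 behaviour). The function name, the outcome constants and the non-setuid target /bin/sh are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define BADPTR ((char *)0x10)   /* same bad address as in the post */
/* Outcome names are this example's own, not from the post. */
enum { PROBE_EFAULT, PROBE_OTHER_ERRNO, PROBE_SIGNALLED, PROBE_EXECUTED, PROBE_ERROR };

/* Fork, execve(path) with nbad bad argv pointers, classify what happened.
 * *detail receives the errno, the signal number, or the exit status. */
int probe_execve(const char *path, int nbad, int *detail)
{
    char *args[16], *envp[] = { NULL };
    int fds[2], status, err = 0, i;
    ssize_t n;
    pid_t pid;
    if (nbad < 1 || nbad > 14 || pipe(fds) < 0)
        return PROBE_ERROR;
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);  /* write end closes if exec succeeds */
    args[0] = (char *)path;
    for (i = 1; i <= nbad; i++)
        args[i] = BADPTR;
    args[nbad + 1] = NULL;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return PROBE_ERROR; }
    if (pid == 0) {                      /* child: isolate the risky call */
        close(fds[0]);
        execve(path, args, envp);
        err = errno;                     /* reached only if execve returned */
        if (write(fds[1], &err, sizeof err) < 0) _exit(126);
        _exit(127);
    }
    close(fds[1]);
    n = read(fds[0], &err, sizeof err);  /* 0 bytes: child reported no errno */
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_ERROR;
    if (WIFSIGNALED(status)) { *detail = WTERMSIG(status); return PROBE_SIGNALLED; }
    if (n != (ssize_t)sizeof err) { *detail = WEXITSTATUS(status); return PROBE_EXECUTED; }
    *detail = err;
    return err == EFAULT ? PROBE_EFAULT : PROBE_OTHER_ERRNO;
}

int main(void)
{
    int d = 0, r = probe_execve("/bin/sh", 5, &d);  /* 5 bad args, as in the post */
    printf("outcome=%d detail=%d\n", r, d);
    return r == PROBE_EFAULT ? 0 : 1;    /* exit 0 only if the kernel rejected the bad argv */
}
```

PROBE_SIGNALLED with detail equal to SIGSEGV corresponds to the failure reported in the post; the close-on-exec pipe is what separates "execve returned an error" from "the new image started and then exited".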