Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: execve bug linux-2.2.12

From: matty () CIFS ORG (Matt Chapman)
Date: Tue, 19 Oct 1999 04:06:29 +1000

On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:


I would certainly be interested in an example that caused this.


#include <unistd.h>
#include <errno.h>

#define BADPTR (char *)0x10   /* for example */

int main(int argc, char **argv, char **envp)
{
        char *args[7];
        int i;

        args[0] = "su";
        for (i = 1; i < 6; i++) {
                args[i] = BADPTR;
        }
        args[6] = NULL;

        execve("/bin/su", args, envp);

        printf("%s\n", strerror(errno));
        return 1;
}

This program (on my system at least 5 bad arguments are needed) reproducibly
dies with SIGSEGV on 2.2.12. A similarly configured system with kernel 2.0.36
correctly reports EFAULT.

This would not normally be a problem, however... the above program will not
dump core for an ordinary user, only root, which makes me believe that the
fault occurs after the process has gained the root euid from /bin/su.

A gdb trace suggests the usual heap corruption in glibc, which does not
seem to be related to the arguments passed to execve (as long as they
are bad), so I doubt this is exploitable. However it is most likely a bug
somewhere.

        Matt


--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member
Previous By Date Next
Previous By Thread Next

Current thread: