Bugtraq mailing list archives
Re: execve bug linux-2.2.12
From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Wed, 20 Oct 1999 09:15:53 +0300
Apparently the Linux execve() bug is caused by the failure of copy_strings() in /usr/src/linux/fs/exec.c to check the return value of strlen_user(). On error, strlen_user() returns zero, and copy_strings() blithely copies zero bytes to the argument table of the programme to be execve()'d, thus effectively removing any bad pointers from argv.

The problem is that argc is not updated, so the missing arguments are taken from the environment string table, and the missing environment strings from whatever happens to be at the top of memory after the string table. When that is exhausted, the rest of the environment pointers point to the end of memory, which causes the SEGV's people have been observing.

I don't see any possible way this bug could affect security, however.

Taneli Huuskonen

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
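The mechanism described in the message above, as an added example that is not part of the original post and not kernel code: a simplified user-space model in which a bad pointer is represented by NULL, the string area is a flat buffer, and all function names and sample strings are constructed. It shows the unchecked copy letting an environment string slide into argv while argc stays the same, next to a variant that checks the length and refuses the exec.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define AREA 256
/* Stand-in for strlen_user(): length incl. NUL, 0 on a bad pointer (modelled as NULL). */
static size_t strlen_user_model(const char *s) { return s ? strlen(s) + 1 : 0; }

/* Model of copy_strings(): check == 0 copies zero bytes for a bad pointer, check == 1 rejects it. */
static int copy_strings_model(int n, const char **v, char *area, size_t *used, int check)
{
    for (int i = 0; i < n; i++) {
        size_t len = strlen_user_model(v[i]);
        if (len == 0 && check) return -EFAULT;   /* the missing return-value check */
        if (*used + len > AREA) return -E2BIG;
        if (len) memcpy(area + *used, v[i], len);
        *used += len;
    }
    return 0;
}

/* Return the n-th NUL-terminated string in the area, or NULL past its end. */
static const char *nth_string(const char *area, size_t used, int n)
{
    size_t off = 0;
    while (n-- > 0 && off < used) off += strlen(area + off) + 1;
    return off < used ? area + off : NULL;
}

/* Slot idx as the new program sees it: 0..2 are argv (argc stays 3), 3..4 are envp. */
static const char *exec_model(int check, int idx)
{
    static char area[AREA];
    const char *argv[] = { "prog", NULL /* constructed bad pointer */, "arg2" };
    const char *envp[] = { "HOME=/root", "PATH=/bin" };   /* constructed sample */
    size_t used = 0;
    memset(area, 0, sizeof area);
    if (copy_strings_model(3, argv, area, &used, check) < 0) return NULL;
    if (copy_strings_model(2, envp, area, &used, check) < 0) return NULL;
    return nth_string(area, used, idx);
}

int main(void)
{
    const char *a2 = exec_model(0, 2);
    printf("unchecked argv[2] = %s\n", a2 ? a2 : "(none)");
    printf("checked exec      = %s\n", exec_model(1, 0) ? "ran" : "refused (-EFAULT)");
}
```

In the model the last environment slot simply comes back empty; in the message's description the real kernel instead fills it from whatever lies past the string table.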