Bugtraq mailing list archives

Re: execve bug linux-2.2.12


From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Wed, 20 Oct 1999 09:15:53 +0300


-----BEGIN PGP SIGNED MESSAGE-----

Apparently the Linux execve( ) bug is caused by the failure of
copy_strings( ) in /usr/src/linux/fs/exec.c to check the return value
of strlen_user( ).  On error, strlen_user( ) returns zero, and
copy_strings( ) blithely copies zero bytes to the argument table of
the programme to be execve( )'d, thus effectively removing any bad
pointers from argv.  The problem is that argc is not updated, so the
missing arguments are taken from the environment string table, and the
missing environment strings from whatever happens to be at the top of
memory after the string table.  When that is exhausted, the rest of the
environment pointers point to the end of memory, which causes the SEGV's
people have been observing.  I don't see any possible way this bug could
affect security, however.

Taneli Huuskonen

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQB1AwUBOA1dkgUw3ir1nvhZAQE0XwL/WqVme0f2OzI39Wu4O+tcj3eIqFMS80lc
IjdaSoiTJmY//n3ku9aaNip+oshorXke/a0LS1peRm+0ZRHv7ir9XXdZIO/9EGFz
2pVPMRxLK+51OxBdn1v213s3rJN/X4w0
=FmvN
-----END PGP SIGNATURE-----

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
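As an added illustration (not part of the post above or of the kernel source), the following user-space C model reproduces the argc/argv skew the post describes: a copy loop that takes a zero length from a strlen_user()-like helper as "nothing to copy" instead of as a fault, leaving argc unchanged while one pointer silently disappears from the table. It also shows the fix a reviewer would ask for: treat zero as an error and refuse the exec. Everything here is constructed: sim_strlen_user() stands in for strlen_user() and models an unreadable pointer as NULL, the string table and the sample argv/envp are invented, and the layout (argv strings followed by envp strings, envp read from index argc onward) is only a simplified model of what fs/exec.c does.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRINGS 8
#define BUF_SIZE 256

/* Model of strlen_user(): the real kernel helper returns 0 when the user
 * pointer cannot be read. This constructed model treats NULL as the
 * unreadable pointer; otherwise it returns the length including the NUL. */
static size_t sim_strlen_user(const char *p)
{
    if (p == NULL)
        return 0;
    return strlen(p) + 1;
}

/* The string table exec builds for the new process: argv strings first,
 * then envp strings, each entry's pointer recorded in order. */
struct string_table {
    char buf[BUF_SIZE];
    size_t used;
    const char *ptrs[MAX_STRINGS];
    int count;            /* strings actually placed */
};

static struct string_table table;

/* Shared copy loop. With treat_zero_as_fault == 0 it mirrors the flaw
 * described in the post: a zero length is not an error, zero bytes are
 * copied, the entry is silently dropped, and the caller's count (argc)
 * is never adjusted. With 1, a zero length aborts the exec with -EFAULT. */
static int copy_strings(int n, const char *const *strs, int treat_zero_as_fault)
{
    for (int i = 0; i < n; i++) {
        size_t len = sim_strlen_user(strs[i]);
        if (len == 0) {
            if (treat_zero_as_fault)
                return -EFAULT;   /* fixed behaviour: refuse the exec */
            continue;             /* buggy behaviour: drop the string */
        }
        if (table.used + len > BUF_SIZE || table.count >= MAX_STRINGS)
            return -E2BIG;
        memcpy(table.buf + table.used, strs[i], len);
        table.ptrs[table.count++] = table.buf + table.used;
        table.used += len;
    }
    return 0;
}

/* Constructed sample input: argv[1] is an unreadable pointer (NULL here). */
static const char *const sample_argv[] = { "prog", NULL, "arg2" };
static const int sample_argc = 3;
static const char *const sample_envp[] = { "HOME=/tmp", "PATH=/bin" };
static const int sample_envc = 2;

/* Run the exec string-copy step over the sample. Returns 0 or -errno. */
static int run_exec_copy(int fixed)
{
    memset(&table, 0, sizeof table);
    int rc = copy_strings(sample_argc, sample_argv, fixed);
    if (rc)
        return rc;
    return copy_strings(sample_envc, sample_envp, fixed);
}

/* What the new process reads as argv[i]: argc still says sample_argc, so
 * it simply indexes the table. NULL means the table is already exhausted. */
static const char *seen_argv(int i)
{
    return (i < table.count) ? table.ptrs[i] : NULL;
}

/* What the new process reads as envp[j]: the loader puts envp right after
 * argc entries, no matter how many argv strings were really copied. */
static const char *seen_envp(int j)
{
    int idx = sample_argc + j;
    return (idx < table.count) ? table.ptrs[idx] : NULL;
}

int main(void)
{
    int rc = run_exec_copy(0);
    printf("buggy copy: rc=%d\n", rc);
    for (int i = 0; i < sample_argc; i++)
        printf("  argv[%d] = %s\n", i, seen_argv(i) ? seen_argv(i) : "(past end of table)");
    for (int j = 0; j < sample_envc; j++)
        printf("  envp[%d] = %s\n", j, seen_envp(j) ? seen_envp(j) : "(past end of table)");
    rc = run_exec_copy(1);
    printf("fixed copy: rc=%d (%s)\n", rc, rc == -EFAULT ? "EFAULT, exec refused" : "ok");
    return 0;
}
```

With the buggy loop the new program sees "arg2" at argv[1] and the first environment string at argv[2], while the last envp slot runs off the end of the table, which is the shifted-arguments-then-SEGV pattern the post explains. With the check in place the exec fails with EFAULT before any table is handed to the new image, which is the behaviour a caller passing a bad pointer should get.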
