List:       busybox
Subject:    Re: Fixes
From:       Cristian Cadar <cristic () stanford ! edu>
Date:       2008-08-21 3:04:13
Message-ID: 1219287853.3551.9.camel () localhost ! localdomain

Thanks, I think the patch is correct. 

On Thu, 2008-08-21 at 00:20 +0200, Denys Vlasenko wrote:
> On Wednesday 20 August 2008 03:35, Cristian Cadar wrote:
> > Hey Denys, thanks for closing those bugs.
> > The fix you pushed does indeed fix one of the bugs I reported.  There's
> > another invalid access though, sorry for not being clear.
> > 
> > The problem occurs when you call envdir, setuidgid or envuidgid w/o any
> > arguments:
> > 
> > $ ./envdir 
> > envdir: chdir((null)): Bad address
> > 
> > In chpst_main, argv is initially {"envdir", NULL}.
> > 
> > 195:	if ((ENABLE_CHPST && applet_name[0] == 'c')
> > 196:	 || (ENABLE_SOFTLIMIT && applet_name[1] == 'o')
> > ...
> > 	} else {
> > 		option_mask32 = opt = 0;
> > 215:		argv++;
> > 	}
> > 
> > 	// envdir?
> > 	if (ENABLE_ENVDIR && applet_name[3] == 'd') {
> > 220:		env_dir = *argv++;
> > 		opt |= OPT_e;
> > 	}
> > ...
> > 237:	if (!*argv)
> > 		bb_show_usage();
> > 
> > 
> > Then, argv is incremented twice: once on line 215, and once on line 220.
> > Then, the dereference on line 237 accesses invalid memory. 
> > Also, edir(NULL) is called (line 344) which in turn incorrectly calls
> > chdir(NULL). 
> > 
> > The other calls (setuidgid or envuidgid) are similar.  A simple
> > validation that these programs are called w/ the right number of
> > arguments should solve this.
> 
> Please try this patch.
> --
> vda

_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
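
The argv walk described in the report above, as an added example that is not part of the original thread or the BusyBox source. `walk_unchecked` models the quoted lines 215, 220 and 237 with an index so the stray read is reported rather than performed; `parse_envdir` is a hypothetical hardened parse, not the patch Denys posted, and it assumes `argv[0]` is present.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of consuming argv the way the quoted excerpt does. */
struct walk {
    const char *env_dir;  /* value taken at "line 220" */
    int past_terminator;  /* 1 if the "line 237" read lies beyond argv[argc] */
};

/* Models lines 215, 220 and 237 with an index, so the out-of-bounds
 * read is reported instead of performed. */
static struct walk walk_unchecked(int argc, char **argv)
{
    struct walk w;
    int i = 0;
    i++;                    /* line 215: argv++ skips the applet name */
    w.env_dir = argv[i++];  /* line 220: env_dir = *argv++ (may be the NULL terminator) */
    w.past_terminator = (i > argc);  /* line 237: !*argv would read argv[i] */
    return w;
}

/* Hypothetical hardened parse (not the BusyBox patch): test each slot
 * before stepping over it, so the cursor never passes the terminator.
 * Returns 0 on success, -1 when usage should be shown. */
static int parse_envdir(char **argv, const char **env_dir, char ***prog)
{
    char **p = argv + 1;
    if (!*p)
        return -1;          /* directory missing */
    *env_dir = *p++;
    if (!*p)
        return -1;          /* program missing */
    *prog = p;
    return 0;
}

int main(void)
{
    char *bare[] = { "envdir", NULL };  /* constructed: no arguments */
    const char *dir = NULL;
    char **prog = NULL;
    struct walk w = walk_unchecked(1, bare);
    printf("unchecked: env_dir=%s past_terminator=%d\n",
           w.env_dir ? w.env_dir : "(null)", w.past_terminator);
    printf("hardened: %d\n", parse_envdir(bare, &dir, &prog));
    return 0;
}
```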