List:       busybox
Subject:    Re: 0004684: linux32/linux64/setarch buffer overflows
From:       Cristian Cadar <cristic () stanford ! edu>
Date:       2008-08-25 6:08:08
Message-ID: 1971317917.40351219644488950.JavaMail.root () zm01 ! stanford ! edu

----- "Denys Vlasenko" <vda.linux@googlemail.com> wrote:
> On Friday 22 August 2008 06:26, Cristian Cadar wrote:
> > http://bugs.busybox.net/view.php?id=4684
> > 
> > Test cases:
> > <full-path>/linux32 -
> > <full-path>/linux64 -
> > ./setarch "" ""
> > 
> > 15: int setarch_main(int argc UNUSED_PARAM, char **argv)
> >     {
> >         int pers = -1;
> >         ...
> >     retry:
> > 25:     if (argv[0][5] == '6') /* linux64 */
> >             pers = PER_LINUX;
> > 27:     else if (argv[0][5] == '3') /* linux32 */
> >             pers = PER_LINUX32;
> > 29:     else if (pers == -1 && argv[1] != NULL) {
> >             pers = PER_LINUX32;
> > 31:         ++argv;
> >             goto retry;
> >         }
> > 
> > Consider <full-path>/linux32: one of the root problems is that argv[0]
> > can be the full path to the program, so testing argv[0][5] is not always
> > meaningful.
> >
> > When <full-path>/linux32 is called, the test on setarch.c:25 fails, as
> > does the one on line 27. The one on line 29 succeeds, so argv is
> > incremented, and execution jumps back to line 25. Now argv[0] is "-",
> > so testing argv[0][5] causes a buffer overflow. The cases for linux64
> > and setarch are similar.
> 
> Please try attached patch.

Thanks, I tested it and didn't find any other memory errors.

--Cristian
_______________________________________________
busybox mailing list
busybox@busybox.net
http://busybox.net/cgi-bin/mailman/listinfo/busybox
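
Added example, not part of the original message and not the patch attached in this thread (which is not reproduced on this page): one way to make the name test from the quoted setarch_main bounds-safe, by taking the last path component and confirming the "linux" prefix before reading index 5. The function names and the EX_PER_* constants are hypothetical stand-ins, and returning "none" for an unrecognised name is a choice made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for PER_LINUX / PER_LINUX32 so the example builds
 * anywhere; EX_PER_NONE plays the role of the quoted code's pers == -1. */
enum { EX_PER_LINUX = 0, EX_PER_LINUX32 = 8, EX_PER_NONE = -1 };

/* Last path component, so "/usr/bin/linux32" is judged as "linux32". */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Bounds-checked form of the argv[0][5] test. Index 5 is read only after
 * strncmp() has matched the 5-byte prefix "linux", which proves bytes 0..4
 * are non-NUL, so byte 5 exists (at worst it is the terminating NUL).
 * Short strings such as "-" or "" are rejected before any indexing. */
static int pers_from_name(const char *name)
{
    name = base_name(name);
    if (strncmp(name, "linux", 5) != 0)
        return EX_PER_NONE;
    if (name[5] == '6')
        return EX_PER_LINUX;
    if (name[5] == '3')
        return EX_PER_LINUX32;
    return EX_PER_NONE;
}

/* Same two-step lookup as the quoted retry loop: try the applet name in
 * argv[0]; if it is neither linux32 nor linux64 (invoked as setarch),
 * treat argv[1] as the name. EX_PER_NONE means "show usage". */
int select_personality(char **argv)
{
    int pers = pers_from_name(argv[0]);
    if (pers == EX_PER_NONE && argv[1] != NULL)
        pers = pers_from_name(argv[1]);
    return pers;
}
```

The three test cases from the report (a full-path linux32 or linux64 followed by "-", and setarch with two empty arguments) all pass through pers_from_name() without reading past a string's terminator.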