List: busybox
Subject: Re: [PATCH 1/2] Revert "ash: use alloca to get rid of setjmp"
From: Rich Felker <dalias () libc ! org>
Date: 2015-07-26 23:21:26
Message-ID: 20150726232126.GO16376 () brightrain ! aerifal ! cx
On Wed, Jul 22, 2015 at 04:02:22PM +0100, Daniel Thompson wrote:
> 2015-07-22 5:19 GMT+02:00 Rich Felker <dalias@libc.org>:
> >On Sun, Jul 19, 2015 at 11:07:13PM +0200, Denys Vlasenko wrote:
> >>I would rather keep it.
> >>
> >>What is the "most horrible" thing which can happen here?
> >
> >Arbitrary code execution due to stack overflow. Does this really need
> >a PoC? alloca is _always_ unsafe unless the argument is bounded and
> >tiny.
>
> It would be interesting to know if ash ever automatically runs its
> tokenizer over environment variables.
>
> If the tokenizer can only run on the command stream then there's not
> much to be gained from overflowing the stack since anyone who can
> inject an evil token into the command stream already has shell access.
This is not the case. A counterexample is eval acting on a string
constructed from untrusted input that was already validated to be safe
(e.g. to consist entirely of alphanumeric characters).
Rich
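The pattern Rich is arguing for ("bounded and tiny, otherwise not on the stack") is easy to show in a few lines. The following is an added illustration written for this archive page; it is not code from the busybox thread, from ash, or from any of the posters. The buffer bound, the `process_token` name and the uppercasing stand-in for "tokenizer work" are all constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <alloca.h>

/* Constructed upper bound on what we are willing to place on the stack.
 * Anything larger goes to the heap, so a caller-controlled length can
 * never move the stack pointer past the guard page. */
#define STACK_SCRATCH_MAX 256

/* The shape of the defect under discussion: the scratch size is taken
 * straight from the input length. A long enough input walks the stack
 * pointer out of the mapped stack. Kept here only as the "before" form;
 * nothing below calls it. */
char *process_token_unbounded(const char *src, size_t len) {
    char *scratch = alloca(len);          /* unbounded alloca: the bug */
    memcpy(scratch, src, len);
    char *out = malloc(len + 1);
    if (out) { memcpy(out, scratch, len); out[len] = '\0'; }
    return out;
}

/* Returns 1 if a scratch buffer of `need` bytes may live on the stack. */
int scratch_fits_on_stack(size_t need) {
    return need <= STACK_SCRATCH_MAX;
}

/* Hardened form: a fixed-size stack buffer for small inputs and a heap
 * allocation otherwise. No stack allocation ever depends on `len`.
 * Uppercasing stands in for whatever the tokenizer would do with the copy;
 * the result is returned as a heap-allocated, NUL-terminated string. */
char *process_token(const char *src, size_t len) {
    char stack_scratch[STACK_SCRATCH_MAX];
    char *scratch = stack_scratch;
    if (!scratch_fits_on_stack(len)) {
        scratch = malloc(len);
        if (!scratch) return NULL;
    }
    memcpy(scratch, src, len);
    for (size_t i = 0; i < len; i++) {
        if (scratch[i] >= 'a' && scratch[i] <= 'z')
            scratch[i] = (char)(scratch[i] - ('a' - 'A'));
    }
    char *out = malloc(len + 1);
    if (out) { memcpy(out, scratch, len); out[len] = '\0'; }
    if (scratch != stack_scratch) free(scratch);
    return out;
}

/* Self-check: builds a string of `len` lowercase letters, runs it through
 * process_token() and verifies every byte was uppercased. Small `len`
 * exercises the stack path, large `len` the heap path. Returns 1 on success. */
int process_token_selftest(size_t len) {
    char *in = malloc(len ? len : 1);
    if (!in) return 0;
    memset(in, 'q', len);
    char *out = process_token(in, len);
    int ok = out != NULL && strlen(out) == len;
    for (size_t i = 0; ok && i < len; i++) ok = out[i] == 'Q';
    free(in);
    free(out);
    return ok;
}

int main(void) {
    printf("small input (stack path): %s\n", process_token_selftest(16) ? "ok" : "FAIL");
    printf("large input (heap path):  %s\n", process_token_selftest(1u << 20) ? "ok" : "FAIL");
    return 0;
}
```

The point of the split is that the only number that decides the stack footprint is the compile-time constant, not anything derived from input; the heap path can fail with NULL, which the caller can handle, whereas an oversized alloca has no failure mode other than a crash or worse.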
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox