[12262] in bugtraq
Re: execve bug linux-2.2.12
daemon@ATHENA.MIT.EDU (ben@VALINUX.COM)
Mon Oct 18 13:43:47 1999
Message-Id: <199910161730.KAA00720@trill.valinux.com>
Date: Sat, 16 Oct 1999 10:30:29 -0700
Reply-To: ben@VALINUX.COM
From: ben@VALINUX.COM
X-To: Alan Cox <alan@lxorguk.ukuu.org.uk>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Sat, 16 Oct 1999 14:22:02 BST."
<E11cTmd-0005ta-00@the-village.bc.nu>
Per popular demand here is some more information on the bug I've been
observing. I'm sorry. I wish I had thought to include this in my
original post:
Here is one ltrace fragment where my program only corrupts one of the
parameters:
[pid 578] execv("/bin/grep", 0x7ffffcdc <unfinished ...>
[pid 578] __libc_start_main(0x0804a4e0, 200, 0x7fffb3a4, 0x08048bf4, 0x080516dc <unfinished ...>
[pid 578] --- SIGSEGV (Segmentation fault) ---
[pid 578] +++ killed by SIGSEGV +++
--- SIGCHLD (Child exited) ---
Here is some information from gdb:
(gdb) core-file /tmp/core
Core was generated by `H=>8> -#/gg_ v6?Ej18`H}RtU {Jzd:s7&a:BI3^HmQtQ::k
XAtk:W'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_")
at ../sysdeps/generic/getenv.c:88
../sysdeps/generic/getenv.c:88: No such file or directory.
(gdb) bt
#0 0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_")
at ../sysdeps/generic/getenv.c:88
#1 0x2aae689b in __secure_getenv (name=0x2aba8560 "MALLOC_TRIM_THRESHOLD_")
at secure-getenv.c:29
#2 0x2ab1e2e0 in ptmalloc_init () at malloc.c:1689
#3 0x2aade211 in __libc_preinit (argc=200, argv=0x7fffb3a4, envp=0x7fffb6c8)
at set-init.c:26
#4 0x2aade030 in __libc_start_main (main=0x804a4e0 <strcpy+5500>, argc=200,
argv=0x7fffb3a4, init=0x8048bf4, fini=0x80516dc <strcpy+34680>,
rtld_fini=0x2aab5ad4 <_dl_fini>, stack_end=0x7fffb39c)
at ../sysdeps/generic/libc-start.c:68
(gdb)
This was just one run. There were other runs where more interesting
things happened. There was one in particular where the pointer to init
was corrupted but I haven't been able to reproduce that one yet.
I put the source code for the program I was debugging at the time when
I stumbled into this at:
"ftp://ftp.bastille-linux.org/bastille/broken-fuzz.c.gz". Note: this
is not a working program!!! Do not take this as a release. I have
since fixed many bugs in it. I coded it up and was in the process of
making it work for the first time when I stumbled across this
problem. In its current form its only purpose is to demonstrate the
problem that I saw. To trigger the problem simply run the program with
the -ba option and the name of your favorite executable, e.g.
"./fuzz -ba grep"
-ben