[12276] in bugtraq
Re: execve bug linux-2.2.12
daemon@ATHENA.MIT.EDU (Matt Chapman)
Tue Oct 19 15:19:40 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991019040629.A2423@cifs.org>
Date: Tue, 19 Oct 1999 04:06:29 +1000
Reply-To: Matt Chapman <matty@CIFS.ORG>
From: Matt Chapman <matty@CIFS.ORG>
X-To: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E11cTmd-0005ta-00@the-village.bc.nu>
On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
>
> I would certainly be interested in an example that caused this.
#include <unistd.h>
#include <errno.h>
#define BADPTR (char *)0x10 /* for example */
int main(int argc, char **argv, char **envp)
{
char *args[7];
int i;
args[0] = "su";
for (i = 1; i < 6; i++) {
args[i] = BADPTR;
}
args[6] = NULL;
execve("/bin/su", args, envp);
printf("%s\n", strerror(errno));
return 1;
}
This program (on my system at least 5 bad arguments are needed) reproducibly
dies with SIGSEGV on 2.2.12. A similarly configured system with kernel 2.0.36
correctly reports EFAULT.
This would not normally be a problem, however... the above program will not
dump core for an ordinary user, only root, which makes me believe that the
fault occurs after the process has gained the root euid from /bin/su.
A gdb trace suggests the usual heap corruption in glibc, which does not
seem to be related to the arguments passed to execve (as long as they
are bad), so I doubt this is exploitable. However it is most likely a bug
somewhere.
Matt
--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member
