[8511] in bugtraq
Re: [Linux] klogd 1.3-22 buffer overflow
daemon@ATHENA.MIT.EDU (Cory Visi)
Thu Nov 12 13:25:20 1998
Date: Wed, 11 Nov 1998 13:36:35 -0500
Reply-To: Cory Visi <visi@CMU.EDU>
From: Cory Visi <visi@CMU.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.00.9809101023330.545-100000@lcamtuf.ids.pl>
This problem is also present in klogd 1.3-25 which ships with RedHat 5.2.
I'm not sure how exploitable it is, but here's some range checking that
will patch to the latest versions:
--- klogd.c.orig Wed Nov 11 12:47:16 1998
+++ klogd.c Wed Nov 11 13:03:20 1998
@@ -465,6 +465,11 @@
if ( index == 0 )
memset(line, '\0', sizeof(line));
+
+ if (len >= sizeof(line)) {
+ len = sizeof (line) - 1;
+ *(ptr + len) = '\0';
+ }
while (len) {
nl = strpbrk(ptr, "\r\n"); /* Find first line terminator */
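Review bot: the bound in the added check ignores `index`. The `if ( index == 0 ) memset(...)` just above shows that `line` still holds a partial line from the previous read whenever `index` is non-zero, so clamping `len` to `sizeof(line) - 1` leaves `index + len` free to exceed the buffer if the copy below appends at `line + index`; compare against the remaining room instead, e.g. `if (len >= sizeof(line) - index)`. Note also that `strpbrk(ptr, "\r\n")` in the loop scans to the NUL, not to `len`, so the `*(ptr + len) = '\0'` write (which the message admits modifies the reference parameter) is what actually stops the scan; a length-bounded search for the terminator would remove the need to write into the caller's buffer at all.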
I'm not completely happy with this, as it modifies the reference parameter,
ptr, but it will solve the problem. However, later on:
ExpandKadds(line, eline)
Where eline is the same size as line. I think the real solution is to make
sure the buffer is larger (LOG_LINE_LENGTH) like Michal said, and make sure
modules and programs don't generate absurdly long messages, because you
can't be certain how much room is necessary for the expanded symbols. It
would be nice if ExpandKadds() allocated memory dynamically, but it doesn't.
On Thu, 10 Sep 1998, Michal Zalewski wrote:
-=(>Good morning,
-=(>
-=(>This time - buffer overflow in Linux klogd daemon from sysklogd-1.3
-=(>package (up to release 22 - affects Red Hat 5.x and Slackware 3.x, no data
-=(>about other distributions).
-=(>
-=(>The problem:
-=(>
-=(>Kernel messages are stored in a 4 kB cyclic printk ring. Klogd reads this
-=(>buffer using /proc/kmsg into a 4 kB long buffer, that's good. But then, the
-=(>data is split into lines by copying data until '\n' is reached. What a pity,
-=(>the line buffer is only 1 kB long - sometimes, it's not enough... Exploitable?
-=(>Could be...
-=(>
-=(>Solution:
-=(>
-=(>In klog.c, at the beginning, there are two '#define's. The first one is
-=(>responsible for the main buffer size - don't change it, 4096 should be ok. The
-=(>next one is the line buffer size - hmm, replace 1024 with 4096, for example...
-=(>Or, better, implement some range checking ;>
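A bounded line splitter that carries a partial line across reads, added here as an example and not sysklogd's code or the patch above: it covers both the 1 kB line buffer Michal describes and the bytes already carried over from an earlier read, which a length check on a single read does not account for. The splitter API, run_demo and tally are assumptions of this example; LOG_LINE_LENGTH is only used as a name.

```c
#include <string.h>
#define LOG_LINE_LENGTH 1024   /* klogd's line buffer size, per the thread */
/* Splitter state standing in for klogd's static line[] and index (assumed API). */
struct splitter { char line[LOG_LINE_LENGTH]; size_t fill; int truncated; };
/* Feed len bytes from one read of the kernel ring. Each copy is bounded by the
 * room left after the carried-over bytes; the excess of an oversized line is
 * dropped, never written, so no read size can overrun line[]. */
size_t split_lines(struct splitter *s, const char *buf, size_t len,
                   void (*emit)(const char *line, int cut, void *ctx), void *ctx)
{
    size_t emitted = 0;
    while (len > 0) {
        size_t n = 0;                       /* bounded scan for CR or LF */
        while (n < len && buf[n] != '\n' && buf[n] != '\r')
            n++;
        size_t room = sizeof(s->line) - 1 - s->fill;    /* keep room for NUL */
        size_t take = n < room ? n : room;
        memcpy(s->line + s->fill, buf, take);
        s->fill += take;
        if (take < n) s->truncated = 1;
        if (n == len) return emitted;       /* no terminator yet: keep partial */
        s->line[s->fill] = '\0';
        emit(s->line, s->truncated, ctx);
        emitted++;
        s->fill = 0; s->truncated = 0;
        buf += n + 1;                       /* step past the terminator */
        len -= n + 1;
    }
    return emitted;
}
/* Constructed demo: a 3000-byte line with no newline, delivered across two
 * reads, then a short line. Returns counts the reader can check. */
struct demo_result { size_t lines, cut, longest; };
static void tally(const char *l, int cut, void *ctx)
{
    struct demo_result *r = ctx;
    r->lines++; r->cut += cut != 0;
    if (strlen(l) > r->longest) r->longest = strlen(l);
}
struct demo_result run_demo(void)
{
    char input[3007];
    struct splitter s = { {0}, 0, 0 }; struct demo_result r = { 0, 0, 0 };
    memset(input, 'A', 3000);
    memcpy(input + 3000, "\nshort\n", 7);
    split_lines(&s, input, 2000, tally, &r);           /* first read */
    split_lines(&s, input + 2000, 1007, tally, &r);    /* second read */
    return r;
}
```

The demo delivers the oversized line as 2000 bytes and then 1000 bytes plus its newline; the second read finds no room left and is dropped rather than appended, so the emitted line is exactly 1023 bytes and flagged as cut.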