[15953] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #8671] minor bug in ksu

daemon@ATHENA.MIT.EDU (Tavis Ormandy via RT)
Tue Apr 24 12:13:49 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Tavis Ormandy via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8671@krbdev.mit.edu>
Message-ID: <rt-8671-48420.15.250661657276@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8671'":;
Date: Tue, 24 Apr 2018 12:13:38 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

Hello, I was looking at ksu and noticed this code from
src/clients/ksu/main.c in the 1.16 distribution assumes that argc cannot be
zero, but at least on Linux that is not true - if you pass NULL for argv to
execve(), argc will be zero.

        target_user = xstrdup(argv[1]);
        pargc = argc -1;

        if ((pargv =(char **) calloc(pargc +1,sizeof(char *)))==NULL){
            com_err(prog_name, errno, _("while allocating memory"));
            exit(1);
        }

        pargv[pargc] = NULL;
        pargv[0] = argv[0];

        for(i =1; i< pargc; i ++){
            pargv[i] = argv[i + 1];
        }
    }

I think this will just crash, because of the strdup(NULL), but if that
succeeds on any platform this code will write NULL to pargv[-1], causing
heap corruption.

(on linux execve("/usr/bin/ksu", NULL, NULL) will make argc zero, if you
want to test)

Thanks, Tavis.

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home help back first fref pref prev next nref lref last post