 Relationships |
|
| Anonymous | Login | Signup for a new account | 11-10-2008 12:40 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0004574 | [BusyBox] Other | minor | always | 08-13-08 17:55 | 08-15-08 14:03 | ||||
| Reporter | cristic | View Status | public | ||||||
| Assigned To | BusyBox | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | svn | ||||||
| Summary | 0004574: Invalid read in envdir, invalid read in envdir, setuidgid, envuidgid (2 bugs) | ||||||||
| Description |
./envdir - reads invalid memory. This calls chpst_main(argc=2, argv={"anvdir", "-"}) in chpst.c: 195: if ((ENABLE_CHPST && applet_name[0] == 'c') 196: || (ENABLE_SOFTLIMIT && applet_name[1] == 'o') ) { ... } else { 214: option_mask32 = opt = 0; 215: argv++; } // envdir? 219: if (ENABLE_ENVDIR && applet_name[3] == 'd') { 220: env_dir = *argv++; 221: opt |= OPT_e; } // setuidgid? if (ENABLE_SETUIDGID && applet_name[0] == 's') { 226: set_user = *argv++; opt |= OPT_u; } // envuidgid? 231: if (ENABLE_ENVUIDGID && applet_name[0] == 'e') { 232: env_user = *argv++; opt |= OPT_U; } // we must have PROG [ARGS] 237: if (!*argv) In this code, argv is incremented three times, on lines 215, 220, and 232, so the dereference on line 237 is buggy. On line 232 argv is incremented incorrectly, as the applet name is not envuidgid. The fix has to differentiate between applet_name being envdir or envuidgid. Another bug in the code, which affects all of envdir, setuidgid, envuidgid, is that an argument is required, but this is not enforced. That is, if any of these applications is called w/o any arguments, argv will still be incorrectly incremented past the end of the array on lines 215, 220, or 226. Thanks, Cristian |
||||||||
| Additional Information | |||||||||
| Attached Files | |||||||||
|
|
|||||||||
|
Relationships |
|
|
Notes |
|
|
(0010464) vda 08-15-08 14:03 |
fixed in rev 23086, thanks |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 08-13-08 17:55 | cristic | New Issue | |
| 08-13-08 17:55 | cristic | Status | new => assigned |
| 08-13-08 17:55 | cristic | Assigned To | => BusyBox |
| 08-15-08 14:03 | vda | Status | assigned => closed |
| 08-15-08 14:03 | vda | Note Added: 0010464 | |
| 08-15-08 14:03 | vda | Resolution | open => fixed |
| 08-15-08 14:03 | vda | Fixed in Version | => svn |
| Copyright © 2000 - 2006 Mantis Group |  |
