ID | Category | Severity | Reproducibility | Date Submitted | Last Update
0004684 | [BusyBox] Other | crash | always | 08-21-08 21:18 | 08-23-08 16:16
Reporter | cristic
View Status | public
Assigned To | BusyBox
Priority | normal
Resolution | fixed
Status | closed
Product Version | svn
Summary | 0004684: linux32/linux64/setarch buffer overflows
Description |

Test cases:

    <full-path>/linux32 -
    <full-path>/linux64 -
    ./setarch "" ""

    15: int setarch_main(int argc UNUSED_PARAM, char **argv)
        {
            int pers = -1;
            ...
        retry:
    25:     if (argv[0][5] == '6') /* linux64 */
                pers = PER_LINUX;
    27:     else if (argv[0][5] == '3') /* linux32 */
                pers = PER_LINUX32;
    29:     else if (pers == -1 && argv[1] != NULL) {
                pers = PER_LINUX32;
    31:         ++argv;
                goto retry;
            }

Consider <full-path>/linux32: one of the root problems is that argv[0] can be the full path to the program, so testing argv[0][5] is not always meaningful.

When <full-path>/linux32 is called, the test on setarch.c:25 fails, as does the one on line 27. The one on line 29 succeeds, so argv is incremented, and execution jumps back to line 25. Now argv[0] is "-", so testing argv[0][5] causes a buffer overflow.

The cases for linux64 and setarch are similar.

Thanks,
Cristian
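An added example, not BusyBox's code and not the fix that was applied for this issue: one way to pick the personality without indexing at a fixed offset is to compare the basename of argv[0], and otherwise argv[1], as whole strings. The names select_personality, base_name and name_to_pers and the EX_PER_* stand-in constants are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in values for this example; real code takes PER_LINUX and
 * PER_LINUX32 from <sys/personality.h>. */
enum { EX_PER_LINUX = 0, EX_PER_LINUX32 = 8 };

/* Final path component, so "/usr/bin/linux32" is treated as "linux32". */
static const char *base_name(const char *s)
{
    const char *slash = strrchr(s, '/');
    return slash ? slash + 1 : s;
}

/* Map a complete name to a personality, or -1 if unknown. strcmp() stops
 * at the terminating NUL, so "" and "-" never cause a read past the end. */
static int name_to_pers(const char *name)
{
    if (strcmp(name, "linux64") == 0)
        return EX_PER_LINUX;
    if (strcmp(name, "linux32") == 0)
        return EX_PER_LINUX32;
    return -1;
}

/* Returns the personality, or -1 on a usage error. *skip is set to the
 * number of argv entries consumed before the command to run. */
int select_personality(char **argv, int *skip)
{
    int pers;

    *skip = 0;
    if (argv == NULL || argv[0] == NULL)
        return -1;
    /* Invoked through a linux32/linux64 link: the name decides. */
    pers = name_to_pers(base_name(argv[0]));
    if (pers != -1) {
        *skip = 1;
        return pers;
    }
    /* Invoked as setarch: the personality is named by argv[1]. */
    if (argv[1] == NULL)
        return -1;
    pers = name_to_pers(argv[1]);
    if (pers != -1)
        *skip = 2;
    return pers;
}
```

With the three test cases from the report, the full-path invocations resolve by name and `./setarch "" ""` is rejected as a usage error instead of reading beyond a short string.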