 Relationships |
|
| Anonymous | Login | Signup for a new account | 11-10-2008 12:43 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0004684 | [BusyBox] Other | crash | always | 08-21-08 21:18 | 08-23-08 16:16 | ||||
| Reporter | cristic | View Status | public | ||||||
| Assigned To | BusyBox | ||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | svn | ||||||
| Summary | 0004684: linux32/linux64/setarch buffer overflows | ||||||||
| Description |
Test cases: <full-path>/linux32 - <full-path>/linux64 - ./setarch "" "" 15: int setarch_main(int argc UNUSED_PARAM, char **argv) { int pers = -1; ... retry: 25: if (argv[0][5] == '6') /* linux64 */ pers = PER_LINUX; 27: else if (argv[0][5] == '3') /* linux32 */ pers = PER_LINUX32; 29: else if (pers == -1 && argv[1] != NULL) { pers = PER_LINUX32; 31: ++argv; goto retry; } Consider <full-path>/linux32: one of the root problems is that argv[0] can be the full path to the program, so testing argv[0][5] is not always meaningful. When <full-path>/linux32 is called, the test on setarch.c:25 fails, as does the one on line 27. The one on line 29 succeeds, so argv is incremented, and execution jumps back to line 25. Now argv[0] is "-", so testing argv[0][5] causes a buffer overflow. The cases for linux64 and setarch are similar. Thanks, Cristian |
||||||||
| Additional Information | |||||||||
| Attached Files | |||||||||
|
|
|||||||||
|
Relationships |
|
|
Notes |
|
|
(0010624) cristic 08-21-08 21:23 |
Checked "crash" by mistake, but this does not cause a crash. BTW, I noticed there's no help associated with linux32 and linux64. It would be useful to add the help from setarch "Set 32bit uname emulation" and "Set 64bit uname emulation" respectively. |
|
(0010704) vda 08-23-08 16:16 |
fixed in rev 23189, thanks |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 08-21-08 21:18 | cristic | New Issue | |
| 08-21-08 21:18 | cristic | Status | new => assigned |
| 08-21-08 21:18 | cristic | Assigned To | => BusyBox |
| 08-21-08 21:23 | cristic | Note Added: 0010624 | |
| 08-23-08 16:16 | vda | Status | assigned => closed |
| 08-23-08 16:16 | vda | Note Added: 0010704 | |
| 08-23-08 16:16 | vda | Resolution | open => fixed |
| 08-23-08 16:16 | vda | Fixed in Version | => svn |
| Copyright © 2000 - 2006 Mantis Group |  |
