Re: [Linux] klogd 1.3-22 buffer overflow

From: Cory Visi (visiat_private)
Date: Wed Nov 11 1998 - 10:36:35 PST


    This problem is also present in klogd 1.3-25 which ships with RedHat 5.2.
    I'm not sure how exploitable it is, but here's some range checking that
    will patch to the latest versions:
    
    --- klogd.c.orig        Wed Nov 11 12:47:16 1998
    +++ klogd.c     Wed Nov 11 13:03:20 1998
    @@ -465,6 +465,11 @@
    
            if ( index == 0 )
                    memset(line, '\0', sizeof(line));
    +
    +        if (len >= sizeof(line)) {
    +                len = sizeof (line) - 1;
    +                *(ptr + len) = '\0';
    +        }
    
            while (len) {
                    nl = strpbrk(ptr, "\r\n"); /* Find first line terminator */
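Review bot: the new bound checks only the incoming `len`, not the bytes already accumulated in `line`; the `if ( index == 0 ) memset(...)` just above indicates that `index` can be non-zero on entry (a line continued from a previous read), so `index + len` can still exceed `sizeof(line)` even when `len` alone passes the test. Suggest bounding on the accumulated total, e.g. `if (index + len >= sizeof(line))`, and trimming how much of `ptr` is copied rather than writing `'\0'` into the caller's buffer through `ptr`, which the author already flags as undesirable. Note also that the truncation drops the tail of the oversized message silently; a counter or a one-line notice would make the condition visible in the logs.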
    
    I'm not completely happy with this, as it modifies the reference parameter,
    ptr, but it will solve the problem. However, later on:
    
    ExpandKadds(line, eline)
    
    Where eline is the same size as line. I think the real solution is to make
    sure the buffer is larger (LOG_LINE_LENGTH) like Michal said, and make sure
    modules and programs don't generate absurdly long messages, because you
    can't be certain how much room is necessary for the expanded symbols. It
    would be nice if ExpandKadds() allocated memory dynamically, but it doesn't.
    
         .-.        ,~~-.      .-~~-.
     ~._'_.'        \_   \    /      `~~-
       |              `~- \  /
       `.__.-'ory          \/isi
    
    On Thu, 10 Sep 1998, Michal Zalewski wrote:
    
    -=(>Good morning,
    -=(>
    -=(>This time - buffer overflow in Linux klogd daemon from sysklogd-1.3
    -=(>package (up to release 22 - affects Red Hat 5.x and Slackware 3.x, no data
    -=(>about other distributions).
    -=(>
    -=(>The problem:
    -=(>
    -=(>Kernel messages are stored in 4 kB cyclic printk ring. Klogd reads this
    -=(>buffer using /proc/kmsg to 4 kB long buffer, that's good. But then, data
    -=(>is split into lines, by copying data until '\n' is reached. What a pity,
    -=(>line buffer is only 1 kB long - sometimes, it's not enough... Exploitable?
    -=(>Could be...
    -=(>
    -=(>Solution:
    -=(>
    -=(>In klog.c, at the beginning, there are two '#define's. First one is
    -=(>responsible for main buffer size - don't change it, 4096 should be ok. The
    -=(>next one is line buffer size - hmm, replace 1024 with 4096, for example...
    -=(>Or, better, implement some range checking ;>
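The range checking both messages ask for, as an added example written for this page (not code from either message or from the sysklogd sources): a line splitter in the style of klogd's loop that reads from a 4 kB buffer into a 1 kB line buffer, tracks bytes already accumulated from a previous read (`index`), and truncates rather than overruns when a kernel message is longer than the line buffer. The names `splitter`, `feed` and `run_demo`, the `skipping` flag and the sample input are all assumptions introduced here; the two buffer sizes are the ones the thread gives.

```c
/* Added example, not klogd's own code: bounded line splitting across
 * reads. Buffer sizes follow the thread (4 kB read buffer, 1 kB line). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LOG_BUFFER_LENGTH 4096   /* read buffer, one /proc/kmsg read */
#define LOG_LINE_LENGTH   1024   /* line buffer, the one that overflowed */

struct splitter {
    char   line[LOG_LINE_LENGTH];
    size_t index;      /* bytes already in line[] from earlier reads */
    int    skipping;   /* rest of an over-long line is being dropped */
    size_t lines_out;  /* complete lines handed to the consumer */
    size_t truncated;  /* lines cut to LOG_LINE_LENGTH - 1 bytes */
};

/* Feed one chunk of kernel text. Lines may span chunks, so the bound is
 * on index + bytes-to-copy, not on the chunk length alone. */
static void feed(struct splitter *s, const char *ptr, size_t len,
                 void (*emit)(const char *line, void *arg), void *arg)
{
    while (len) {
        const char *nl = memchr(ptr, '\n', len);
        size_t take = nl ? (size_t)(nl - ptr) : len;  /* bytes before '\n' */

        if (!s->skipping) {
            size_t room = sizeof(s->line) - 1 - s->index;  /* keep NUL space */
            if (take > room) {
                memcpy(s->line + s->index, ptr, room);
                s->index += room;
                s->truncated++;
                s->skipping = 1;   /* drop the rest up to the terminator */
            } else {
                memcpy(s->line + s->index, ptr, take);
                s->index += take;
            }
        }
        ptr += take;
        len -= take;

        if (nl) {
            s->line[s->index] = '\0';
            emit(s->line, arg);
            s->lines_out++;
            s->index = 0;
            s->skipping = 0;
            ptr++;             /* consume the '\n' */
            len--;
        }
    }
}

/* Consumer used by the demo: records the length of each emitted line. */
static void record_len(const char *line, void *arg)
{
    size_t *lens = arg;        /* lens[0] = count, lens[1..8] = lengths */
    if (lens[0] < 8)
        lens[1 + lens[0]] = strlen(line);
    lens[0]++;
}

struct demo_result { size_t lines, truncated, first_len, second_len; };

/* Constructed input (not a real kernel log): a 3000-byte message, longer
 * than the line buffer, delivered across two reads, then a short line. */
static struct demo_result run_demo(void)
{
    static char kmsg[LOG_BUFFER_LENGTH];
    size_t n = 3000;
    memset(kmsg, 'A', n);
    kmsg[n++] = '\n';
    memcpy(kmsg + n, "short line", 10);
    n += 10;
    kmsg[n++] = '\n';

    struct splitter s;
    size_t lens[9] = {0};
    memset(&s, 0, sizeof s);
    feed(&s, kmsg, 1500, record_len, lens);          /* partial first line */
    feed(&s, kmsg + 1500, n - 1500, record_len, lens);

    struct demo_result r = { s.lines_out, s.truncated, lens[1], lens[2] };
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("lines=%zu truncated=%zu first=%zu second=%zu\n",
           r.lines, r.truncated, r.first_len, r.second_len);
    return 0;
}
```

The over-long message is cut to 1023 bytes and counted in `truncated`, so the condition is visible rather than silent, and the short line that follows it is still delivered intact. Widening `LOG_LINE_LENGTH` to 4096, as the original report suggests, removes the truncation for anything a single 4 kB read can hold, but the `index`-aware bound is what keeps a line spanning two reads from overrunning the buffer.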
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:56 PDT