On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
>
> I would certainly be interested in an example that caused this.

#include <stdio.h>   /* printf */
#include <string.h>  /* strerror */
#include <unistd.h>
#include <errno.h>

#define BADPTR (char *)0x10 /* for example */

int main(int argc, char **argv, char **envp)
{
    char *args[7];
    int i;

    args[0] = "su";
    /* fill argv[1..5] with an invalid user-space pointer */
    for (i = 1; i < 6; i++) {
        args[i] = BADPTR;
    }
    args[6] = NULL;

    execve("/bin/su", args, envp);
    /* only reached if execve() fails */
    printf("%s\n", strerror(errno));
    return 1;
}

This program (on my system at least 5 bad arguments are needed)
reproducibly dies with SIGSEGV on 2.2.12. A similarly configured
system with kernel 2.0.36 correctly reports EFAULT.

This would not normally be a problem, however... the above program
will not dump core for an ordinary user, only root, which makes me
believe that the fault occurs after the process has gained the root
euid from /bin/su.

A gdb trace suggests the usual heap corruption in glibc, which does
not seem to be related to the arguments passed to execve (as long as
they are bad), so I doubt this is exploitable. However it is most
likely a bug somewhere.

Matt

--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member
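A regression check built around the reproducer above, added here as an example and not part of the original post: it runs the same execve() call in a child process and reports whether the kernel returned an error (the EFAULT outcome described for 2.0.36) or the child was killed by a signal (the SIGSEGV outcome described for 2.2.12). The function name `probe_bad_argv` and the `/bin/sh` target used in place of `/bin/su` are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define BADPTR ((char *)0x10)  /* same invalid address as the post */

/* Runs execve(path, {"su", BADPTR x nbad, NULL}) in a child process.
 * Returns the errno execve() reported (> 0), the negated signal number
 * if the child was killed (< 0), or 0 if the harness itself failed. */
int probe_bad_argv(const char *path, int nbad)
{
    char *args[16] = { "su" };
    char *envp[] = { NULL };
    int i, status;
    pid_t pid;

    if (nbad < 1 || nbad > 14)
        return 0;
    for (i = 1; i <= nbad; i++)
        args[i] = BADPTR;
    args[nbad + 1] = NULL;

    pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        execve(path, args, envp);   /* returns only on failure */
        _exit(errno & 0xff);        /* hand errno back as the exit status */
    }
    if (waitpid(pid, &status, 0) != pid)
        return 0;
    if (WIFSIGNALED(status))
        return -WTERMSIG(status);   /* the faulting outcome */
    return WEXITSTATUS(status);     /* the clean-error outcome */
}

int main(void)
{
    int r = probe_bad_argv("/bin/sh", 5);  /* assumed stand-in target */
    if (r < 0)
        printf("child killed by signal %d\n", -r);
    else
        printf("execve failed cleanly: %s\n", strerror(r));
    return r == EFAULT ? 0 : 1;
}
```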