On Sat, Oct 16, 1999 at 02:22:02PM +0100, Alan Cox wrote:
>
> I would certainly be interested in an example that caused this.
#include <unistd.h>
#include <errno.h>
#define BADPTR (char *)0x10 /* for example */
int main(int argc, char **argv, char **envp)
{
char *args[7];
int i;
args[0] = "su";
for (i = 1; i < 6; i++) {
args[i] = BADPTR;
}
args[6] = NULL;
execve("/bin/su", args, envp);
printf("%s\n", strerror(errno));
return 1;
}
This program (on my system at least 5 bad arguments are needed) reproducibly
dies with SIGSEGV on 2.2.12. A similarly configured system with kernel 2.0.36
correctly reports EFAULT.
This would not normally be a problem, however... the above program will not
dump core for an ordinary user, only root, which makes me believe that the
fault occurs after the process has gained the root euid from /bin/su.
A gdb trace suggests the usual heap corruption in glibc, which does not
seem to be related to the arguments passed to execve (as long as they
are bad), so I doubt this is exploitable. However it is most likely a bug
somewhere.
Matt
--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:07:55 PDT