-----BEGIN PGP SIGNED MESSAGE-----

Apparently the Linux execve( ) bug is caused by the failure of copy_strings( ) in /usr/src/linux/fs/exec.c to check the return value of strlen_user( ). On error, strlen_user( ) returns zero, and copy_strings( ) blithely copies zero bytes to the argument table of the programme to be execve( )'d, thus effectively removing any bad pointers from argv.

The problem is that argc is not updated, so the missing arguments are taken from the environment string table, and the missing environment strings from whatever happens to be at the top of memory after the string table. When that is exhausted, the rest of the environment pointers point to the end of memory, which causes the SEGVs people have been observing.

I don't see any possible way this bug could affect security, however.

Taneli Huuskonen

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQB1AwUBOA1dkgUw3ir1nvhZAQE0XwL/WqVme0f2OzI39Wu4O+tcj3eIqFMS80lc
IjdaSoiTJmY//n3ku9aaNip+oshorXke/a0LS1peRm+0ZRHv7ir9XXdZIO/9EGFz
2pVPMRxLK+51OxBdn1v213s3rJN/X4w0
=FmvN
-----END PGP SIGNATURE-----

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred. Keys:   | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
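As an added illustration, not part of Huuskonen's post and not the kernel's own code: a small C model of the copy_strings( ) loop he describes. A hypothetical mock_strlen_user( ) stands in for strlen_user( ) and returns 0 for a constructed bad pointer (BAD_USER_PTR); the unchecked variant reproduces the misalignment in the post (a bad argv entry vanishes, argc stays 3, so the new program's argv[2] is the first environment string and the last envp slot points past the table), while the checked variant treats the zero length as the fault it signals and returns -EFAULT. The string table, the argc/envc values and the argument strings are all constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14          /* kernel error value for a bad user pointer */
#define MAX_STRINGS 16

/* Constructed stand-in for an unreadable user pointer; on the real kernel
 * strlen_user() would fault here and return 0. */
#define BAD_USER_PTR ((const char *)0x1)

/* Table copy_strings() fills: argument strings first, then environment
 * strings, in the order the new process's stack will be laid out. */
struct string_table {
    const char *entries[MAX_STRINGS];
    int count;
};

/* Hypothetical model of strlen_user(): length including the NUL, or 0 on a
 * fault, which is the return convention the post describes. */
static size_t mock_strlen_user(const char *p)
{
    if (p == NULL || p == BAD_USER_PTR)
        return 0;
    return strlen(p) + 1;
}

/* Old behaviour: the zero return is not checked, so a faulting pointer
 * becomes a zero-byte copy and the entry silently disappears. */
static int copy_strings_unchecked(int n, const char *const *vec,
                                  struct string_table *t)
{
    for (int i = 0; i < n; i++) {
        size_t len = mock_strlen_user(vec[i]);
        if (len == 0)
            continue;           /* "copies" nothing; no error reported */
        if (t->count >= MAX_STRINGS)
            return -1;
        t->entries[t->count++] = vec[i];
    }
    return 0;
}

/* Fixed behaviour: a zero length means the pointer faulted; abort the exec. */
static int copy_strings_checked(int n, const char *const *vec,
                                struct string_table *t)
{
    for (int i = 0; i < n; i++) {
        size_t len = mock_strlen_user(vec[i]);
        if (len == 0)
            return -EFAULT;
        if (t->count >= MAX_STRINGS)
            return -1;
        t->entries[t->count++] = vec[i];
    }
    return 0;
}

/* What the new program sees as argv[idx]: the table is sliced by the original
 * argc, which was never reduced. Past the copied strings lies "whatever is at
 * the top of memory"; this model returns NULL there. */
static const char *seen_argv(const struct string_table *t, int idx)
{
    return idx < t->count ? t->entries[idx] : NULL;
}

/* envp[idx] starts right after argc entries, again trusting the stale argc. */
static const char *seen_envp(const struct string_table *t, int argc, int idx)
{
    int pos = argc + idx;
    return pos < t->count ? t->entries[pos] : NULL;
}

/* Constructed inputs: one of the three argument pointers is bad. */
static const char *const demo_argv[] = { "prog", BAD_USER_PTR, "-v" };
static const char *const demo_envp[] = { "HOME=/tmp", "PATH=/bin" };
#define DEMO_ARGC 3
#define DEMO_ENVC 2

/* Unchecked path; returns how many strings ended up in the table (4, not 5). */
static int run_unchecked(struct string_table *t)
{
    t->count = 0;
    copy_strings_unchecked(DEMO_ARGC, demo_argv, t);
    copy_strings_unchecked(DEMO_ENVC, demo_envp, t);
    return t->count;
}

/* Checked path; returns the error from the argv copy (-EFAULT). */
static int run_checked(struct string_table *t)
{
    t->count = 0;
    return copy_strings_checked(DEMO_ARGC, demo_argv, t);
}

int main(void)
{
    struct string_table t;
    int n = run_unchecked(&t);
    printf("unchecked: %d strings copied for argc=%d envc=%d\n", n, DEMO_ARGC, DEMO_ENVC);
    for (int i = 0; i < DEMO_ARGC; i++)
        printf("  argv[%d] = %s\n", i, seen_argv(&t, i) ? seen_argv(&t, i) : "(beyond table)");
    for (int i = 0; i < DEMO_ENVC; i++)
        printf("  envp[%d] = %s\n", i, seen_envp(&t, DEMO_ARGC, i) ? seen_envp(&t, DEMO_ARGC, i) : "(beyond table)");
    printf("checked: copy_strings returns %d\n", run_checked(&t));
    return 0;
}
```

The model shows why the symptom is a SEGV rather than a silently wrong argument list: every pointer after the vanished entry shifts down by one, and the final environment pointer reads beyond the copied strings. The checked variant is the shape of the fix, returning -EFAULT from copy_strings( ) so the exec fails instead of building a misaligned stack.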
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:09 PDT