Re: [ Hackerslab bug_paper ] Linux dump buffer overflow

From: Derek Callaway (superat_private)
Date: Wed Mar 01 2000 - 06:58:16 PST


    On Mon, 28 Feb 2000, 김용준 KimYongJun (class of '99) wrote:
    
    > [ Hackerslab bug_paper ] Linux dump buffer overflow
    
    <snip>
    
    > 
    > [loveyou@loveyou SOURCES]$ dump  -f a `perl -e 'print "x" x 556'`
    >   DUMP: Date of this level 0 dump: Mon Feb 28 14:45:01 2000
    >   DUMP: Date of last level  dump: the epoch
    >   DUMP: Dumping xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to a
    > xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: File name too long while opening filesystem
    >   DUMP: SIGSEGV: ABORTING!
    > Segmentation fault
    > 
    
    <snip>
    
    Could this be a problem with glibc, as well? 
    
    [super@white dump]$ pwd
    /usr/src/redhat/SOURCES/dump-0.4b4/dump
    [super@white dump]$ echo -e "ru -0 `perl -e 'print "A"x5000;'`\nbt" | gdb dump
    GNU gdb 4.18
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (gdb) Starting program: /usr/src/redhat/SOURCES/dump-0.4b4/dump/dump -0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    <snipped long string>
    Program received signal SIGSEGV, Segmentation fault.
    getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
    88      ../sysdeps/generic/getenv.c: No such file or directory.
    (gdb) #0  getenv (name=0x40111a70 "") at ../sysdeps/generic/getenv.c:88
    #1  0x400b3f4a in tzset_internal (always=1094795585) at tzset.c:144
    #2  0x400b4ceb in __tz_convert (timer=0xbfffd790, use_localtime=1, tp=0x4011e4e0) at tzset.c:575
    #3  0x400b08bc in localtime (t=0xbfffd790) at localtime.c:43
    #4  0x400b07f8 in ctime (t=0xbfffd790) at ctime.c:32
    #5  0x804adde in main (argc=1094795585, argv=0x41414141) at main.c:355
    (gdb) [super@white dump]$
    
    From this gdb session, it appears that there _could_ be a problem with
    the way that glibc's time functions behave.
    
    --
    /* Derek Callaway <superat_private> char *sites[]={"http://www.geekwise.com", 
       Programmer; CE Net, Inc. "http://www.freezersearch.com/index.cfm?aff=dhc",
       (302) 837-8769           "http://www.homeworkhelp.org",0};  S@IRC  */
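In frame #5 of the trace above, argc=1094795585 and argv=0x41414141 are the same value (1094795585 is 0x41414141, four 'A' bytes from the command line): gdb reads those arguments relative to main's saved frame, and that frame has been overwritten by the input. Once a frame has been smashed, neither the argument values gdb prints for the callees nor the place where the process finally faults says anything reliable about the function in which the fault occurs. The C program below is an added example, not code from dump or its authors: it puts the unbounded sprintf() pattern that produces such a trace beside a length-checked replacement that fails with ENAMETOOLONG (the same error the report shows for its 556-byte name), and adds a small helper that decodes a backtrace value back to its fill byte. NAMELEN, the function names and the "/dev/hda1" sample input are assumptions.

```c
/* Added example, not code from dump or its authors. NAMELEN, the
 * function names and the "/dev/hda1" sample input are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAMELEN 256   /* assumed size of the on-stack name buffer */

/* Vulnerable pattern: sprintf() with an unbounded %s into a fixed
 * stack buffer. A disk name longer than NAMELEN runs past msg[] over
 * the saved frame pointer and return address (and, with enough input,
 * over the argv/envp area above them), which is what a later backtrace
 * shows as argc/argv full of the input bytes. Kept for illustration
 * only; never call it with an unchecked argument. */
int build_msg_unsafe(const char *disk, const char *tape, char *out, size_t outlen)
{
    char msg[NAMELEN];
    sprintf(msg, "Dumping %s to %s", disk, tape);   /* no bound on disk */
    snprintf(out, outlen, "%s", msg);
    return 0;
}

/* Hardened form: refuse a name that cannot fit, with the errno the
 * kernel returns for an over-long path, and format with snprintf so
 * the buffer size is enforced even if the check is ever wrong. */
int build_msg_safe(const char *disk, const char *tape, char *out, size_t outlen)
{
    if (strlen(disk) >= NAMELEN)
        return ENAMETOOLONG;
    int n = snprintf(out, outlen, "Dumping %s to %s", disk, tape);
    if (n < 0 || (size_t)n >= outlen)
        return ENAMETOOLONG;              /* output would have been truncated */
    return 0;
}

/* Exercise the check with a name of `len` x's, as the report did with
 * 556 of them; returns the result code of build_msg_safe. */
int check_name_len(size_t len)
{
    char name[8192], out[512];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'x', len);
    name[len] = '\0';
    return build_msg_safe(name, "a", out, sizeof out);
}

/* Build the message with the safe (1) or unsafe (0) routine and report
 * whether it equals `expected`. Only short names go to the unsafe one. */
int msg_matches(int safe, const char *disk, const char *expected)
{
    char out[512];
    int rc = safe ? build_msg_safe(disk, "a", out, sizeof out)
                  : build_msg_unsafe(disk, "a", out, sizeof out);
    return rc == 0 && strcmp(out, expected) == 0;
}

/* Decode a register or argument value from a backtrace: if all four
 * bytes are the same, return that byte (1094795585 == 0x41414141 ->
 * 'A'); otherwise return -1, i.e. not an obvious fill pattern. */
int fill_byte(uint32_t v)
{
    unsigned b = v & 0xffu;
    if (((v >> 8) & 0xffu) != b || ((v >> 16) & 0xffu) != b || (v >> 24) != b)
        return -1;
    return (int)b;
}

int main(int argc, char **argv)
{
    char out[512];
    const char *disk = argc > 1 ? argv[1] : "/dev/hda1";   /* constructed default */
    int rc = build_msg_safe(disk, "a", out, sizeof out);
    if (rc)
        printf("%.40s...: %s while opening filesystem\n", disk, strerror(rc));
    else
        printf("  DUMP: %s\n", out);
    printf("frame #5 argc=1094795585 decodes to fill byte '%c'\n", fill_byte(1094795585u));
    return 0;
}
```

Run it as `./a.out "$(perl -e 'print "x" x 556')"` to see the checked path return ENAMETOOLONG instead of the SIGSEGV in the report; the same argument through build_msg_unsafe would overwrite its own frame.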
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:35 PDT