-----BEGIN PGP SIGNED MESSAGE-----
Actually it isn't a buffer overflow at all. Slocate can be crashed with "slocate -r A -c A" as well, no need to feed 1024 A's.
If you had taken a look at the code instead of guessing from gdb backtraces, you could've wound up about here:
int j = optind;
int i = 0;
if (REGEXP)
while (SLOCATE_PATH && (database = SLOCATE_PATH[i++]))
res |= decode_db(database, regexp_opt);
while (j < args) {
/* while ((database = SLOCATE_PATH[i++])) res |= decode_db(database, argv[j++]);
i = 0;
* A Bug fix by Hans-Juergen Godau <godau@wi-inf.uni-essen.de>
* Prevents segfault when using multiple databases */
while (SLOCATE_PATH && (database = SLOCATE_PATH[i++]))
res |= decode_db(database, argv[j]);
i = 0; j += 1;
}
Where you would have noticed that if both a regular expression and normal search arguments are provided, variable i used as an index into SLOCATE_PATH is out of bounds after the regular expression search and thus the next loop will feed random values as string pointers to decode_db(). Which will fail the open, try to report the error and once of a sudden finds itself reading from non-mapped addresses. Which generates a nice protection fault.
So even though you can crash slocate, it is not a trivially exploitable buffer overflow, and it probably isn't exploitable at all.
The bug can be fixed by putting the i = 0; in the second loop before the inner SLOCATE_PATH loop, even though the way options are parsed might be reconsidered as well.
On Thu, 2003-01-30 at 16:02, xbuggyxat_private wrote:
> The exploitation is trivial ,but with libsafe this buffer
> overflow doesn't work:
>
> (gdb) bt
> #0 0x0018fb88 in _IO_vfprintf (s=0xbffff6ec,
> format=0x804c215 "%s: decode_db(): %s: %s\n", ap=0xbffff854)
> at ../sysdeps/i386/i486/bits/string.h:530
> #1 0x0012b47c in _IO_vfprintf () from /lib/libsafe.so.2
> #2 0x001b1304 in _IO_vsnprintf (string=0x8056d28 "slocate: decode_db():
> ", maxlen=4096, format=0x804c215 "%s: decode_db(): %s: %s\n",
> args=0xbffff84c) at vsnprintf.c:130
> #3 0x0012b715 in vsnprintf () from /lib/libsafe.so.2
> #4 0x0804be26 in strcpy ()
> #5 0x0804ab5e in strcpy ()
> #6 0x0804b8e0 in strcpy ()
> #7 0x00154657 in __libc_start_main (main=0x804b340 <strcpy+9116>, argc=5,
> ubp_av=0xbffffad4, init=0x8048c1c <last_use+131884472>,
> fini=0x804bf50 <strcpy+12204>, rtld_fini=0x11dcd4 <_dl_fini>,
> stack_end=0xbffffacc) at ../sysdeps/generic/libc-start.c:129
> (gdb)
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlgEARECABgFAj45hGYRHHRxYUBodXNobWFpbC5jb20ACgkQrEuaaeyMVAUPhQCgoXCA
n2jF4OSj6O+ZIAIdA+/3cWsAn1M61yqKj7EZx2TvzxnoRXtSd8eE
=D37o
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 13:00:22 PST