[BusyBox 0004174]: handle_errors() buffer underflow

bugs at busybox.net
Wed Jul 16 23:11:52 UTC 2008


The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=4174 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4174
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             07-16-2008 16:11 PDT
Last Modified:              07-16-2008 16:11 PDT
====================================================================== 
Summary:                    handle_errors() buffer underflow
Description: 
In handle_errors() (libbb/bb_strtonum.c), the line "if (endptr[-1] == '-')"
can lead to a buffer underflow, and the outcome of the branch will usually
depend on uninitialized memory.  Here is an example that triggers the bug:

chmod a.b c

This leads to a call to bb_strtoul("a", NULL, 10), which calls
strtoul("a", &endptr, 10), which will set endptr to point to the beginning
of the buffer storing "a".  Then endptr is passed to handle_errors(), which
is illegally examining endptr[-1].

Looking at the code, I was confused about the comment on the "weird"
feature. Is that still needed?  On my libc, calling strtol("-", &endptr,
10) sets endptr as expected to the beginning of the buffer storing "-", so
that particular if statement doesn't seem to be needed at all.

BTW, this bug can be hit by various other tools, here are some other
examples:
kill -l a
printf "% *" B
setuidgid a ""

Thanks,
Cristian

====================================================================== 
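The mechanism the report describes, as an added illustration that is not BusyBox's code: when strtoul() consumes no characters it sets endptr back to the start of the string, so an unconditional endptr[-1] check reads the byte before the buffer. The unsafe function below reproduces that pattern, the hardened one refuses to look behind the start, and the demo places a constructed '-' byte in front of the string (standing in for whatever normally sits there) so the misread is deterministic rather than undefined.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Number of bytes strtoul() consumed; 0 means no conversion happened,
 * and POSIX then guarantees endptr == str. */
ptrdiff_t consumed_bytes(const char *str)
{
    char *endptr;
    (void)strtoul(str, &endptr, 10);
    return endptr - str;
}

/* The pattern from the report: endptr[-1] is examined unconditionally.
 * With no conversion, endptr == str and this reads one byte before the
 * string, i.e. memory that does not belong to it. */
bool unsafe_saw_minus(const char *str)
{
    char *endptr;
    (void)strtoul(str, &endptr, 10);
    return endptr[-1] == '-';
}

/* Hardened form: only look back when at least one byte was consumed. */
bool safe_saw_minus(const char *str)
{
    char *endptr;
    (void)strtoul(str, &endptr, 10);
    if (endptr == str)
        return false;
    return endptr[-1] == '-';
}

/* Constructed input: the string "a" (as in `chmod a.b c`) placed directly
 * after a '-' byte we control. Returns true when the unsafe check is fooled
 * by that neighbouring byte while the hardened check is not. */
bool demo_underflow_misreads(void)
{
    char storage[] = "-a";          /* storage + 1 is the string "a" */
    const char *str = storage + 1;
    return unsafe_saw_minus(str) && !safe_saw_minus(str);
}

int main(void)
{
    return demo_underflow_misreads() ? 0 : 1;
}
```

Running the unsafe variant under a sanitizer or valgrind on a heap-allocated "a" flags the one-byte read before the allocation, which is the signal a defender would look for when auditing similar endptr handling.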

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-16-08 16:11  cristic        New Issue                                    
07-16-08 16:11  cristic        Status                   new => assigned     
07-16-08 16:11  cristic        Assigned To               => BusyBox         
======================================================================