0004574: Invalid read in envdir, invalid read in envdir, setuidgid, envuidgid (2 bugs)

Cristian Cadar cristic at stanford.edu
Thu Aug 14 01:19:58 UTC 2008


Reported at: http://bugs.busybox.net/view.php?id=4574

./envdir -
reads invalid memory.

This calls chpst_main(argc=2, argv={"envdir", "-"}) in chpst.c:

195:	if ((ENABLE_CHPST && applet_name[0] == 'c')
196:	 || (ENABLE_SOFTLIMIT && applet_name[1] == 'o')
	) {
...
	} else {
214:		option_mask32 = opt = 0;
215:		argv++;
	}

	// envdir?
219:	if (ENABLE_ENVDIR && applet_name[3] == 'd') {
220:		env_dir = *argv++;
221:		opt |= OPT_e;
	}

	// setuidgid?
	if (ENABLE_SETUIDGID && applet_name[0] == 's') {
226:		set_user = *argv++;
		opt |= OPT_u;
	}

	// envuidgid?
231:	if (ENABLE_ENVUIDGID && applet_name[0] == 'e') {
232:		env_user = *argv++;
		opt |= OPT_U;
	}

	// we must have PROG [ARGS]
237:	if (!*argv)


In this code, argv is incremented three times, on lines 215, 220, and
232, so the dereference on line 237 is buggy.  On line 232 argv is
incremented incorrectly, as the applet name is not envuidgid.  The fix
has to differentiate between applet_name being envdir or envuidgid.

Another bug in the code, which affects all of envdir, setuidgid,
envuidgid, is that an argument is required, but this is not enforced.
That is, if any of these applications is called without any arguments, argv
will still be incorrectly incremented past the end of the array on lines
215, 220, or 226, and later dereferenced on line 237.

Thanks,
Cristian
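The two defects above share one root cause: each `*argv++` consumes an argument without first checking that one is left, and the applet dispatch tests a single character of applet_name, so "envdir" also satisfies the "envuidgid" branch. The following C program is an added example (not BusyBox code and not the fix that was committed) showing a hardened form of the same argument consumption: a helper that refuses to advance past the terminating NULL, a full-string applet match, and a status return instead of a dereference. The option bits, struct layout and function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not BusyBox code.  Option bits and names are assumptions. */
enum { OPT_e = 1, OPT_u = 2, OPT_U = 4 };

struct chpst_args {
    unsigned opt;
    const char *env_dir;   /* envdir DIR        */
    const char *set_user;  /* setuidgid USER    */
    const char *env_user;  /* envuidgid USER    */
    char **prog;           /* PROG [ARGS], or NULL when parsing failed */
};

/* Consume the next argv element.  Unlike an unconditional *argv++, this
 * returns NULL and leaves argv untouched when the array is exhausted, so
 * the caller can never walk past the terminating NULL. */
static const char *take_arg(char ***argvp)
{
    if (**argvp == NULL)
        return NULL;
    return *(*argvp)++;
}

/* Parse "<applet> ARG PROG [ARGS]" for envdir, setuidgid and envuidgid.
 * Returns 0 on success, -1 if the applet is unknown, its required
 * argument is missing, or no PROG follows.  applet_name is compared with
 * strcmp so "envdir" cannot fall into the "envuidgid" branch. */
int chpst_parse(const char *applet_name, char **argv, struct chpst_args *out)
{
    memset(out, 0, sizeof(*out));
    if (argv == NULL || *argv == NULL)
        return -1;
    argv++;                                   /* skip argv[0] */

    if (strcmp(applet_name, "envdir") == 0) {
        if ((out->env_dir = take_arg(&argv)) == NULL)
            return -1;                        /* envdir needs DIR */
        out->opt |= OPT_e;
    } else if (strcmp(applet_name, "setuidgid") == 0) {
        if ((out->set_user = take_arg(&argv)) == NULL)
            return -1;                        /* setuidgid needs USER */
        out->opt |= OPT_u;
    } else if (strcmp(applet_name, "envuidgid") == 0) {
        if ((out->env_user = take_arg(&argv)) == NULL)
            return -1;                        /* envuidgid needs USER */
        out->opt |= OPT_U;
    } else {
        return -1;                            /* not one of the three applets */
    }

    /* we must have PROG [ARGS] */
    if (*argv == NULL)
        return -1;
    out->prog = argv;
    return 0;
}

/* Small wrappers so the outcome of a parse can be inspected by name. */
static struct chpst_args last;

int chpst_try(const char *applet_name, char **argv)
{
    return chpst_parse(applet_name, argv, &last);
}

const char *chpst_last_env_dir(void)  { return last.env_dir; }
const char *chpst_last_env_user(void) { return last.env_user; }
const char *chpst_last_prog(void)     { return last.prog ? last.prog[0] : NULL; }

int main(void)
{
    /* Constructed command lines mirroring the report: the first two are the
     * crashing cases, the last two are well-formed invocations. */
    char *bad1[] = { "envdir", "-", NULL };
    char *bad2[] = { "setuidgid", NULL };
    char *ok1[]  = { "envdir", "/etc/env", "prog", "arg", NULL };
    char *ok2[]  = { "envuidgid", "svc", "prog", NULL };

    printf("envdir -            -> %d\n", chpst_try("envdir", bad1));
    printf("setuidgid           -> %d\n", chpst_try("setuidgid", bad2));
    printf("envdir DIR PROG     -> %d (prog=%s)\n", chpst_try("envdir", ok1), chpst_last_prog());
    printf("envuidgid USER PROG -> %d (user=%s)\n", chpst_try("envuidgid", ok2), chpst_last_env_user());
    return 0;
}
```

The invocations from the report (`envdir -`, or any of the three applets with no arguments) now return -1 before any element past the NULL terminator is touched; this is the behaviour a fix must preserve regardless of how the real dispatch is written.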
