0004684: linux32/linux64/setarch buffer overflows
Denys Vlasenko
vda.linux at googlemail.com
Sat Aug 23 22:59:10 UTC 2008
On Friday 22 August 2008 06:26, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4684
>
> Test cases:
> <full-path>/linux32 -
> <full-path>/linux64 -
> ./setarch "" ""
>
> 15: int setarch_main(int argc UNUSED_PARAM, char **argv)
> {
>     int pers = -1;
>     ...
>  retry:
> 25:     if (argv[0][5] == '6') /* linux64 */
>             pers = PER_LINUX;
> 27:     else if (argv[0][5] == '3') /* linux32 */
>             pers = PER_LINUX32;
> 29:     else if (pers == -1 && argv[1] != NULL) {
>             pers = PER_LINUX32;
> 31:         ++argv;
>             goto retry;
>         }
>
> Consider <full-path>/linux32: one of the root problems is that argv[0]
> can be the full path to the program, so testing argv[0][5] is not always
> meaningful.
>
> When <full-path>/linux32 is called, the test on setarch.c:25 fails, as
> does the one on line 27. The one on line 29 succeeds, so argv is
> incremented, and execution jumps back to line 25. Now argv[0] is "-",
> so testing argv[0][5] causes a buffer overflow. The cases for linux64
> and setarch are similar.
Please try the attached patch.
> BTW, I noticed there's no help associated with linux32 and linux64.
> It would be useful to add the help from setarch "Set 32bit uname
> emulation" and "Set 64bit uname emulation" respectively.
I hesitate to do it since this will enlarge the binary.
--
vda
Attachment: 1.patch (text/x-diff, 1621 bytes): http://lists.busybox.net/pipermail/busybox/attachments/20080824/b1776d37/attachment.bin
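A hardened variant of the selection logic quoted in the report, added here as an illustration; it is neither the patch attached to this mail nor busybox's own code. It compares the applet name (the part of argv[0] after the last '/') and the ARCH word as whole strings, so no fixed offset is ever read from a word shorter than six bytes such as "-" or "". The PERS_* values and the pick_personality/applet_name names are assumptions standing in for the kernel's PER_LINUX/PER_LINUX32.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for the kernel's PER_LINUX / PER_LINUX32 codes;
 * real code takes them from <sys/personality.h>. */
enum { PERS_UNSET = -1, PERS_LINUX = 0, PERS_LINUX32 = 8 };

/* Part of argv[0] after the last '/', so /usr/bin/linux32 == "linux32". */
static const char *applet_name(const char *arg0)
{
    const char *slash = strrchr(arg0, '/');
    return slash ? slash + 1 : arg0;
}

/* Pick the personality by comparing whole words instead of probing
 * argv[0][5], which reads past the end of short words such as "-" or "".
 * Accepts { linux32|linux64, PROG, ... } and { setarch, ARCH, PROG, ... }.
 * *consumed gets the count of leading words used; PERS_UNSET on error. */
int pick_personality(char **argv, int *consumed)
{
    int pers, used = 0;
    const char *name = argv[0] ? applet_name(argv[0]) : "";

    if (strcmp(name, "setarch") == 0) {
        if (argv[1] == NULL)
            return PERS_UNSET;        /* setarch without an ARCH word */
        name = argv[1];               /* ARCH is compared as a whole */
        used = 1;
    }
    if (strcmp(name, "linux64") == 0)
        pers = PERS_LINUX;
    else if (strcmp(name, "linux32") == 0)
        pers = PERS_LINUX32;
    else
        return PERS_UNSET;            /* "", "-", empty argv, unknown name */
    used++;
    if (argv[used] == NULL)
        return PERS_UNSET;            /* nothing left to execute */
    if (consumed)
        *consumed = used;
    return pers;
}

int main(int argc, char **argv)
{
    int n, pers = pick_personality(argv, &n);
    if (argc < 1 || pers == PERS_UNSET)
        return fputs("usage: linux32|linux64 PROG...  or  setarch ARCH PROG...\n", stderr), 1;
    printf("personality %d, program %s\n", pers, argv[n]);
    return 0;
}
```

The three test cases from the report (a full-path linux32/linux64 with "-" as the only argument, and setarch "" "") all take the whole-string path and either select a personality or fail cleanly, never reading beyond the argument.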