0004684: linux32/linux64/setarch buffer overflows

Denys Vlasenko vda.linux at googlemail.com
Sat Aug 23 22:59:10 UTC 2008


On Friday 22 August 2008 06:26, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4684
> 
> Test cases:
> <full-path>/linux32 -
> <full-path>/linux64 -
> ./setarch "" ""
> 
> 15: int setarch_main(int argc UNUSED_PARAM, char **argv)
>     {
>         int pers = -1;
>     ...
>     retry:
> 25:     if (argv[0][5] == '6') /* linux64 */
>             pers = PER_LINUX;
> 27:     else if (argv[0][5] == '3') /* linux32 */
>             pers = PER_LINUX32;
> 29:     else if (pers == -1 && argv[1] != NULL) {
>             pers = PER_LINUX32;
> 31:         ++argv;
>             goto retry;
>         }
> 
> Consider <full-path>/linux32: one of the root problems is that argv[0]
> can be the full path to the program, so testing argv[0][5] is not always
> meaningful. 
> 
> When <full-path>/linux32 is called, the test on setarch.c:25 fails, as
> does the one on line 27. The one on line 29 succeeds, so argv is
> incremented, and execution jumps back to line 25. Now argv[0] is "-",
> so testing argv[0][5] causes a buffer overflow. The cases for linux64
> and setarch are similar.

Please try attached patch.

> BTW, I noticed there's no help associated with linux32 and linux64. 
> It would be useful to add the help from setarch "Set 32bit uname
> emulation" and "Set 64bit uname emulation" respectively.

I hesitate to do it since this will enlarge the binary.
--
vda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.patch
Type: text/x-diff
Size: 1621 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20080824/b1776d37/attachment.bin 
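The attached patch is not visible on this page, so the following is an added example written for this page, not BusyBox code and not the fix Denys posted. It shows one bounds-safe way to do what the quoted `setarch_main` tries to do: take the basename of argv[0] (so a full path like `/usr/bin/linux32` still matches), compare whole strings instead of indexing `argv[0][5]`, and inspect each string exactly once with no `goto retry` loop, so `-` or `""` can never be read past its terminator. The `PER_LINUX`/`PER_LINUX32` values, the `SETARCH_ERR` return code and the function names are this example's own assumptions; `personality()`/`execvp()` are deliberately not called, the function only decides what would be done.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not BusyBox code.  PER_LINUX / PER_LINUX32 mirror the
 * values in Linux's <sys/personality.h> but are defined locally
 * (assumption) so the example builds on any platform.
 */
#define PER_LINUX   0x0000
#define PER_LINUX32 0x0008
#define SETARCH_ERR (-1)   /* hypothetical usage-error code */

/* Strip any leading directory: /usr/bin/linux32 and ./linux32 both
 * resolve to "linux32".  argv[0] is the caller's choice, not ours. */
static const char *applet_name(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Full-string compare, so "" or "-" can never be indexed past the end. */
static int arch_to_pers(const char *word)
{
    if (strcmp(word, "linux64") == 0) return PER_LINUX;
    if (strcmp(word, "linux32") == 0) return PER_LINUX32;
    return SETARCH_ERR;
}

/*
 * Decide the personality for an argv vector.  On success returns
 * PER_LINUX or PER_LINUX32 and advances *argvp to the program to run
 * (argv+1 for the linux32/linux64 applet names, argv+2 for
 * "setarch <arch> <program>").  On any usage error returns SETARCH_ERR
 * and leaves *argvp untouched.  Every string is looked at exactly once.
 */
static int setarch_personality(char ***argvp)
{
    char **argv = *argvp;
    int pers;

    if (argv == NULL || argv[0] == NULL)
        return SETARCH_ERR;

    /* Invoked through the linux32 / linux64 applet names (or symlinks) */
    pers = arch_to_pers(applet_name(argv[0]));
    if (pers != SETARCH_ERR) {
        if (argv[1] == NULL)            /* nothing to exec */
            return SETARCH_ERR;
        *argvp = argv + 1;
        return pers;
    }

    /* Invoked as "setarch <arch> <program> ...": the arch word is argv[1] */
    if (argv[1] == NULL || argv[2] == NULL)
        return SETARCH_ERR;
    pers = arch_to_pers(argv[1]);
    if (pers == SETARCH_ERR)
        return SETARCH_ERR;
    *argvp = argv + 2;
    return pers;
}

/* Stand-alone demo: replays the three invocations from the bug report
 * plus one well-formed call.  Inputs are constructed; nothing is exec'd. */
int main(void)
{
    char *cases[][4] = {
        { "/usr/bin/linux32", "-",       NULL,    NULL },
        { "/usr/bin/linux64", "-",       NULL,    NULL },
        { "./setarch",        "",        "",      NULL },
        { "setarch",          "linux64", "uname", NULL },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        char **prog = cases[i];
        int pers = setarch_personality(&prog);
        if (pers == SETARCH_ERR)
            printf("%-18s -> usage error\n", cases[i][0]);
        else
            printf("%-18s -> pers=%#x, exec \"%s\"\n",
                   cases[i][0], pers, prog[0]);
    }
    return 0;
}
```

With the full path and `-` from the report, the applet name is matched by basename and `-` is simply handed on as the program to exec (where the exec would fail cleanly); `./setarch "" ""` is rejected as a usage error instead of indexing a zero-length string. Whatever the real BusyBox patch does, the check to look for in review is the same: no character of argv[0] or argv[1] is read at a fixed offset without first knowing the string is at least that long.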

