0004684: linux32/linux64/setarch buffer overflows
Cristian Cadar
cristic at stanford.edu
Mon Aug 25 06:08:08 UTC 2008
----- "Denys Vlasenko" <vda.linux at googlemail.com> wrote:
> On Friday 22 August 2008 06:26, Cristian Cadar wrote:
> > http://bugs.busybox.net/view.php?id=4684
> >
> > Test cases:
> > <full-path>/linux32 -
> > <full-path>/linux64 -
> > ./setarch "" ""
> >
> > 15: int setarch_main(int argc UNUSED_PARAM, char **argv)
> > {
> >     int pers = -1;
> >     ...
> >  retry:
> > 25:     if (argv[0][5] == '6') /* linux64 */
> >             pers = PER_LINUX;
> > 27:     else if (argv[0][5] == '3') /* linux32 */
> >             pers = PER_LINUX32;
> > 29:     else if (pers == -1 && argv[1] != NULL) {
> >             pers = PER_LINUX32;
> > 31:         ++argv;
> >             goto retry;
> >         }
> >
> > Consider <full-path>/linux32: one of the root problems is that argv[0]
> > can be the full path to the program, so testing argv[0][5] is not always
> > meaningful.
> >
> > When <full-path>/linux32 is called, the test on setarch.c:25 fails, as
> > does the one on line 27. The one on line 29 succeeds, so argv is
> > incremented, and execution jumps back to line 25. Now argv[0] is "-",
> > so testing argv[0][5] causes a buffer overflow. The cases for linux64
> > and setarch are similar.
>
> Please try attached patch.
Thanks, I tested it and didn't find any other memory errors.
--Cristian
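For readers following the thread: the defect is an out-of-bounds read, not a write. `argv[0][5]` is evaluated whether or not `argv[0]` has six bytes, and after the `++argv; goto retry` it is evaluated on the user-supplied word `"-"`. The example below is added here as an illustration; it is not the busybox code and not Denys's patch (which is not reproduced on this page). It shows the safe shape of the same dispatch: take the basename of `argv[0]` and compare whole strings with `strcmp`, which stops at the terminator, so `"-"`, `""` or a full path can never be indexed past the end. The constant values mirror `<sys/personality.h>`; the function name `choose_personality`, the `rest` out-parameter and the one-skip rule for the `setarch <arch>` form are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values as in <sys/personality.h>, defined here so the example builds
 * stand-alone. Constructed example, not the busybox source. */
#define PER_LINUX   0x0000
#define PER_LINUX32 0x0008

/* Last path component of p. strrchr stops at the NUL, so this never
 * reads past a short string such as "-" or "". */
static const char *base_name(const char *p)
{
    const char *slash = strrchr(p, '/');
    return slash ? slash + 1 : p;
}

/* Decide the personality from argv without indexing argv[0][5] blindly.
 * Accepts the three invocation forms setarch supports:
 *   linux32 cmd ...            -> PER_LINUX32, rest = {cmd, ...}
 *   /path/to/linux64 cmd ...   -> PER_LINUX,   rest = {cmd, ...}
 *   setarch linux32 cmd ...    -> PER_LINUX32, rest = {cmd, ...}
 * Exactly one unrecognised leading word (the "setarch" name itself) is
 * skipped; anything else yields -1 so the caller can print usage instead
 * of guessing. *rest receives the remaining argument vector. */
int choose_personality(char **argv, char ***rest)
{
    int pers = -1;
    int skipped = 0;

    while (argv[0] != NULL) {
        const char *name = base_name(argv[0]);
        ++argv;                                   /* consume this word */
        if (strcmp(name, "linux64") == 0) { pers = PER_LINUX;   break; }
        if (strcmp(name, "linux32") == 0) { pers = PER_LINUX32; break; }
        /* Unrecognised word: the architecture name must come next, so
         * allow one skip and stop after that (no unbounded retry). */
        if (skipped++)
            break;
    }
    if (rest)
        *rest = argv;
    return pers;
}

int main(void)
{
    /* The three reported test cases, constructed here as argv vectors. */
    char *cases[][4] = {
        { "/usr/bin/linux32", "-",  NULL, NULL },
        { "/usr/bin/linux64", "-",  NULL, NULL },
        { "./setarch",        "",   "",   NULL },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char **rest;
        int pers = choose_personality(cases[i], &rest);
        printf("%-20s -> pers=%d, next word=%s\n", cases[i][0], pers,
               rest[0] ? rest[0] : "(none)");
    }
    return 0;
}
```

Each of the three inputs from the bug report now produces either a personality with the remaining words, or -1, and valgrind reports no invalid reads because no code path dereferences a fixed offset into an unchecked string.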