[vamos-dev] [PATCH 1/3] fix literal error warning

Michael Conrad mconrad at intellitree.com
Mon Sep 10 17:08:00 UTC 2012


On 9/10/2012 12:36 PM, Michael Conrad wrote:
> On 9/10/2012 11:46 AM, Michael Tokarev wrote:
>> On 10.09.2012 19:31, Manuel Zerpies wrote:
>>> Hey guys,
>>>
>>> what about this patch? Is there anyone who can have a look at it?
>>>
>> []
>>>> -            bb_perror_msg(filename);
>>>> +            bb_perror_msg("%s", filename);
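Review bot: the "+" line is the right fix: in the "-" line the user-supplied `filename` is passed in the format slot, so any `%` sequence in a requested name is interpreted as a conversion (the `stat -f "%s"` output of "(null)" quoted later in this thread is exactly that happening). It is worth grepping the same file for other `bb_perror_msg(x)` / `bb_error_msg(x)` calls whose first argument is not a string literal; the GCC warning that motivated the patch flags each of them, and each needs the same `"%s", x` treatment.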
>> Please stop fixing a non-issue.  This GCC warning is wrong.
>> This has been discussed several times, and exactly the same
>> patch has been proposed several times too.
>
> Actually, that half of his patch *is* legitimate.  It's a bug.
>
>   $ ./busybox stat -f "%s"
>   stat: (null): No such file or directory

Furthermore, it could potentially be used in an exploit.  Suppose 
someone has a CGI script that runs "stat -f" on a requested file, and an 
attacker can see the error output.

The attacker can inspect the stack using "%d %d %d %d %d %d..." and then 
maybe find a suitable pair of integers in the stack for "%.*s", which 
could be used to dump out the memory of the busybox process, either to 
prepare a different exploit, or to possibly dump environment variables 
containing passwords or configuration settings.

Luckily, it only affects SELINUX platforms.
(oh the irony)
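As an added illustration (not code from busybox or from anyone in this thread), the two call shapes from the patch reduced to a small C program: `render_vuln` passes a hypothetical user-controlled `filename` as the format, as the "-" line did, and `render_fixed` passes it as the argument to "%s", as the "+" line does. `count_format_args` is also added here: it counts how many variadic arguments a format string would pull off the argument area, which is the quantity the "%d %d %d %d ... %.*s" probing described above depends on. The filename "50%%done" is constructed for the demo; it is chosen because "%%" is the one directive that is well-defined with no arguments, so the vulnerable call can be executed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (the "-" line): the filename itself becomes the format.
 * GCC warns "format not a string literal and no format arguments" here, and
 * the warning is correct.  Only call this with formats that are well-defined
 * without arguments; this demo uses "%%" for that reason. */
int render_vuln(char *out, size_t outlen, const char *filename)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
    return snprintf(out, outlen, filename);
#pragma GCC diagnostic pop
}

/* Fixed shape (the "+" line): the filename is data for "%s", never a format. */
int render_fixed(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "%s", filename);
}

/* Count how many variadic arguments a printf-style format would consume.
 * This is what an attacker controls once a filename reaches the format slot:
 * "%d %d %d %d" reads four words from the argument area, "%.*s" consumes two
 * (a precision and a pointer), "%n" would write through a pointer argument.
 * "%%" consumes nothing.  Returns -1 for a lone trailing '%', which is
 * undefined behaviour for the real printf family. */
int count_format_args(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                     /* literal percent */
        if (*p == '\0')
            return -1;                    /* trailing '%': malformed */
        while (*p && strchr("-+ #0'", *p))  /* flags */
            p++;
        if (*p == '*') {                  /* '*' width pulls an int */
            n++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                  /* precision */
            p++;
            if (*p == '*') {              /* '*' precision pulls an int */
                n++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0')
            return -1;                    /* modifiers but no conversion */
        n++;                              /* the conversion itself */
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *name = "50%%done";        /* constructed filename containing '%' */

    render_vuln(buf, sizeof buf, name);
    printf("vulnerable: %s\n", buf);      /* 50%done  - the name was interpreted */
    render_fixed(buf, sizeof buf, name);
    printf("fixed:      %s\n", buf);      /* 50%%done - copied literally */
    printf("\"%%d %%d %%d %%d %%.*s\" would consume %d stack arguments\n",
           count_format_args("%d %d %d %d %.*s"));
    return 0;
}
```

The audit function is also a quick triage tool: run it over a file name or other untrusted string before it reaches an error-reporting helper, and any non-zero count tells you the string would have been acted on as a format had it landed in the wrong argument slot.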
