[vamos-dev] [PATCH 1/3] fix literal error warning
Michael Conrad
mconrad at intellitree.com
Mon Sep 10 17:08:00 UTC 2012
On 9/10/2012 12:36 PM, Michael Conrad wrote:
> On 9/10/2012 11:46 AM, Michael Tokarev wrote:
>> On 10.09.2012 19:31, Manuel Zerpies wrote:
>>> Hey guys,
>>>
>>> what about this patch? Is there anyone who can have a look at it?
>>>
>> []
>>>> - bb_perror_msg(filename);
>>>> + bb_perror_msg("%s", filename);
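Review bot: the `-` line passes `filename`, an externally supplied string, as the format argument, so any `%` conversion in a file name is parsed by the printf machinery instead of being printed; the `+` line is the correct fix, routing it through a literal `"%s"` so the name is only ever a data argument. The subject "fix literal error warning" undersells it: the warning is the compiler's symptom, the format-string bug is what the `stat -f "%s"` output below demonstrates, and the commit message should say so.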
>> Please stop fixing a non-issue. This GCC warning is wrong.
>> This has been discussed several times, and exactly the same
>> patch has been proposed several times too.
>
> Actually, that half of his patch *is* legitimate. It's a bug.
>
> $ ./busybox stat -f "%s"
> stat: (null): No such file or directory
Furthermore, it could potentially be used in an exploit. Suppose
someone has a CGI script that runs "stat -f" on a requested file, and an
attacker can see the error output.
The attacker can inspect the stack using "%d %d %d %d %d %d..." and then
maybe find a suitable pair of integers in the stack for "%.*s", which
could be used to dump out the memory of the busybox process, either to
prepare a different exploit, or to possibly dump environment variables
containing passwords or configuration settings.
Luckily, it only affects SELINUX platforms.
(oh the irony)
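An added illustration of the two calls in the patch, written for this thread and not taken from busybox: a stand-in for bb_perror_msg() (the names fake_perror_msg, report_old, report_fixed and count_conversions are made up here) shows why the old call is undefined for a name such as "%s" while the fixed call prints it literally, plus a small check that counts the conversions a string would trigger if it were ever used as a format.

```c
/* Added example, not busybox code: a tiny stand-in for bb_perror_msg()
 * showing the '-' and '+' lines of the patch side by side. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Stand-in for bb_perror_msg(): formats like printf into 'out' and appends
 * the errno text, as the real function does when writing to stderr. */
static void fake_perror_msg(char *out, size_t n, int err, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    if (len < 0 || (size_t)len >= n)
        return;
    snprintf(out + len, n - (size_t)len, ": %s", strerror(err));
}

/* The '-' line of the patch: the file name *is* the format string. Any
 * '%' in the name is treated as a conversion that reads a nonexistent
 * argument (undefined behaviour); that is the "(null)" seen in the thread. */
void report_old(char *out, size_t n, const char *filename)
{
    fake_perror_msg(out, n, ENOENT, filename);
}

/* The '+' line of the patch: the file name is a plain argument to "%s",
 * so a name like "%s" is printed verbatim. */
void report_fixed(char *out, size_t n, const char *filename)
{
    fake_perror_msg(out, n, ENOENT, "%s", filename);
}

/* Defensive check: number of printf conversions a string would trigger if
 * it were used as a format ("%%" is a literal percent, not a conversion). */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}
```

For a name with no '%' both calls produce identical text, which is why the bug goes unnoticed until a name such as "%s" arrives; only report_fixed is ever called with such a name here, since the old form is undefined behaviour for it.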