Bugtraq mailing list archives
Re: [Linux] klogd 1.3-22 buffer overflow
From: visi () CMU EDU (Cory Visi)
Date: Wed, 11 Nov 1998 13:36:35 -0500
This problem is also present in klogd 1.3-25 which ships with RedHat 5.2. I'm not sure how exploitable it is, but here's some range checking that will patch to the latest versions:

--- klogd.c.orig Wed Nov 11 12:47:16 1998
+++ klogd.c Wed Nov 11 13:03:20 1998
@@ -465,6 +465,11 @@
   if ( index == 0 )
     memset(line, '\0', sizeof(line));
+
+  if (len >= sizeof(line)) {
+    len = sizeof (line) - 1;
+    *(ptr + len) = '\0';
+  }
   while (len) {
     nl = strpbrk(ptr, "\r\n"); /* Find first line terminator */

I'm not completely happy with this, as it modifies the reference parameter, ptr, but it will solve the problem. However, later on:

ExpandKadds(line, eline)

Where eline is the same size as line. I think the real solution is to make sure the buffer is larger (LOG_LINE_LENGTH) like Michal said, and make sure modules and programs don't generate absurdly long messages, because you can't be certain how much room is necessary for the expanded symbols. It would be nice if ExpandKadds() allocated memory dynamically, but it doesn't.

Cory Visi

On Thu, 10 Sep 1998, Michal Zalewski wrote:

-=(>Good morning,
-=(>
-=(>This time - buffer overflow in Linux klogd daemon from sysklogd-1.3
-=(>package (up to release 22 - affects Red Hat 5.x and Slackware 3.x, no data
-=(>about other distributions).
-=(>
-=(>The problem:
-=(>
-=(>Kernel messages are stored in 4 kB cyclic printk ring. Klogd reads this
-=(>buffer using /proc/kmsg to 4 kB long buffer, that's good. But then, data
-=(>is split into lines, by copying data until '\n' is reached. What a pity,
-=(>line buffer is only 1 kB long - sometimes, it's not enough... Exploitable?
-=(>Could be...
-=(>
-=(>Solution:
-=(>
-=(>In klog.c, at the beginning, there are two '#define's. First one is
-=(>responsible for main buffer size - don't change it, 4096 should be ok. The
-=(>next one is line buffer size - hmm, replace 1024 with 4096, for example...
-=(>Or, better, implement some range checking ;>
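Review bot: the clamp bounds the wrong quantity. `len` at this point is the length of the whole chunk read from /proc/kmsg, and the check sits before the `while (len)` loop that splits that chunk into lines, so a 4 kB chunk made of short lines is cut to `sizeof (line) - 1` bytes and every line after that point is silently dropped, even though none of them would have overflowed. The quantity that needs bounding is the per-line copy, the span from `ptr` to the `nl` that `strpbrk` returns, measured against the space left in `line`. Suggest moving the check inside the loop and bounding each line's copy length against `sizeof(line) - index - 1` rather than `sizeof(line) - 1`: the `if ( index == 0 )` context suggests `line` can already hold `index` bytes of a partial line carried over from the previous read, in which case a 1023-byte copy still overruns. Doing it that way also removes the `*(ptr + len) = '\0'` store into the caller's buffer, which the author already flags as undesirable.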
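As an added illustration of the line-splitting step Michal describes (not code from the post or from sysklogd), here is a bounded splitter: a chunk read from /proc/kmsg is cut into lines of at most LOG_LINE_LENGTH bytes, and a line longer than the buffer is truncated and counted instead of overrunning. The function names and the sample chunk are constructed for the example.

```c
#include <string.h>

#define LOG_LINE_LENGTH 1024   /* the 1 kB line buffer from the report */

/* Copy one line of src into line[] (at most line_size bytes incl. NUL). Returns
 * source bytes consumed, terminator included; *truncated is set if the tail was dropped. */
size_t copy_line(const char *src, size_t src_len,
                 char *line, size_t line_size, int *truncated)
{
    size_t n = 0, out = 0;
    *truncated = 0;
    while (n < src_len && src[n] != '\n' && src[n] != '\r') {
        if (out + 1 < line_size)
            line[out++] = src[n];
        else
            *truncated = 1;      /* past the buffer: drop, never write */
        n++;
    }
    line[out] = '\0';
    if (n < src_len) n++;        /* consume the '\n' or '\r' */
    return n;
}

/* Split a whole chunk into lines as klogd's loop does, but bounded.
 * Returns how many lines did not fit; *lines_out gets the line count. */
int split_chunk(const char *chunk, size_t len, int *lines_out)
{
    char line[LOG_LINE_LENGTH];
    size_t pos = 0;
    int truncated = 0, lines = 0, t;
    while (pos < len) {
        pos += copy_line(chunk + pos, len - pos, line, sizeof line, &t);
        lines++;
        truncated += t;
    }
    *lines_out = lines;
    return truncated;
}

/* Constructed 4 kB chunk: a short line, then a 2000-byte line that is
 * longer than LOG_LINE_LENGTH, as a misbehaving printk caller could emit. */
int demo_truncated_lines(void)
{
    static char chunk[4096];     /* size of the /proc/kmsg read buffer */
    int lines = 0;
    memcpy(chunk, "short line\n", 11);
    memset(chunk + 11, 'A', 2000);
    chunk[2011] = '\n';
    return split_chunk(chunk, 2012, &lines);  /* 1: only the long line lost data */
}
```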