Bugtraq mailing list archives
Re: execve bug linux-2.2.12
From: ben () VALINUX COM (ben () VALINUX COM)
Date: Sat, 16 Oct 1999 10:30:29 -0700
Per popular demand here is some more information on the bug I've been
observing. I'm sorry. I wish I had thought to include this in my
original post:
Here is one ltrace fragment where my program only corrupts one of the
parameters:
[pid 578] execv("/bin/grep", 0x7ffffcdc <unfinished ...>
[pid 578] __libc_start_main(0x0804a4e0, 200, 0x7fffb3a4, 0x08048bf4, 0x080516dc <unfinished ...>
[pid 578] --- SIGSEGV (Segmentation fault) ---
[pid 578] +++ killed by SIGSEGV +++
--- SIGCHLD (Child exited) ---
Here is some information from gdb:
(gdb) core-file /tmp/core
Core was generated by `È=>¸> -#/çg_ v
6¿Ej18àHýR
tU {Êúd:ó7&a:Âɳ^Èí
QtÑ:ºëXAôë:W'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0 0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_")
at ../sysdeps/generic/getenv.c:88
../sysdeps/generic/getenv.c:88: No such file or directory.
(gdb) bt
#0 0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_")
at ../sysdeps/generic/getenv.c:88
#1 0x2aae689b in __secure_getenv (name=0x2aba8560 "MALLOC_TRIM_THRESHOLD_")
at secure-getenv.c:29
#2 0x2ab1e2e0 in ptmalloc_init () at malloc.c:1689
#3 0x2aade211 in __libc_preinit (argc=200, argv=0x7fffb3a4, envp=0x7fffb6c8)
at set-init.c:26
#4 0x2aade030 in __libc_start_main (main=0x804a4e0 <strcpy+5500>, argc=200,
argv=0x7fffb3a4, init=0x8048bf4, fini=0x80516dc <strcpy+34680>,
rtld_fini=0x2aab5ad4 <_dl_fini>, stack_end=0x7fffb39c)
at ../sysdeps/generic/libc-start.c:68
(gdb)
This was just one run. There were other runs where more interesting
things happened. There was one in particular where the pointer to init
was corrupted but I haven't been able to reproduce that one yet.
I put the source code for the program I was debugging at the time when
I stumbled into this at:
"ftp://ftp.bastille-linux.org/bastille/broken-fuzz.c.gz";. Note: this
is not a working program!!! Do not take this as a release. I have
since fixed many bugs in it. I coded it up and was in the process of
making it work for the first time when I stumbled across this
problem. Its its current form its only purpose is to demonstrate the
problem that I saw. To trigger the problem simply run the program with
the -ba option and the name of your favorite exectuable. e.g.
"./fuzz -ba grep"
-ben
Current thread:
- PAM applications running as root (Was Re: WebTrends Enterprise Reporting Server) Darren Moffat (Oct 14)
- Re: PAM applications running as root (Was Re: WebTrends Enterprise Alan Cox (Oct 15)
- OpenLink 3.2 Advisory Tymm Twillman (Oct 15)
- execve bug linux-2.2.12 ben () VALINUX COM (Oct 15)
- Netscape 4.x buffer overflow Michael Breuer (Oct 15)
- Netscape 4.x buffer overflow Max Vision (Oct 18)
- Re: execve bug linux-2.2.12 Perly (Oct 15)
- Re: execve bug linux-2.2.12 visi0n (Oct 15)
- Re: execve bug linux-2.2.12 Alan Cox (Oct 16)
- Re: execve bug linux-2.2.12 ben () VALINUX COM (Oct 16)
- Re: execve bug linux-2.2.12 Matt Chapman (Oct 18)
- Re: execve bug linux-2.2.12 Taneli Huuskonen (Oct 19)
- Re: execve bug linux-2.2.12 Alan Cox (Oct 20)
- Microsoft Security Bulletin (MS99-044) Aleph One (Oct 20)
- Re: execve bug linux-2.2.12 Timo Felbinger (Oct 20)
- CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD Aleph One (Oct 20)
- Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD Richard Trott (Oct 20)
- Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD Chad Price (Oct 21)
- Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD Gregory A Lundberg (Oct 21)
- Netscape 4.x buffer overflow Michael Breuer (Oct 15)
- Remote DoS in Axent's Raptor 6.0 Mike Frantzen (Oct 20)