Bugtraq mailing list archives
Re: execve bug linux-2.2.12
From: ben () VALINUX COM (ben () VALINUX COM)
Date: Sat, 16 Oct 1999 10:30:29 -0700
Per popular demand here is some more information on the bug I've been observing. I'm sorry, I wish I had thought to include this in my original post.

Here is one ltrace fragment where my program only corrupts one of the parameters:

[pid 578] execv("/bin/grep", 0x7ffffcdc <unfinished ...>
[pid 578] __libc_start_main(0x0804a4e0, 200, 0x7fffb3a4, 0x08048bf4, 0x080516dc <unfinished ...>
[pid 578] --- SIGSEGV (Segmentation fault) ---
[pid 578] +++ killed by SIGSEGV +++
--- SIGCHLD (Child exited) ---

Here is some information from gdb:

(gdb) core-file /tmp/core
Core was generated by `È=>¸> -#/çg_ v6¿Ej18àHýRtU {Êúd:ó7&a:Âɳ^ÈíQtÑ:ºëXAôë:W'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_") at ../sysdeps/generic/getenv.c:88
../sysdeps/generic/getenv.c:88: No such file or directory.
(gdb) bt
#0  0x2aae60f6 in getenv (name=0x2aba8562 "LLOC_TRIM_THRESHOLD_") at ../sysdeps/generic/getenv.c:88
#1  0x2aae689b in __secure_getenv (name=0x2aba8560 "MALLOC_TRIM_THRESHOLD_") at secure-getenv.c:29
#2  0x2ab1e2e0 in ptmalloc_init () at malloc.c:1689
#3  0x2aade211 in __libc_preinit (argc=200, argv=0x7fffb3a4, envp=0x7fffb6c8) at set-init.c:26
#4  0x2aade030 in __libc_start_main (main=0x804a4e0 <strcpy+5500>, argc=200, argv=0x7fffb3a4, init=0x8048bf4, fini=0x80516dc <strcpy+34680>, rtld_fini=0x2aab5ad4 <_dl_fini>, stack_end=0x7fffb39c) at ../sysdeps/generic/libc-start.c:68
(gdb)

This was just one run. There were other runs where more interesting things happened. There was one in particular where the pointer to init was corrupted, but I haven't been able to reproduce that one yet.

I put the source code for the program I was debugging at the time when I stumbled into this at: "ftp://ftp.bastille-linux.org/bastille/broken-fuzz.c.gz". Note: this is not a working program!!! Do not take this as a release. I have since fixed many bugs in it.
I coded it up and was in the process of making it work for the first time when I stumbled across this problem. In its current form its only purpose is to demonstrate the problem that I saw. To trigger the problem simply run the program with the -ba option and the name of your favorite executable, e.g. "./fuzz -ba grep".

-ben
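An added example, not the author's fuzz program: a small C harness that re-execs itself with a 200-entry argument vector (the argc seen in the ltrace and gdb output above) and has the child count the argv slots that did not arrive intact, so that argument corruption across execve can be checked for, or ruled out, on a given kernel and libc. The argument pattern and the /proc/self/exe path are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define NARGS  200   /* matches argc=200 in the ltrace/gdb output above */
#define ARGLEN 32

/* Argument i is derived from i alone, so the exec'd child can recompute
 * what it should have received without any shared state. */
static void make_arg(int i, char *out, size_t n)
{
    snprintf(out, n, "arg%03d:%08x", i, 0x5a5a0000u + (unsigned)i);
}

/* Count argv[1..argc-1] entries that differ from the expected pattern
 * (missing, truncated or overwritten). 0 means the vector survived execve. */
int count_corrupt_args(int argc, char **argv)
{
    char expect[ARGLEN];
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        make_arg(i, expect, sizeof expect);
        if (argv[i] == NULL || strcmp(argv[i], expect) != 0)
            bad++;
    }
    return bad;
}

int main(int argc, char **argv)
{
    if (argc > 1) {                 /* child side: check what execve delivered */
        int bad = count_corrupt_args(argc, argv);
        printf("argc=%d, corrupt argv entries=%d\n", argc, bad);
        return bad ? 1 : 0;
    }
    /* parent side: build a 200-entry vector and re-exec this binary with it */
    static char buf[NARGS][ARGLEN];
    char *args[NARGS + 1];
    args[0] = argv[0];
    for (int i = 1; i < NARGS; i++) { make_arg(i, buf[i], sizeof buf[i]); args[i] = buf[i]; }
    args[NARGS] = NULL;
    pid_t pid = fork();
    if (pid == 0) {
        execv("/proc/self/exe", args);  /* Linux-specific path (assumption) */
        perror("execv"); _exit(127);
    }
    int status = 0; waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run it with no arguments; a non-zero exit status from the parent means the child saw at least one argv entry that did not match what was handed to execv.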