Vulnerability Development mailing list archives

Re: Buffer overflow in awk


From: zero <zeroboy () arrakis es>
Date: Sat, 16 Mar 2002 14:04:49 +0100

OpenBSD 3.0

$ awk -f `perl -e 'print "A" x 1022'`
awk: can't open file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 source line number 1 source file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 context is
         >>>  <<<
$


At 03:41 a.m. 15/03/2002 +0000, you wrote:


A buffer overflow exists in awk (named awk on most systems, but actually is gawk/GNU awk) when calling the -f option, to include an awk script, and supplying a filename with a buffer length of 1022 and up.

[root@neural keoki]# awk -f `perl -e 'print "A" x 1022'`
awk: fatal error: internal error
Abort (core dumped)
[root@neural keoki]# awk -f `perl -e 'print "A" x 2048'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: fatal error: internal error
Abort (core dumped)
[root@neural keoki]#

The bug exists in io.c in function do_pathopen

/* do_pathopen --- search $AWKPATH for source file */

static int
do_pathopen(file)
const char *file;
{
    static const char *savepath = NULL;
    static int first = TRUE;
    const char *awkpath;
    char *cp, trypath[BUFSIZ];   /* fixed-size stack buffer, BUFSIZ bytes */
    int fd;

    if (STREQ(file, "-"))
        return (0);

    if (do_traditional)
        return (devopen(file, "r"));

    if (first) {
        first = FALSE;
        if ((awkpath = getenv("AWKPATH")) != NULL && *awkpath)
            savepath = awkpath;  /* used for restarting */
        else
            savepath = defpath;
    }
    awkpath = savepath;

    /* some kind of path name, no search */
    if (ispath(file))
        return (devopen(file, "r"));

    do {
        trypath[0] = '\0';

        /* this should take into account limits on size of trypath */
        /* unbounded: copies one whole AWKPATH element into trypath */
        for (cp = trypath; *awkpath && *awkpath != envsep; )
            *cp++ = *awkpath++;

        if (cp != trypath) {  /* non-null element in path */
            /* add directory punctuation only if needed */
            if (! isdirpunct(*(cp-1)))
                *cp++ = '/';
            /* append filename */
            /* unbounded: appends the full -f argument after the element */
            strcpy(cp, file);
        } else
            /* unbounded: the -f argument alone, no length check either */
            strcpy(trypath, file);
        if ((fd = devopen(trypath, "r")) > INVALID_HANDLE)
            return (fd);

        /* no luck, keep going */
        if (*awkpath == envsep && awkpath[1] != '\0')
            awkpath++;  /* skip colon */
    } while (*awkpath != '\0');
    /*
     * You might have one of the awk paths defined, WITHOUT the current
     * working directory in it. Therefore try to open the file in the
     * current directory.
     */
    return (devopen(file, "r"));
}

It can also be crashed with an env variable as follows



[root@neural keoki]# env AWKPATH=`perl -e 'print "A" x 2048'` awk -f xx
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/e/keoki: fatal error: internal error
Abort (core dumped)
[root@neural keoki]#

This was tested on the FreeBSD platform (fbsd 4.0 && 4.4) against awk (which is actually GNU awk) versions 3.0.6 && 3.0.4

[root@neural keoki]# awk -W version | sed -n '1p'
GNU Awk 3.0.6
[root@neural keoki]#

[root@keoki][~]# awk -W version | sed -n '1p'
GNU Awk 3.0.4
[root@keoki][~]#

This was also tested on Caldera and Mandrake, and worked, but using a significantly higher buffer length.

Shouts: aho, weinberger, kernighan and #ch0wn

-- keoki
-- keoki () techie com
-- http://sleek.cyberarmy.com

mailto:zeroboy () arrakis es
http://www.podergeek.com
http://www.citfi.org
**************************************************
"The further backward you look, the further forward you can see" Winston Churchill
"To win, there are people who must lose" ("Para ganar, hay gente que debe perder")
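The overflow keoki traces to do_pathopen is an unbounded copy: one $AWKPATH element is copied byte by byte into trypath[BUFSIZ], the -f argument is strcpy'd after it, and nothing compares the combined length with BUFSIZ. The bounded rewrite below is an added example and is not gawk's code or anything either poster supplied; TRYPATH_MAX (standing in for trypath[BUFSIZ] with BUFSIZ == 1024 on BSD), the function names, the callback interface and the sample search paths are this example's own assumptions. It performs the same walk (element joined with file, empty element meaning the current directory, file alone tried last) but refuses any candidate that would not fit instead of writing past the buffer, so both of keoki's inputs, a 2048-byte AWKPATH element and a 1022-byte file name, are rejected before any copy happens.

```c
/* Added example, not gawk's code: a bounded version of the $AWKPATH walk in
 * do_pathopen. TRYPATH_MAX, the names and the sample paths are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TRYPATH_MAX 1024  /* assumed: gawk's trypath[BUFSIZ], BUFSIZ == 1024 on BSD */
typedef int (*try_fn)(const char *candidate, void *ctx);

/* Build "<elem>/<file>" into out (capacity cap), adding '/' only when elem does
 * not already end in one. Returns the length, or -1 with errno = ENAMETOOLONG
 * when it would not fit; out is then "" and nothing is written past cap. */
static int build_trypath(const char *elem, size_t elemlen, const char *file,
                         char *out, size_t cap)
{
    size_t flen = strlen(file);
    int sep = (elemlen > 0 && elem[elemlen - 1] != '/');
    size_t total = elemlen + (size_t)sep + flen;
    out[0] = '\0';
    if (total >= cap) {               /* >= keeps room for the NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, elem, elemlen);
    if (sep)
        out[elemlen++] = '/';
    memcpy(out + elemlen, file, flen + 1);
    return (int)total;
}

/* Walk a colon-separated path like do_pathopen: each element joined with
 * file, an empty element meaning the current directory, file alone tried
 * last. Returns the first non-negative result of try(), otherwise -1. */
static int pathsearch(const char *awkpath, const char *file, try_fn try, void *ctx)
{
    char trypath[TRYPATH_MAX];
    const char *p = awkpath;
    int rc;
    if (strchr(file, '/') != NULL)    /* some kind of path name: no search */
        return try(file, ctx);
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* an element that does not fit is skipped, never partially copied */
        if (build_trypath(p, len, file, trypath, sizeof trypath) >= 0 &&
            (rc = try(trypath, ctx)) >= 0)
            return rc;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return try(file, ctx);            /* finally, the current directory */
}

/* Real callback: open the candidate read-only, as devopen(trypath, "r") does. */
int open_ro(const char *candidate, void *ctx)
{
    (void)ctx;
    return open(candidate, O_RDONLY);
}

/* Demo callback: count candidates and report "not found" for each. */
static int count_only(const char *candidate, void *ctx)
{
    (void)candidate;
    ++*(int *)ctx;
    return -1;
}

/* A trailing-slash element must not get a second '/'. */
static int demo_join(void)
{
    char out[TRYPATH_MAX];
    int len = build_trypath("/usr/lib/awk/", 13, "x.awk", out, sizeof out);
    return len == 18 && strcmp(out, "/usr/lib/awk/x.awk") == 0;
}

/* Normal search tries /usr/lib/awk/x.awk, x.awk (empty element),
 * /usr/local/lib/awk/x.awk and finally x.awk: 4 candidates. */
static int demo_candidates(void)
{
    int tried = 0;
    pathsearch("/usr/lib/awk::/usr/local/lib/awk", "x.awk", count_only, &tried);
    return tried;
}

/* keoki's AWKPATH case (2048 'A's): the element is skipped, so only "xx" is tried. */
static int demo_oversize_awkpath(void)
{
    char big[2049];
    int tried = 0;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    pathsearch(big, "xx", count_only, &tried);
    return tried;
}
```

With open_ro as the callback this is a drop-in for the search loop; an oversize file name that survives to the final try(file) goes only to open(), which fails with ENAMETOOLONG or ENOENT instead of smashing the stack.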

