Bugtraq mailing list archives

Re: tcsh overflow


From: phr () DOC IC AC UK (Philip Rowlands)
Date: Fri, 21 May 1999 19:03:11 +0100


arkth wrote:

A few days ago, while there was a discussion about the bash overflow on bugtraq, I
found another overflow in tcsh-6.07.09-1 [ rh 5.2 ].
The problem is in a too long $HOME environment variable [ very old thing -
zgv overflow ]. I don't know if it's a dangerous problem, but like someone
said this shell can be used in some kind of script with SUID, etc.


From the tcsh changelog:

 93. V6.07.12 - 19980918
  90. Avoid buffer overflows in directory code (kim)

Looks like the fault you found was fixed in 6.07.12.

However, I tried the "exploit" given using tcsh 6.08.04, and found that
tcsh still crashes, but this time with a SIGABRT rather than SIGSEGV.

Checking in the source shows:

    /*
     * kim: if the path given is too long abort().
     */
    if (Strlen(cp) >= MAXPATHLEN)
        abort();

i.e. this behaviour is hard coded in deliberately.

This is the stacktrace from GDB:

(gdb) bt
#0  0x40097781 in __kill ()
#1  0x400975af in raise (sig=6) at ../sysdeps/posix/raise.c:27
#2  0x400987bf in abort () at ../sysdeps/generic/abort.c:83
#3  0x804db5b in dcanon (cp=0x80aa808, p=0x80aa808) at sh.dir.c:829
#4  0x80553f5 in dosetenv (v=0x80b2a08, c=0x80b3fc8) at sh.func.c:1402
#5  0x8053c3e in func (t=0x80b3fc8, bp=0x80815d0) at sh.func.c:141
#6  0x805f677 in execute (t=0x80b3fc8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:642
#7  0x805f831 in execute (t=0x80b3fa8, wanttty=22898, pipein=0x0, pipeout=0x0) at sh.sem.c:719
#8  0x804c1ac in process (catch=1) at sh.c:2094
#9  0x804b440 in main (argc=0, argv=0xbffff568) at sh.c:1312



Phil
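As an added illustration (not code from the tcsh source or from this thread): a dcanon()-style bounded copy that applies the same `Strlen(cp) >= MAXPATHLEN` test but rejects the value with an error instead of calling abort(), so an overlong $HOME no longer kills the shell. MAXPATHLEN = 1024 is assumed, and set_home_path / demo_home_check are constructed names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHLEN 1024   /* assumed value on the reporter's platform */

/*
 * Constructed example, not tcsh code. A dcanon()-style routine must place an
 * environment-supplied path into a fixed MAXPATHLEN buffer: 6.07.09 copied it
 * unchecked (overflow), 6.07.12 checks but calls abort(), so an overlong $HOME
 * still kills the shell. Here the same test rejects the value with an error.
 * Returns 0 on success, -1 with errno set when the value is rejected.
 */
int set_home_path(const char *value, char dst[MAXPATHLEN])
{
    const char *nul;
    if (value == NULL || dst == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* Look for the terminator within the limit only: never scan past it. */
    nul = memchr(value, '\0', MAXPATHLEN);
    if (nul == NULL) {               /* i.e. Strlen(value) >= MAXPATHLEN */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, value, (size_t)(nul - value) + 1);   /* fits, NUL included */
    return 0;
}

/* Exercise both paths with a constructed overlong value, as the report did
 * with $HOME. Returns 1 when both behave as intended, 0 otherwise. */
int demo_home_check(void)
{
    char home[MAXPATHLEN] = "";
    char *overlong = malloc(MAXPATHLEN + 1);
    int ok;

    if (overlong == NULL)
        return 0;
    memset(overlong, 'A', MAXPATHLEN);   /* MAXPATHLEN chars: one too many */
    overlong[MAXPATHLEN] = '\0';
    ok = set_home_path("/home/user", home) == 0
      && strcmp(home, "/home/user") == 0
      && set_home_path(overlong, home) == -1 && errno == ENAMETOOLONG
      && strcmp(home, "/home/user") == 0;  /* rejected input left dst intact */
    free(overlong);
    return ok;
}
```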