oss-sec mailing list archives
Re: hardlink(1) has buffer overflows, is unsafe on changing trees
From: Solar Designer <solar () openwall com>
Date: Sat, 22 Oct 2011 04:56:21 +0400
On Fri, Oct 21, 2011 at 03:29:41PM +0530, Huzaifa Sidhpurwala wrote:
On 10/20/2011 08:27 PM, Josh Bressers wrote:The hardlink(1) program from Fedora is susceptible to buffer overflows of fixed-size nambuf1 and nambuf2 buffers when run on a tree with deeply nested directories and/or with long directory or file names. I was able to reproduce the problem (got a segfault) by running the program on a directory containing 20 nested directories with 250-character names.CVE-2011-3630 hardlink buffer overflows https://bugzilla.redhat.com/show_bug.cgi?id=746709FORTIFY_SOURCE should really be able to catch this buffer overflow. The buffer being overflown here in in BSS, But strcat() is used to append to this buffer and __builtin___strcat_chk catches it, resulting in the program being terminated.
Besides the strcpy() and strcat() with obviously known target buffer size, there are also: strcpy (stpcpy (nambuf2, n2), ".$$$___cleanit___$$$"); and: strcpy (p, di->d_name); where "p" points somewhere inside nambuf1. These will just need different reproducers. Alexander
Current thread:
- hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 15)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Josh Bressers (Oct 20)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Huzaifa Sidhpurwala (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Solar Designer (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Huzaifa Sidhpurwala (Oct 23)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Huzaifa Sidhpurwala (Oct 21)
- Re: hardlink(1) has buffer overflows, is unsafe on changing trees Josh Bressers (Oct 20)