oss-sec mailing list archives
Re: hardlink(1) has buffer overflows, is unsafe on changing trees
From: Solar Designer <solar () openwall com>
Date: Sat, 22 Oct 2011 05:19:03 +0400
On Sat, Oct 22, 2011 at 04:56:21AM +0400, Solar Designer wrote:
> strcpy (p, di->d_name); where "p" points somewhere inside nambuf1. These will just need different reproducers.
Actually, I think my proposed reproducer (many nested 250-char dirs) triggers this one and not the strcat(). On one build, hardlink then crashes after dereferencing the "dirs" pointer, which happens to be overwritten with a directory name. On another build (different gcc version and arch), hardlink does not crash (although I think it would on even more nested directories), but reports a ridiculous directory count (so "ndirs" is overwritten).

-D_FORTIFY_SOURCE=2 didn't make a difference here (different program binary, same observed behavior).

Alexander
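A bounded path-building helper of the kind that would replace the unchecked strcpy() this message describes, added here as an illustration and not code from hardlink or from the poster; the struct layout, NAMBUF_SIZE and the function names are assumptions made for the example, and the nested-directory walk is simulated in memory rather than on a real tree:

```c
#include <errno.h>
#include <string.h>

/* Constructed for this example (not hardlink's code): a fixed-size path
 * buffer with a counter right after it, mirroring the nambuf1/ndirs layout
 * the message describes. NAMBUF_SIZE is deliberately small. */
#define NAMBUF_SIZE 64
struct walker {
    char nambuf[NAMBUF_SIZE];  /* stands in for nambuf1 */
    long ndirs;                /* what an unchecked strcpy would clobber */
};

/* Bounded replacement for "strcpy(p, di->d_name)": append "/" + name only
 * if the result plus NUL fits in bufsz. Returns 0 on success; on failure
 * returns -1, sets errno and leaves buf untouched so the caller can skip
 * the entry instead of writing past the buffer. */
int path_append(char *buf, size_t bufsz, const char *name)
{
    size_t blen = strlen(buf), nlen = strlen(name);
    if (blen >= bufsz || name[0] == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    if (nlen + 2 > bufsz - blen) {  /* '/' + name + NUL must fit */
        errno = ENAMETOOLONG;
        return -1;
    }
    buf[blen] = '/';
    memcpy(buf + blen + 1, name, nlen + 1);
    return 0;
}

/* Descend "depth" levels whose names are all complen chars long (the 250-char
 * case from the message). Returns how many levels were accepted before the
 * bound check refused, or -1 if the ndirs counter did not survive. */
int descend_nested(int depth, size_t complen)
{
    struct walker w;
    char name[256];
    int accepted = 0;
    if (complen >= sizeof name) return -1;
    memset(name, 'a', complen);
    name[complen] = '\0';
    strcpy(w.nambuf, ".");
    w.ndirs = 0;
    while (accepted < depth && path_append(w.nambuf, sizeof w.nambuf, name) == 0) {
        accepted++;
        w.ndirs++;
    }
    return w.ndirs == accepted ? accepted : -1;
}
```

With a 64-byte buffer the 250-character components are refused at the first level and the counter behind the buffer stays intact, which is the behaviour a caller should get instead of a silent overwrite.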