Vulnerability Development mailing list archives
Re: [Fwd: Help needed with bufferoverflow in cvs]
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Fri, 22 Feb 2002 10:53:09 -0800
[The crossposting seems to have gotten out of control somewhere along the line. Some CCs changed to BCCs since it is getting off topic.]

On Fri, Feb 22, 2002 at 01:01:36PM -0500, Donald Sharp wrote:

[snip]

> I have insufficient memory. But why would you expect this to be a security hole?

I don't really expect it to be one. It looks like it would be tough to exploit. Here is where things are supposed to be faulting in diff/analyze.c,

    425   p = (int *) xmalloc (filevec[0].equiv_max * (2 * sizeof (int)));
    426   equiv_count[0] = p;
    427   equiv_count[1] = p + filevec[0].equiv_max;
    428   bzero (p, filevec[0].equiv_max * (2 * sizeof (int)));
    429
    430   for (i = 0; i < filevec[0].buffered_lines; ++i)
    431     ++equiv_count[0][filevec[0].equivs[i]];
    432   for (i = 0; i < filevec[1].buffered_lines; ++i)
    433     ++equiv_count[1][filevec[1].equivs[i]];

At 431 in my case. We are actually messing with memory we shouldn't be, but we are not writing arbitrary data to memory, we're incrementing with integer addition, and not in a location that looks easy to manipulate. But getting to the bug stomping, the equivs_max structure member, should not be less than equivs[0],

    (gdb) run -f diff -C111111111111 /export/stable/src/sys/netinet/ip_fw.c
    Starting program: /var/tmp/export/stable/src/gnu/usr.bin/cvs/cvs/cvs -f diff -C111111111111 /export/stable/src/sys/netinet/ip_fw.c
    Index: /export/stable/src/sys/netinet/ip_fw.c
    ===================================================================
    RCS file: /export/ncvs/src/sys/netinet/ip_fw.c,v
    retrieving revision 1.131.2.31
    diff -C111111111111 -r1.131.2.31 ip_fw.c

    Program received signal SIGSEGV, Segmentation fault.
    0x8099b7e in discard_confusing_lines (filevec=0xbfbff38c)
        at /export/stable/src/gnu/usr.bin/cvs/libdiff/../../../../contrib/cvs/diff/analyze.c:431
    (gdb) p filevec[0].equiv_max
    $4 = 694
    (gdb) p filevec[0].buffered_lines
    $5 = 939
    (gdb) p filevec[0].equivs[i]
    $6 = 135420989
    (gdb)

-- 
Crist J. Clark                     |     cjclark () alum mit edu
http://people.freebsd.org/~cjc/    |     cjclark () jhu edu
                                   |     cjc () freebsd org
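The counting loop at analyze.c:431 that the post describes, rewritten with the range check it lacks, as an added example that is neither part of this thread nor the cvs/diff source; the function names and the sample buffers (one of them echoing the gdb values equiv_max 694 and equivs[i] 135420989) are constructed for illustration:

```c
#include <stdio.h>
#include <stdlib.h>

/* Counting of equivalence classes as in discard_confusing_lines() in
 * diff/analyze.c, plus the bounds check the original loop lacks.
 * Hypothetical stand-alone rewrite, not the cvs/diff source. */

/* Index of the first equivs[] entry that is not a valid class number
 * (negative or >= equiv_max), or -1 when every entry is in range. */
long first_bad_equiv(const int *equivs, size_t buffered_lines, int equiv_max)
{
    for (size_t i = 0; i < buffered_lines; ++i)
        if (equivs[i] < 0 || equivs[i] >= equiv_max)
            return (long)i;
    return -1;
}

/* Allocate counts[0..equiv_max) and count how often each class occurs.
 * Returns NULL instead of incrementing outside the buffer when a value
 * is out of range, which is what the loop at analyze.c:431 does. */
int *count_equivs(const int *equivs, size_t buffered_lines, int equiv_max)
{
    if (equiv_max <= 0 || first_bad_equiv(equivs, buffered_lines, equiv_max) >= 0)
        return NULL;
    int *counts = calloc((size_t)equiv_max, sizeof *counts);
    if (counts == NULL)
        return NULL;
    for (size_t i = 0; i < buffered_lines; ++i)
        ++counts[equivs[i]]; /* guaranteed in range by the check above */
    return counts;
}

/* Constructed inputs: four lines in three classes (all valid), and a
 * buffer echoing the gdb values in the post, equiv_max 694 but one entry
 * of 135420989. */
static const int SAMPLE_OK[] = {0, 2, 2, 1};
static const int SAMPLE_BAD[] = {5, 135420989, 7};

int main(void)
{
    int *c = count_equivs(SAMPLE_OK, 4, 3);
    printf("valid: class0=%d class1=%d class2=%d\n", c[0], c[1], c[2]);
    free(c);
    printf("first bad entry at index %ld\n", first_bad_equiv(SAMPLE_BAD, 3, 694));
    printf("count_equivs on bad input returned %s\n",
           count_equivs(SAMPLE_BAD, 3, 694) == NULL ? "NULL" : "a buffer");
    return 0;
}
```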