This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
Re: [Patch] Fix buffer overflow in kill utility
- From: Christopher Faylor <cgf-no-personal-reply-please at cygwin dot com>
- To: cygwin-patches at cygwin dot com
- Date: Sat, 26 Feb 2005 22:03:23 -0500
- Subject: Re: [Patch] Fix buffer overflow in kill utility
- References: <422133BC.62A176E1@dessent.net>
- Reply-to: cygwin-patches at cygwin dot com
On Sat, Feb 26, 2005 at 06:43:08PM -0800, Brian Dessent wrote:
>
>In kill.cc there exists the possibility to overflow the "char buf[80]"
>array by supplying malformed command line arguments.
>
>An attacker could use this to overwrite the return value on the stack
>and execute arbitrary code, but the amount of space available on the
>stack for shellcode is approx 108 bytes so you'd have to be mighty
>creative to do anything significant with it. A far-fetched scenario
>might be some kind of perl or other CGI script running under Apache that
>somehow allows a user-specified signal name to reach the command line of
>/bin/kill. Emphasis on the "far-fetched" part though.
>
>Example:
>
>$ /bin/kill -s `perl -e 'print "A"x200'`
>Segmentation fault (core dumped)
>
>As far as I can tell from CVS history this has existed in kill.cc since
>its first version (~5 years). Trivial patch below.
>
>2005-02-26 Brian Dessent <brian@dessent.net>
>
> * kill.cc (getsig): Use snprintf to prevent overflowing `buf'.
Thanks for the patch.
Call me old-fashioned, but my first inclination in a case like this would be
to just limit the format spec to avoid overflow. So, I've checked in a patch
which does this.
cgf
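The two remedies discussed in this thread, shown side by side as an added example that is not the kill.cc patch itself: Fix A bounds the copy with snprintf (the approach in the posted ChangeLog), Fix B caps the conversion with a precision in the format spec (the approach cgf describes). The "SIG" prefix, the `SIGBUF` name and the helper functions are assumptions made for the model; only the 80-byte buffer and the 200-byte argument come from the report.

```c
#include <stdio.h>
#include <string.h>

#define SIGBUF 80   /* the "char buf[80]" named in the report */

/* Fix A: bound the copy with snprintf. The return value is the length the
 * full string would have had, so the caller can detect truncation. buf is
 * always NUL-terminated, however long name is. */
int build_signame_snprintf(char buf[SIGBUF], const char *name)
{
    /* Assumption: getsig prepends "SIG" to a bare name such as "TERM". */
    return snprintf(buf, SIGBUF, "SIG%s", name);
}

/* Fix B: limit the format spec instead. "%.76s" lets the conversion emit at
 * most 76 bytes of name, so 3 ("SIG") + 76 + NUL never exceeds 80 bytes. */
int build_signame_precision(char buf[SIGBUF], const char *name)
{
    return sprintf(buf, "SIG%.76s", name);
}

/* Returns 1 if name fits verbatim, 0 if it would have been truncated. A
 * truncated name is rejected rather than looked up, since the truncated
 * form might accidentally match a different signal than the one given. */
int signame_fits(const char *name)
{
    char buf[SIGBUF];
    int n = build_signame_snprintf(buf, name);
    return n >= 0 && n < SIGBUF;
}

/* Drive both fixes with a constructed argument of arg_len 'A' bytes,
 * modelled on the quoted `perl -e 'print "A"x200'` invocation, and return
 * strlen(buf). With either fix the result stays below SIGBUF. */
size_t output_len_for(size_t arg_len, int use_precision)
{
    char arg[512], buf[SIGBUF];
    if (arg_len >= sizeof arg) arg_len = sizeof arg - 1;
    memset(arg, 'A', arg_len);          /* constructed input, not real data */
    arg[arg_len] = '\0';
    if (use_precision) build_signame_precision(buf, arg);
    else build_signame_snprintf(buf, arg);
    return strlen(buf);
}

int main(void)
{
    printf("TERM fits: %d\n", signame_fits("TERM"));
    printf("200 x 'A': snprintf len %zu, precision len %zu\n",
           output_len_for(200, 0), output_len_for(200, 1));
    return 0;
}
```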