This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: [Patch] Fix buffer overflow in kill utility


On Sat, Feb 26, 2005 at 06:43:08PM -0800, Brian Dessent wrote:
>
>In kill.cc there exists the possibility to overflow the "char buf[80]"
>array by supplying malformed command line arguments.
>
>An attacker could use this to overwrite the return value on the stack
>and execute arbitrary code, but the amount of space available on the
>stack for shellcode is approx 108 bytes so you'd have to be mighty
>creative to do anything significant with it.  A far-fetched scenario
>might be some kind of perl or other CGI script running under Apache that
>somehow allows a user-specified signal name to reach the command line of
>/bin/kill.  Emphasis on the "far-fetched" part though.
>
>Example:
>
>$ /bin/kill -s `perl -e 'print "A"x200'`
>Segmentation fault (core dumped)
>
>As far as I can tell from CVS history this has existed in kill.cc since
>its first version (~5 years.)  Trivial patch below.
>
>2005-02-26  Brian Dessent  <brian@dessent.net>
>
>	* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.

Thanks for the patch.

Call me old-fashioned, but my first inclination in a case like this would be
to just limit the format spec to avoid overflow.  So, I've checked in a patch
which does this.

cgf
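The two fixes discussed in this thread side by side, as an added example that is not Cygwin's kill.cc and not the patch either poster checked in. It assumes the defect class the report describes: a signal name taken from the command line is formatted into a fixed `char buf[80]` with an unbounded `sprintf` (the exact formatting in the real `getsig` is not shown on the page, so that reconstruction is an assumption). The `snprintf` form matches the posted ChangeLog; the precision-limited format spec illustrates the alternative cgf describes. `signal_name_fits`, `limited_length` and `constructed_long_name` are hypothetical helpers added for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 80

/* Hypothetical reconstruction of the pattern the thread describes:
 * a user-supplied signal name is formatted into a fixed char buf[80].
 * This is NOT Cygwin's kill.cc; it only illustrates the defect class. */

/* Vulnerable form: sprintf imposes no bound, so a name longer than
 * BUFSZ - strlen("SIG") - 1 writes past the end of buf. Kept for
 * comparison only; in this file it is never given untrusted input. */
void format_unbounded(char *buf, const char *name)
{
    sprintf(buf, "SIG%s", name);
}

/* Fix 1 (the posted ChangeLog's approach): snprintf bounds the write to
 * the buffer size and always NUL-terminates. It returns the length the
 * full string would have had, which lets the caller detect truncation. */
int format_snprintf(char *buf, size_t bufsz, const char *name)
{
    return snprintf(buf, bufsz, "SIG%s", name);
}

/* Fix 2 (cgf's approach: limit the format spec): a precision on %s caps
 * how many characters of name are copied. The precision must leave room
 * for the "SIG" prefix and the terminating NUL:
 * 80 - 3 ("SIG") - 1 (NUL) = 76 characters of name at most. */
void format_limited(char *buf, const char *name)
{
    sprintf(buf, "SIG%.76s", name);
}

/* Caller-side check: 1 if the name fits in a BUFSZ buffer, 0 if it would
 * be truncated. Either fix stops the overflow; this lets a caller reject
 * the argument outright instead of silently truncating it before a
 * signal-table lookup. */
int signal_name_fits(const char *name)
{
    char buf[BUFSZ];
    int needed = format_snprintf(buf, sizeof buf, name);
    return needed >= 0 && (size_t)needed < sizeof buf;
}

/* Length produced by the precision-limited form, so the bound can be
 * verified directly: never more than BUFSZ - 1. */
size_t limited_length(const char *name)
{
    char buf[BUFSZ];
    format_limited(buf, name);
    return strlen(buf);
}

/* Constructed input mirroring the thread's test case: 200 'A's. */
const char *constructed_long_name(void)
{
    static char name[201];
    memset(name, 'A', 200);
    name[200] = '\0';
    return name;
}

int main(void)
{
    char buf[BUFSZ];
    format_unbounded(buf, "TERM");   /* safe only because "TERM" is short */
    printf("%s -> fits: %d\n", buf, signal_name_fits("TERM"));
    printf("200 x 'A' -> fits: %d, limited length: %zu\n",
           signal_name_fits(constructed_long_name()),
           limited_length(constructed_long_name()));
    return 0;
}
```

With the 200-character input from the report, `signal_name_fits` returns 0 and the precision-limited form yields 79 characters, one short of the buffer size, so neither fix writes past `buf`; the trade-off is that `snprintf` reports the truncation through its return value while the fixed precision silently clips the name.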

