[Patch] Fix buffer overflow in kill utility

Christopher Faylor cgf-no-personal-reply-please@cygwin.com
Sun Feb 27 03:03:00 GMT 2005


On Sat, Feb 26, 2005 at 06:43:08PM -0800, Brian Dessent wrote:
>
>In kill.cc there exists the possibility to overflow the "char buf[80]"
>array by supplying malformed command line arguments.
>
>An attacker could use this to overwrite the return value on the stack
>and execute arbitrary code, but the amount of space available on the
>stack for shellcode is approx 108 bytes so you'd have to be mighty
>creative to do anything significant with it.  A far-fetched scenario
>might be some kind of perl or other CGI script running under Apache that
>somehow allows a user-specified signal name to reach the command line of
>/bin/kill.  Emphasis on the "far-fetched" part though.
>
>Example:
>
>$ /bin/kill -s `perl -e 'print "A"x200'`
>Segmentation fault (core dumped)
>
>As far as I can tell from CVS history this has existed in kill.cc since
>its first version (~5 years.)  Trivial patch below.
>
>2005-02-26  Brian Dessent  <brian@dessent.net>
>
>	* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.

Thanks for the patch.

Call me old-fashioned, but my first inclination in a case like this would be
to just limit the format spec to avoid overflow.  So, I've checked in a patch
which does this.

cgf
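An added illustration of the two bounded forms discussed in this thread, written for this page and not the patch that was actually checked in (which is not shown here). It assumes, as a hypothetical, that getsig formats "SIG" followed by the user-supplied name into the 80-byte buffer; the names BUFSZ, MAX_NAME, try_snprintf and try_precision are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 80        /* the "char buf[80]" from the report */
#define MAX_NAME 76     /* room after "SIG" and before the NUL */
#define STR2(x) #x
#define STR(x) STR2(x)
_Static_assert(3 + MAX_NAME + 1 <= BUFSZ, "\"SIG\" + name + NUL must fit in buf");

/* Approach 1, as in the submitted patch: bound the whole write with snprintf.
 * Rather than truncating silently (a clipped name could later match a different,
 * valid signal), treat "does not fit" as a rejected argument.  Returns the
 * length written, or -1 on rejection. */
int signame_snprintf(char *buf, size_t bufsz, const char *in_sig)
{
    int n = snprintf(buf, bufsz, "SIG%s", in_sig);
    if (n < 0 || (size_t)n >= bufsz) {   /* n is what an unbounded sprintf would write */
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Approach 2, the direction the maintainer describes: keep sprintf but cap the
 * conversion with a precision derived from the buffer size, so at most
 * 3 + 76 + 1 = 80 bytes can ever be written.  Overlong input is clipped, not refused. */
void signame_precision(char buf[BUFSZ], const char *in_sig)
{
    sprintf(buf, "SIG%." STR(MAX_NAME) "s", in_sig);
}

/* Constructed input modelled on the 200 x "A" argument in the report. */
const char *overlong_name(void)
{
    static char name[201];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return name;
}

/* Wrappers owning an 80-byte buffer so each variant can be probed directly. */
static char scratch[BUFSZ];
const char *try_snprintf(const char *s) { return signame_snprintf(scratch, sizeof scratch, s) < 0 ? NULL : scratch; }
size_t try_precision(const char *s) { signame_precision(scratch, s); return strlen(scratch); }

int main(void)
{
    printf("%s\n", try_snprintf("TERM"));                    /* SIGTERM */
    printf("%d\n", try_snprintf(overlong_name()) == NULL);   /* 1: rejected */
    printf("%zu\n", try_precision(overlong_name()));         /* 79: clipped to fit */
    return 0;
}
```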


