[Patch] Fix buffer overflow in kill utility

Christopher Faylor cgf-no-personal-reply-please@cygwin.com
Sun Feb 27 03:03:00 GMT 2005

On Sat, Feb 26, 2005 at 06:43:08PM -0800, Brian Dessent wrote:
>In kill.cc there exists the possibility to overflow the "char buf[80]"
>array by supplying malformed command line arguments.
>An attacker could use this to overwrite the return value on the stack
>and execute arbitrary code, but the amount of space available on the
>stack for shellcode is approx 108 bytes so you'd have to be mighty
>creative to do anything significant with it.  A far-fetched scenario
>might be some kind of perl or other CGI script running under Apache that
>somehow allows a user-specified signal name to reach the command line of
>/bin/kill.  Emphasis on the "far-fetched" part though.
>$ /bin/kill -s `perl -e 'print "A"x200'`       
>Segmentation fault (core dumped)
>As far as I can tell from CVS history this has existed in kill.cc since
>its first version (~5 years.)  Trivial patch below.
>2005-02-26  Brian Dessent  <brian@dessent.net>
>	* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.

Thanks for the patch.

Call me old-fashioned, but my first inclination in a case like this would be
to just limit the format spec to avoid overflow.  So, I've checked in a patch
which does this.


More information about the Cygwin-patches mailing list