Re: [Fwd: Help needed with bufferoverflow in cvs]
From: Crist J. Clark
Subject: Re: [Fwd: Help needed with bufferoverflow in cvs]
Date: Fri, 22 Feb 2002 10:53:09 -0800
User-agent: Mutt/1.2.5i
[The crossposting seems to have gotten out of control somewhere along
the line. Some CCs changed to BCCs since it is getting off topic.]
On Fri, Feb 22, 2002 at 01:01:36PM -0500, Donald Sharp wrote:
[snip]
> I have insufficient memory. But why would you expect this to be a
> security hole?
I don't really expect it to be one. It looks like it would be
tough to exploit. Here is where things are supposed to be faulting in
diff/analyze.c,
425   p = (int *) xmalloc (filevec[0].equiv_max * (2 * sizeof (int)));
426   equiv_count[0] = p;
427   equiv_count[1] = p + filevec[0].equiv_max;
428   bzero (p, filevec[0].equiv_max * (2 * sizeof (int)));
429
430   for (i = 0; i < filevec[0].buffered_lines; ++i)
431     ++equiv_count[0][filevec[0].equivs[i]];
432   for (i = 0; i < filevec[1].buffered_lines; ++i)
433     ++equiv_count[1][filevec[1].equivs[i]];
At 431 in my case. We are actually messing with memory we shouldn't
be, but we are not writing arbitrary data to memory, we're incrementing
with integer addition, and not in a location that looks easy to
manipulate.
But getting to the bug stomping, the equiv_max structure member
should not be less than equivs[0]:
(gdb) run -f diff -C111111111111 /export/stable/src/sys/netinet/ip_fw.c
Starting program: /var/tmp/export/stable/src/gnu/usr.bin/cvs/cvs/cvs -f diff
-C111111111111 /export/stable/src/sys/netinet/ip_fw.c
Index: /export/stable/src/sys/netinet/ip_fw.c
===================================================================
RCS file: /export/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.31
diff -C111111111111 -r1.131.2.31 ip_fw.c
Program received signal SIGSEGV, Segmentation fault.
0x8099b7e in discard_confusing_lines (filevec=0xbfbff38c)
    at /export/stable/src/gnu/usr.bin/cvs/libdiff/../../../../contrib/cvs/diff/analyze.c:431
(gdb) p filevec[0].equiv_max
$4 = 694
(gdb) p filevec[0].buffered_lines
$5 = 939
(gdb) p filevec[0].equivs[i]
$6 = 135420989
(gdb)
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
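The invariant the message points at (every equivs[i] must stay below equiv_max before it is used to index equiv_count) as an added C example; this is constructed illustration code with hypothetical function names, not the cvs source. It keeps the shape of the loop at line 431 but validates all class ids before any write, and the sample inputs reuse the values from the gdb session above.

```c
#include <stdlib.h>

/* Model of the pattern in cvs diff/analyze.c discussed above (constructed
 * example, hypothetical names; not the project's own code): equiv_count is
 * sized by equiv_max, yet each equivs[i] is used as an index into it, so an
 * id >= equiv_max (694 vs 135420989 in the gdb session) writes out of bounds.
 * This version validates every id before the counting loop touches memory.
 * Returns a calloc'd array of equiv_max counts (caller frees), or NULL when
 * any id is out of range or allocation fails. */
int *count_equivs_checked(const int *equivs, int buffered_lines, int equiv_max)
{
    if (equiv_max <= 0 || buffered_lines < 0)
        return NULL;
    /* Check first, write second: no partial update on a bad input. */
    for (int i = 0; i < buffered_lines; ++i)
        if (equivs[i] < 0 || equivs[i] >= equiv_max)
            return NULL;
    int *counts = calloc((size_t)equiv_max, sizeof *counts);
    if (counts == NULL)
        return NULL;
    for (int i = 0; i < buffered_lines; ++i)
        ++counts[equivs[i]];   /* same shape as line 431, now in bounds */
    return counts;
}

/* Constructed well-formed input: six lines in four classes.
 * Returns the count for class `cls`, or -1 if the input was rejected. */
int demo_valid_count(int cls)
{
    static const int equivs[] = {0, 1, 1, 2, 0, 3};
    int *counts = count_equivs_checked(equivs, 6, 4);
    if (counts == NULL)
        return -1;
    int n = (cls >= 0 && cls < 4) ? counts[cls] : -1;
    free(counts);
    return n;
}

/* Constructed input mirroring the crash: equiv_max 694, one id 135420989.
 * Returns 1 when the checked routine refuses it, 0 if it wrongly proceeds. */
int demo_bad_id_rejected(void)
{
    static const int equivs[] = {0, 1, 135420989};
    int *counts = count_equivs_checked(equivs, 3, 694);
    if (counts != NULL) {
        free(counts);
        return 0;
    }
    return 1;
}
```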