[Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19
From: nobody
Subject: [Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19 files
Date: Wed, 30 Oct 2002 01:48:19 -0500
=================== BUG #1551: LATEST MODIFICATIONS ==================
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117
Changes by: Theodore A. Roth <address@hidden>
Date: 2002-Oct-29 22:48 (US/Pacific)
------------------ Additional Bug Attachment ----------------------------
File name: uisp-bug-1551.diff Size:1 KB
proposed fix
http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=126
=================== BUG #1551: FULL BUG SNAPSHOT ===================
Submitted by: None Project: AVR In-System Programmer
Submitted on: 2002-Oct-29 14:38
Category: None Severity: 9 - Critical
Bug Group: None Resolution: None
Assigned to: troth Status: Open
Summary: Buffer overflow causes crash in uisp on some s19 files
Original Submission: From: <address@hidden>
When using --upload or --verify with some .s19 files, uisp segfaults. It turns
out that the segment name contained in these .s19 files is 40 characters long,
and uisp uses a 32-character buffer to store them. This is a security hole -
somebody could give you an .s19 file, and when you attempt to install it on an
atmel, your machine could execute arbitrary code!
Attached is a patch to increase the segment name buffer to 260 characters,
hopefully avoiding this problem. However, my patch does not fix the security
hole - the file reading portion of the uisp code would need a complete rewrite
to get rid of all of the security holes.
Follow-up Comments
*******************
-------------------------------------------------------
Date: 2002-Oct-29 21:33 By: troth
This is particularly nasty since uisp may be run SUID root if the user wishes
to use direct parallel port access.
Could I get a file which causes this behaviour for testing?
CC List
*******
CC Address | Comment
------------------------------------+-----------------------------
address@hidden |
File Attachments
****************
-------------------------------------------------------
Date: 2002-Oct-29 22:48 Name: uisp-bug-1551.diff Size: 1KB By: troth
proposed fix
http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=126
-------------------------------------------------------
Date: 2002-Oct-29 14:38 Name: uisp-buffer-overflow.patch Size: 0KB By: None
http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=125
For detailed info, follow this link:
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117
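
The report above describes a 40-character segment name stored in a 32-character buffer, and notes that enlarging the buffer to 260 does not close the hole. The C code below is an added example, not uisp code and not either attached patch: it rejects an over-long name whatever the buffer size. It assumes the name is the first whitespace-delimited token on a line (the page does not show the file layout); the helper names read_seg_name and try_name_of_length are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy the first whitespace-delimited token of `line`
 * into `out` (capacity `outsz`, including the terminating NUL).
 * Returns 0 on success, -1 if the token is empty or does not fit. */
int read_seg_name(const char *line, char *out, size_t outsz)
{
    size_t start, len;

    if (line == NULL || out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';

    start = strspn(line, " \t");             /* skip leading blanks */
    len = strcspn(line + start, " \t\r\n");  /* length of the name token */

    /* Reject rather than truncate or overflow: the length is checked
     * against the real capacity before a single byte is copied. */
    if (len == 0 || len >= outsz)
        return -1;

    memcpy(out, line + start, len);
    out[len] = '\0';
    return 0;
}

/* Constructed input: a line whose name is `n` characters of 'A', parsed
 * into a buffer of `bufsz` bytes. Returns -2 if the request is out of range. */
int try_name_of_length(size_t n, size_t bufsz)
{
    char line[512];
    char buf[300];

    if (n + 8 > sizeof line || bufsz > sizeof buf)
        return -2;
    memset(line, 'A', n);
    strcpy(line + n, " 0x0000");  /* constructed trailing field */
    return read_seg_name(line, buf, bufsz);
}

int main(void)
{
    printf("40-char name, 32-byte buffer:   %d\n", try_name_of_length(40, 32));
    printf("40-char name, 260-byte buffer:  %d\n", try_name_of_length(40, 260));
    printf("300-char name, 260-byte buffer: %d\n", try_name_of_length(300, 260));
    return 0;
}
```

The third case is the one the submitter points at: a larger buffer accepts the 40-character name but a longer name still has to be refused by a length check.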