[Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19


From: nobody
Subject: [Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19 files
Date: Wed, 30 Oct 2002 18:24:33 -0500

=================== BUG #1551: LATEST MODIFICATIONS ==================
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117

Changes by: Theodore A. Roth <address@hidden>
Date: 2002-Oct-30 15:24 (US/Pacific)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Fixed
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
Here's the ChangeLog entry which includes the fix:

2002-10-30  Theodore A. Roth  <address@hidden>
  (Thanks to Seth LaForge <address@hidden> for pointing out the buffer overflow
   problems.)

        * configure.in (AM_INIT_AUTOMAKE): Bump version.
        * src/Main.C: Add comment about dropping setuid privies.
        * src/AvrAtmel.C: Remove unused variables.
        * src/Makefile.am: Add -Wall and -Werror compile flags.
        * src/MotIntl.C (Htoi): Make sure hex digit is valid.
        (UploadMotorola): Increase size of seg_name[] to avoid buffer overflow.
        (UploadMotorola): Check for possible read past end of line_buf.
        (UploadMotorola): Add case for "S3" records.
        (UploadIntel): Check for possible read past end of line_buf.





=================== BUG #1551: FULL BUG SNAPSHOT ===================


Submitted by: None                      Project: AVR In-System Programmer       
Submitted on: 2002-Oct-29 14:38
Category:  None                         Severity:  9 - Critical                 
Bug Group:  None                        Resolution:  Fixed                      
Assigned to:  troth                     Status:  Closed                         

Summary:  Buffer overflow causes crash in uisp on some s19 files

Original Submission:  From: <address@hidden>

When using --upload or --verify with some .s19 files, uisp segfaults.  It turns 
out that the segment name contained in these .s19 files is 40 characters long, 
and uisp uses a 32-character buffer to store them.  This is a security hole - 
somebody could give you an .s19 file, and when you attempt to install it on an 
atmel, your machine could execute arbitrary code!

Attached is a patch to increase the segment name buffer to 260 characters, 
hopefully avoiding this problem.  However, my patch does not fix the security 
hole - the file reading portion of the uisp code would need a complete rewrite 
to get rid of all of the security holes.

Follow-up Comments
*******************

-------------------------------------------------------
Date: 2002-Oct-30 15:24             By: troth
Here's the ChangeLog entry which includes the fix:

2002-10-30  Theodore A. Roth  <address@hidden>
  (Thanks to Seth LaForge <address@hidden> for pointing out the buffer overflow
   problems.)

        * configure.in (AM_INIT_AUTOMAKE): Bump version.
        * src/Main.C: Add comment about dropping setuid privies.
        * src/AvrAtmel.C: Remove unused variables.
        * src/Makefile.am: Add -Wall and -Werror compile flags.
        * src/MotIntl.C (Htoi): Make sure hex digit is valid.
        (UploadMotorola): Increase size of seg_name[] to avoid buffer overflow.
        (UploadMotorola): Check for possible read past end of line_buf.
        (UploadMotorola): Add case for "S3" records.
        (UploadIntel): Check for possible read past end of line_buf.



-------------------------------------------------------
Date: 2002-Oct-29 21:33             By: troth
This is particularly nasty since uisp may be run SUID root if the user wishes 
to use direct parallel port access.

Could I get a file which causes this behaviour for testing?


CC List
*******

CC Address                          | Comment
------------------------------------+-----------------------------
address@hidden                      | 



File Attachments
****************

-------------------------------------------------------
Date: 2002-Oct-29 14:38  Name: uisp-buffer-overflow.patch  Size: 0KB   By: None

http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=125


For detailed info, follow this link:
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117
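
An added example, not uisp's code or the attached patch: a bounds-checked reader for the name in a Motorola S0 header record, applying the three checks the ChangeLog names (valid hex digits, no read past the end of the line, no write past the name buffer). It assumes the segment name is the S0 record's data field; the function names and both sample records are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed samples: a 3-byte name ("HDR") and a 40-byte name (forty 'A's). */
const char SAMPLE_SHORT[] = "S00600004844521B";
const char SAMPLE_LONG[] = "S02B0000"
    "4141414141" "4141414141" "4141414141" "4141414141"
    "4141414141" "4141414141" "4141414141" "4141414141" "AC";

/* One hex digit, or -1 if the character is not a hex digit (hypothetical helper). */
static int hex_digit(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Byte encoded at line[pos..pos+1]; -1 on a bad digit or a read past the end. */
static int hex_byte(const char *line, size_t len, size_t pos) {
    if (pos + 2 > len) return -1;
    int hi = hex_digit(line[pos]), lo = hex_digit(line[pos + 1]);
    return (hi < 0 || lo < 0) ? -1 : (hi << 4) | lo;
}

/* Copy an S0 record's name into out[out_size]; returns its length, or -1 if malformed or too long. */
int s0_segment_name(const char *line, char *out, size_t out_size) {
    size_t len = strcspn(line, "\r\n");
    if (len < 4 || line[0] != 'S' || line[1] != '0') return -1;
    int count = hex_byte(line, len, 2);       /* bytes after the count field */
    if (count < 3 || len != 4 + 2 * (size_t)count) return -1;  /* 2 addr + checksum; must match line */
    size_t name_len = (size_t)count - 3;
    if (name_len >= out_size) return -1;      /* reject rather than overflow the buffer */
    unsigned sum = (unsigned)count;
    for (size_t i = 0; i < (size_t)count; i++) {
        int b = hex_byte(line, len, 4 + 2 * i);
        if (b < 0) return -1;
        sum += (unsigned)b;
        if (i >= 2 && i < 2 + name_len) out[i - 2] = (char)b;
    }
    if ((sum & 0xFF) != 0xFF) return -1;      /* count + address + data + checksum must sum to 0xFF */
    out[name_len] = '\0';
    return (int)name_len;
}

int main(void) {
    char name[32];                            /* same size as the buffer in the report */
    int a = s0_segment_name(SAMPLE_SHORT, name, sizeof name);
    int b = s0_segment_name(SAMPLE_LONG, name, sizeof name);
    return (a == 3 && b == -1) ? 0 : 1;       /* long name is rejected, not copied */
}
```

With a 32-byte buffer the 40-character name is refused; a larger buffer accepts it, and in both cases the length comes from the validated record rather than from the buffer's size.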



