[Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19
From: nobody
Subject: [Uisp-dev] [Bug #1551] Buffer overflow causes crash in uisp on some s19 files
Date: Wed, 30 Oct 2002 18:24:33 -0500
=================== BUG #1551: LATEST MODIFICATIONS ==================
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117
Changes by: Theodore A. Roth <address@hidden>
Date: 2002-Oct-30 15:24 (US/Pacific)
What | Removed | Added
---------------------------------------------------------------------------
Resolution | None | Fixed
Status | Open | Closed
------------------ Additional Follow-up Comments ----------------------------
Here's the ChangeLog entry which includes the fix:
2002-10-30 Theodore A. Roth <address@hidden>
(Thanks to Seth LaForge <address@hidden> for pointing out the buffer overflow
problems.)
* configure.in (AM_INIT_AUTOMAKE): Bump version.
* src/Main.C: Add comment about dropping setuid privies.
* src/AvrAtmel.C: Remove unused variables.
* src/Makefile.am: Add -Wall and -Werror compile flags.
* src/MotIntl.C (Htoi): Make sure hex digit is valid.
(UploadMotorola): Increase size of seg_name[] to avoid buffer overflow.
(UploadMotorola): Check for possible read past end of line_buf.
(UploadMotorola): Add case for "S3" records.
(UploadIntel): Check for possible read past end of line_buf.
=================== BUG #1551: FULL BUG SNAPSHOT ===================
Submitted by: None
Project: AVR In-System Programmer
Submitted on: 2002-Oct-29 14:38
Category: None
Severity: 9 - Critical
Bug Group: None
Resolution: Fixed
Assigned to: troth
Status: Closed
Summary: Buffer overflow causes crash in uisp on some s19 files
Original Submission: From: <address@hidden>
When using --upload or --verify with some .s19 files, uisp segfaults. It turns
out that the segment name contained in these .s19 files is 40 characters long,
and uisp uses a 32-character buffer to store them. This is a security hole -
somebody could give you a .s19 file, and when you attempt to install it on an
Atmel, your machine could execute arbitrary code!
Attached is a patch to increase the segment name buffer to 260 characters,
hopefully avoiding this problem. However, my patch does not fix the security
hole - the file reading portion of the uisp code would need a complete rewrite
to get rid of all of the security holes.
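As an added illustration of the report above and of the MotIntl.C fixes listed in the ChangeLog (not uisp's own code and not the attached patch), here is a bounded S-record line parser in C: every hex digit is validated, no read runs past the end of the line, the S0 segment name is copied into a fixed 260-byte buffer with truncation instead of overflowing it, and S3 records are handled. The struct, function names and the 260-byte limit are assumptions of this example.

```c
#include <string.h>
/* Hypothetical bounded S-record parser written for this bug report, not uisp's
 * MotIntl.C. It applies the ChangeLog fixes: every hex digit is validated, nothing
 * is read past the end of the line, the S0 segment name is truncated into a fixed
 * buffer instead of overflowing it, and S3 (32-bit address) records are handled. */
#define SEG_NAME_MAX 260 /* the patch's limit; the count byte caps a payload at 252 bytes */
struct srec {
    int type; unsigned long addr;          /* record type digit, load address */
    unsigned len; unsigned char data[255]; /* payload length and bytes */
    char seg_name[SEG_NAME_MAX];           /* S0 header text, always NUL-terminated */
};
/* Value of one hex digit, or -1 when c is not a hex digit (the Htoi fix). */
static int htoi(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}
/* Consume two hex digits at *pos, refusing to read beyond line_len; accumulate the checksum. */
static int read_byte(const char *line, size_t line_len, size_t *pos, unsigned *sum) {
    int hi, lo;
    if (*pos + 2 > line_len || (hi = htoi(line[*pos])) < 0 || (lo = htoi(line[*pos + 1])) < 0) return -1;
    *pos += 2;
    *sum += (unsigned)(hi * 16 + lo);
    return hi * 16 + lo;
}
/* Parse one S-record line into *out. Returns 0 on success, -1 on any malformed input. */
int parse_srec(const char *line, struct srec *out) {
    static const int addr_bytes[10] = {2, 2, 3, 4, -1, -1, -1, 4, 3, 2}; /* per type digit */
    size_t len = strcspn(line, "\r\n"), pos = 2;
    unsigned sum = 0; int count, b, i, ab;
    memset(out, 0, sizeof *out);
    if (len < 4 || line[0] != 'S' || line[1] < '0' || line[1] > '9') return -1;
    out->type = line[1] - '0';
    if ((ab = addr_bytes[out->type]) < 0) return -1;
    if ((count = read_byte(line, len, &pos, &sum)) < 0) return -1;
    /* count covers address + data + checksum, so the line must be exactly 4 + 2*count chars */
    if (count < ab + 1 || len != 4 + 2 * (size_t)count) return -1;
    for (i = 0; i < ab; i++) {
        if ((b = read_byte(line, len, &pos, &sum)) < 0) return -1;
        out->addr = (out->addr << 8) | (unsigned)b;
    }
    out->len = (unsigned)(count - ab - 1);
    for (i = 0; i < (int)out->len; i++) {
        if ((b = read_byte(line, len, &pos, &sum)) < 0) return -1;
        out->data[i] = (unsigned char)b;
        if (out->type == 0 && i < SEG_NAME_MAX - 1) out->seg_name[i] = (char)b; /* bounded copy */
    }
    if (read_byte(line, len, &pos, &sum) < 0) return -1;  /* checksum byte */
    return (sum & 0xff) == 0xff ? 0 : -1;                 /* low byte of the sum must be 0xFF */
}
```

The S0 record built from a 40-character segment name, the case that crashed the 32-byte buffer, parses cleanly; a truncated line, a bad hex digit or a wrong checksum is rejected instead of being read past.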
Follow-up Comments
*******************
-------------------------------------------------------
Date: 2002-Oct-29 21:33 By: troth
This is particularly nasty since uisp may be run SUID root if the user wishes
to use direct parallel port access.
Could I get a file which causes this behaviour for testing?
CC List
*******
CC Address | Comment
------------------------------------+-----------------------------
address@hidden |
File Attachments
****************
-------------------------------------------------------
Date: 2002-Oct-29 14:38 Name: uisp-buffer-overflow.patch Size: 0KB By: None
http://savannah.nongnu.org/bugs/download.php?group_id=2117&bug_id=1551&bug_file_id=125
For detailed info, follow this link:
http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=1551&group_id=2117