On Wednesday 20 August 2008 03:35, Cristian Cadar wrote:
> Hey Denys, thanks for closing those bugs.
> The fix you pushed does indeed fix one of the bugs I reported.  There's
> another invalid access though, sorry for not being clear.
> 
> The problem occurs when you call envdir, setuidgid or envuidgid w/o any
> arguments:
> 
> $ ./envdir 
> envdir: chdir((null)): Bad address
> 
> In chpst_main, argv is initially {"envdir", NULL}.
> 
> 195:  if ((ENABLE_CHPST && applet_name[0] == 'c')
> 196:   || (ENABLE_SOFTLIMIT && applet_name[1] == 'o')
> ...
>       } else {
>               option_mask32 = opt = 0;
> 215:          argv++;
>       }
> 
>       // envdir?
>       if (ENABLE_ENVDIR && applet_name[3] == 'd') {
> 220:          env_dir = *argv++;
>               opt |= OPT_e;
>       }
> ...
> 237:  if (!*argv)
>               bb_show_usage();
> 
> 
> Then, argv is incremented twice: once on line 215, and once on line 220.
> Then, the dereference on line 237 accesses invalid memory. 
> Also, edir(NULL) is called (line 344) which in turn incorrectly calls
> chdir(NULL). 
> 
> The other calls (setuidgid or envuidgid) are similar.  A simple
> validation that these programs are called w/ the right number of
> arguments should solve this.

Please try this patch.
--
vda
diff -d -urpN busybox.7/runit/chpst.c busybox.8/runit/chpst.c
--- busybox.7/runit/chpst.c	2008-08-15 23:01:19.000000000 +0200
+++ busybox.8/runit/chpst.c	2008-08-21 00:19:21.000000000 +0200
@@ -213,6 +213,8 @@ int chpst_main(int argc UNUSED_PARAM, ch
 	} else {
 		option_mask32 = opt = 0;
 		argv++;
+		if (!*argv)
+			bb_show_usage();
 	}
 
 	// envdir?
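Review bot: the new `if (!*argv) bb_show_usage();` sits only in the `else` branch, so it guards the `argv++` there, but nothing checks `*argv` between the per-applet reads that follow (`env_dir = *argv++;`, `set_user = *argv++;`). That is safe only while at most one of those blocks can match a given applet name before the existing `if (!*argv)` test is reached. A short comment stating that invariant, or a check in front of each read, would keep a later applet test from reintroducing the walk past the NULL terminator.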
@@ -222,7 +224,7 @@ int chpst_main(int argc UNUSED_PARAM, ch
 	}
 
 	// setuidgid?
-	if (ENABLE_SETUIDGID && applet_name[0] == 's') {
+	if (ENABLE_SETUIDGID && applet_name[1] == 'e') {
 		set_user = *argv++;
 		opt |= OPT_u;
 	}
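Review bot: the switch from `applet_name[0] == 's'` to `applet_name[1] == 'e'` is not explained and is separate from the missing-argument report. Presumably the old test also matched `softlimit`, which the first branch identifies by `applet_name[1] == 'o'`, so that applet would have had its first argument taken as `set_user`. Please say so in the commit message or in a comment next to the test, since these single-character applet checks are easy to break when an applet is added or renamed.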
_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
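The failure reported in this thread is a cursor stepping past the NULL terminator of argv. As an added example (not part of the original messages and not BusyBox code), the sketch below shows one way to read operands so the cursor can never pass the terminator; `take_arg`, `parse_envdir` and `struct envdir_args` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: return the current argument and advance,
 * but never step past the NULL terminator of argv. */
static const char *take_arg(char ***cursor)
{
	if (**cursor == NULL)
		return NULL;            /* stay on the terminator */
	return *(*cursor)++;
}

struct envdir_args {
	const char *dir;                /* directory operand */
	char **prog;                    /* program and its arguments */
};

/* Parse "envdir DIR PROG [ARGS...]". Returns 0 on success, -1 when an
 * operand is missing (a real applet would print usage and exit). */
static int parse_envdir(char **argv, struct envdir_args *out)
{
	char **cursor = argv;

	take_arg(&cursor);              /* skip the applet name */
	out->dir = take_arg(&cursor);
	if (out->dir == NULL)
		return -1;              /* "envdir" with no arguments */
	if (*cursor == NULL)            /* safe: cursor is still inside argv */
		return -1;              /* directory given, program missing */
	out->prog = cursor;
	return 0;
}

int main(void)
{
	/* Constructed sample argument vectors. */
	char *none[] = { "envdir", NULL };
	char *full[] = { "envdir", "/tmp/env", "prog", "-x", NULL };
	struct envdir_args a;

	printf("no args: %d\n", parse_envdir(none, &a));
	if (parse_envdir(full, &a) == 0)
		printf("dir=%s prog=%s\n", a.dir, a.prog[0]);
	return 0;
}
```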