On Friday 22 August 2008 06:26, Cristian Cadar wrote:
> http://bugs.busybox.net/view.php?id=4684
> 
> Test cases:
> <full-path>/linux32 -
> <full-path>/linux64 -
> ./setarch "" ""
> 
> 15: int setarch_main(int argc UNUSED_PARAM, char **argv)
>      {
>               int pers = -1;
>      ...
>      retry:
> 25: if (argv[0][5] == '6') /* linux64 */
>              pers = PER_LINUX;
> 27: else if (argv[0][5] == '3') /* linux32 */
>                pers = PER_LINUX32;
> 29: else if (pers == -1 && argv[1] != NULL) {
>              pers = PER_LINUX32;
> 31: ++argv;
>              goto retry;
>          }
> 
> Consider <full-path>/linux32: one of the root problems is that argv[0]
> can be the full path to the program, so testing argv[0][5] is not always
> meaningful. 
> 
> When <full-path>/linux32 is called, the test on setarch.c:25 fails, as
> does the one on line 27. The one on line 29 succeeds, so argv is
> incremented, and execution jumps back to line 25. Now argv[0] is "-",
> so testing argv[0][5] reads past the end of that string, i.e. a buffer
> overflow (out-of-bounds read). The cases for linux64
> and setarch are similar.

Please try attached patch.

> BTW, I noticed there's no help associated with linux32 and linux64. 
> It would be useful to add the help from setarch "Set 32bit uname
> emulation" and "Set 64bit uname emulation" respectively.

I hesitate to do it since this will enlarge the binary
--
vda
diff -d -urpN busybox.0/util-linux/setarch.c busybox.1/util-linux/setarch.c
--- busybox.0/util-linux/setarch.c	2008-08-06 00:56:12.000000000 +0200
+++ busybox.1/util-linux/setarch.c	2008-08-24 00:56:16.000000000 +0200
@@ -1,6 +1,6 @@
 /* vi: set sw=4 ts=4: */
 /*
- * Linux32/linux64 allows for changing uname emulation.
+ * linux32/linux64 allows for changing uname emulation.
  *
  * Copyright 2002 Andi Kleen, SuSE Labs.
  *
@@ -14,32 +14,32 @@
 int setarch_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
 int setarch_main(int argc UNUSED_PARAM, char **argv)
 {
-	int pers = -1;
+	int pers;
 
 	/* Figure out what personality we are supposed to switch to ...
 	 * we can be invoked as either:
-	 * argv[0],argv[1] -> "setarch","personality"
-	 * argv[0]         -> "personality"
+	 * argv[0],argv[1] == "setarch","personality"
+	 * argv[0]         == "personality"
 	 */
-retry:
-	if (argv[0][5] == '6') /* linux64 */
+	if (ENABLE_SETARCH && applet_name[0] == 's'
+	 && argv[1] && strncpy(argv[1], "linux", 5)
+	) {
+		applet_name = argv[1];
+		argv++;
+	}
+	if (applet_name[5] == '6') /* linux64 */
 		pers = PER_LINUX;
-	else if (argv[0][5] == '3') /* linux32 */
-		pers = PER_LINUX32;
-	else if (pers == -1 && argv[1] != NULL) {
+	else if (applet_name[5] == '3') /* linux32 */
 		pers = PER_LINUX32;
-		++argv;
-		goto retry;
-	}
+	else
+		bb_show_usage();
 
-	/* make user actually gave us something to do */
-	++argv;
+	argv++;
 	if (argv[0] == NULL)
 		bb_show_usage();
 
 	/* Try to set personality */
 	if (personality(pers) >= 0) {
-
 		/* Try to execute the program */
 		BB_EXECVP(argv[0], argv);
 	}
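Review bot: The added condition `strncpy(argv[1], "linux", 5)` copies where it was evidently meant to compare. strncpy returns its destination pointer, so the test is true for any non-NULL argv[1], and it writes five bytes into argv[1] without a terminator. For an argument shorter than five characters, such as the report's `./setarch "" ""` case, that write runs past the argument's own storage, and the following `applet_name[5]` test then reads beyond the original string, so the out-of-bounds access from the bug report is not closed on the setarch path. The line should be `&& argv[1] && strncmp(argv[1], "linux", 5) == 0`, which also guarantees index 5 is at most the terminator. setarch_main's body continues past the end of the hunk.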