Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.

From: Jacques A. Vidrine (nectar_at_FreeBSD.org)
Date: 03/12/04

  • Next message: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
    Date: Fri, 12 Mar 2004 06:58:20 -0600
    To: Marc Olzheim <marcolz@stack.nl>
    
    

    On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
    > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
    > > And the fact that optind is initially set to 1. I wonder what
    > > could be the implications for setuid programs. There could be
    > > quite unpredictable results, as the "argv" pointer is incorrectly
    > > advanced in this case, and at least several setuid programs that
    > > I've glanced at are vulnerable to this attack.
    >
    > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738

    Thanks Ruslan, Marc,

    I think kern/33738 is on the money. I do not see any immediate
    ramifications, but for peace of mind I believe that exec should fail if
    the argument array pointer is NULL.

    I believe this would be consistent with the relevant standards: POSIX
    already requires (a) that the first argument ``should point to a
    filename that is associated with the process being started'' and (b)
    ``the last member of this array is a null pointer''--- i.e. the array
    pointer cannot be NULL.

    Cheers,

    -- 
    Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
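The hazard Ruslan describes (optind starting at 1, so the usual post-getopt
"argc -= optind; argv += optind" advances argv past the terminating NULL when
argc is 0) in runnable form. This is an added example, not code from the
thread, from ls(1) or from the FreeBSD kernel. The two vectors are constructed
to mirror the layout execve(2) builds on the new process's stack (argv
pointers, NULL, envp pointers, NULL, contiguous), skip_options() is a stand-in
that reproduces only getopt(3)'s optind arithmetic for simple flags, and the
first_operand_* functions are hypothetical names for the naive and hardened
versions of the same idiom.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the vector execve(2) lays out on the stack of the
 * new image: the argv pointers, a terminating NULL, then the envp pointers and
 * their terminating NULL, contiguous in memory.  This one models an exec with
 * an empty argv, i.e. argc == 0 and argv[0] == NULL, on a kernel that permits
 * it.
 */
static char *empty_argv_exec[] = {
    NULL,                            /* argv[0]: the terminator, argc == 0  */
    "PATH=/tmp/attacker-controlled", /* envp[0]: chosen by whoever exec'd us */
    NULL
};

/* Same layout for an ordinary "ls -l /etc" (constructed sample). */
static char *normal_exec[] = {
    "ls", "-l", "/etc", NULL,        /* argv, argc == 3 */
    "HOME=/home/user", NULL          /* envp */
};

/*
 * Stand-in for getopt(3)'s optind handling: the index starts at 1 (the element
 * after the program name) and moves over leading "-x" elements while it is
 * below argc.  Like getopt(3), nothing here verifies that argv[0] exists, so
 * with argc == 0 it still returns 1.
 */
static int skip_options(int argc, char **argv)
{
    int optind = 1;
    while (optind < argc && argv[optind] != NULL && argv[optind][0] == '-')
        optind++;
    return optind;
}

/*
 * The usual idiom: parse options, then treat argv[0] as the first operand.
 * Called with argc == 0, argc becomes -1 and argv is advanced one slot past
 * the NULL terminator, so argv[0] is envp[0].  A setuid program that then
 * opens or executes "its first operand" is working on an attacker-controlled
 * environment string.
 */
const char *first_operand_naive(int argc, char **argv)
{
    int optind = skip_options(argc, argv);
    argc -= optind;
    argv += optind;
    return argv[0];                  /* envp[0] when argc was 0 */
}

/*
 * Hardened: refuse an empty or missing vector before touching argv[0] or the
 * option parser, and never index past the remaining count.
 * Returns -1 (refused; caller should print usage and exit non-zero),
 *          0 (no operands), or 1 (*out points at the first operand).
 */
int first_operand_checked(int argc, char **argv, const char **out)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;
    int optind = skip_options(argc, argv);
    argc -= optind;
    argv += optind;
    if (argc <= 0)
        return 0;
    *out = argv[0];
    return 1;
}

int main(void)
{
    const char *op = NULL;
    printf("naive,   argc=0:      %s\n", first_operand_naive(0, empty_argv_exec));
    printf("checked, argc=0:      rc=%d\n",
           first_operand_checked(0, empty_argv_exec, &op));
    printf("naive,   ls -l /etc:  %s\n", first_operand_naive(3, normal_exec));
    return 0;
}
```

The check belongs at the top of main(), before getopt(3) or any use of
argv[0], because optind's initial value of 1 is set by the library and not by
the program; rejecting argc < 1 there is the program-side counterpart of having
exec refuse a NULL argument array, and it costs nothing in a setuid binary.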
    
