Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv.
From: Tom Rhodes (trhodes_at_FreeBSD.org)
Date: 03/12/04
- Previous message: Jacques A. Vidrine: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- In reply to: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- Next in thread: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- Reply: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Mar 2004 11:07:25 -0500 To: Ruslan Ermilov <ru@FreeBSD.org>
On Fri, 12 Mar 2004 17:46:00 +0200
Ruslan Ermilov <ru@freebsd.org> wrote:
> On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote:
> > On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
> > > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> > > > And the fact that optind is initially set to 1. I wonder what
> > > > could be the implications for setuid programs. There could be
> > > > quite unpredictable results, as the "argv" pointer is incorrectly
> > > > advanced in this case, and at least several setuid programs that
> > > > I've glanced at are vulnerable to this attack.
> > >
> > > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738
> >
> > Thanks Ruslan, Marc,
> >
> > I think kern/33738 is on the money. I do not see any immediate
> > ramifications, but for peace of mind I believe that exec should fail if
> > the argument array pointer is NULL.
> >
> > I believe this would be consistent with the relevant standards: POSIX
> > already requires (a) that the first argument ``should point to a
> > filename that is associated with the process being started'' and (b)
> > ``the last member of this array is a null pointer''--- i.e. the array
> > pointer cannot be NULL.
> >
> As Garrett already pointed out in the PR log, have you considered this?
>
> http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_130_08
>
> I'm happy with changing our behavior to Strictly Conforming for the
> goods of security, and you?
Will it 'break' anything?
-- Tom Rhodes _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Jacques A. Vidrine: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- In reply to: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- Next in thread: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- Reply: Ruslan Ermilov: "Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2) with no argv."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
