bug-coreutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

integer overflow in /bin/ls


From: Georgi Guninski
Subject: integer overflow in /bin/ls
Date: Sun, 12 Oct 2003 22:46:46 +0300

Hi,

There is a non exploitable integer overflow in /bin/ls.

Check the following:

/opt/bin/valgrind /bin/ls -w 1073741828 -C


==21243== Invalid write of size 4
==21243==    at 0x804E498: (within /bin/ls)
==21243==    by 0x804CC3C: (within /bin/ls)
==21243==    by 0x804B721: (within /bin/ls)
==21243==    by 0x8049F74: (within /bin/ls)
==21243==    Address 0x41430CC8 is 8 bytes after a block of size 8 alloc'd
==21243==    at 0x40160504: malloc (vg_clientfuncs.c:100)
==21243==    by 0x80534D0: (within /bin/ls)
==21243==    by 0x804E4FB: (within /bin/ls)
==21243==    by 0x804CC3C: (within /bin/ls)

The heap is quite screwed, but ls is killed by the kernel due to memory usage.
Probably ls should not accept big ints after -w.

As a side effect this causes temporary DoS in wu-ftpd.

georgi




reply via email to

[Prev in Thread] Current Thread [Next in Thread]