bug-cvs

Re: [Fwd: Help needed with bufferoverflow in cvs]


From: Crist J. Clark
Subject: Re: [Fwd: Help needed with bufferoverflow in cvs]
Date: Fri, 22 Feb 2002 10:53:09 -0800
User-agent: Mutt/1.2.5i

[The crossposting seems to have gotten out of control somewhere along
the line. Some CCs changed to BCCs since it is getting off topic.]

On Fri, Feb 22, 2002 at 01:01:36PM -0500, Donald Sharp wrote:
[snip]

> I have insufficient memory.  But why would you expect this to be a
> security hole?

I don't really expect it to be one. It looks like it would be
tough to exploit. Here is where things are supposed to be faulting in
diff/analyze.c,

   425    p = (int *) xmalloc (filevec[0].equiv_max * (2 * sizeof (int)));
   426    equiv_count[0] = p;
   427    equiv_count[1] = p + filevec[0].equiv_max;
   428    bzero (p, filevec[0].equiv_max * (2 * sizeof (int)));
   429  
   430    for (i = 0; i < filevec[0].buffered_lines; ++i)
   431      ++equiv_count[0][filevec[0].equivs[i]];
   432    for (i = 0; i < filevec[1].buffered_lines; ++i)
   433      ++equiv_count[1][filevec[1].equivs[i]];

At 431 in my case. We are actually messing with memory we shouldn't
be, but we are not writing arbitrary data to memory, we're incrementing
with integer addition, and not in a location that looks easy to
manipulate.

But getting to the bug stomping, the equiv_max structure member
should not be less than equivs[0],

(gdb) run -f diff -C111111111111 /export/stable/src/sys/netinet/ip_fw.c
Starting program: /var/tmp/export/stable/src/gnu/usr.bin/cvs/cvs/cvs -f diff 
-C111111111111 /export/stable/src/sys/netinet/ip_fw.c
Index: /export/stable/src/sys/netinet/ip_fw.c
===================================================================
RCS file: /export/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.31
diff -C111111111111 -r1.131.2.31 ip_fw.c

Program received signal SIGSEGV, Segmentation fault.
0x8099b7e in discard_confusing_lines (filevec=0xbfbff38c)
    at 
/export/stable/src/gnu/usr.bin/cvs/libdiff/../../../../contrib/cvs/diff/analyze.c:431
(gdb) p filevec[0].equiv_max
$4 = 694
(gdb) p filevec[0].buffered_lines
$5 = 939
(gdb) p filevec[0].equivs[i]
$6 = 135420989
(gdb) 

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
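The loop at line 431 above is a histogram fill: two arrays of equiv_max ints are carved out of one allocation and then indexed by equivs[i] with no check that the index fits, which is exactly what the gdb session shows going wrong (equivs[i] = 135420989 against equiv_max = 694). The following is an added example, not libdiff's own code, of the same fill with a bounds check in front of the increment; the struct, function names and sample data are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the relevant fields of libdiff's per-file
 * record: one equivalence class per buffered line, and the number of
 * histogram slots that were allocated for those classes. */
struct file_data {
    const int *equivs;      /* equivalence class of each buffered line */
    int buffered_lines;     /* number of entries in equivs */
    int equiv_max;          /* number of histogram slots allocated */
};

/* Checked version of "++equiv_count[k][equivs[i]]". Zeroes counts[0..equiv_max)
 * and increments only when the index is inside the allocation. Returns how
 * many indices were out of range (0 means the histogram is complete and
 * trustworthy), so the caller can stop instead of writing past the buffer. */
static int count_equivs_checked(const int *equivs, int n, int equiv_max, int *counts)
{
    int bad = 0;
    memset(counts, 0, (size_t)equiv_max * sizeof(int));
    for (int i = 0; i < n; ++i) {
        int e = equivs[i];
        if (e < 0 || e >= equiv_max) {
            ++bad;              /* this increment would have landed outside counts */
            continue;
        }
        ++counts[e];
    }
    return bad;
}

/* Same layout as analyze.c: one allocation, two views of equiv_max ints.
 * Both files are validated against filevec[0].equiv_max, as the original
 * code sizes both views from that field. Returns NULL if either file
 * carries an index outside [0, equiv_max); the caller must free() the result. */
static int *build_equiv_counts(const struct file_data filevec[2])
{
    int equiv_max = filevec[0].equiv_max;
    int *p = calloc((size_t)equiv_max * 2, sizeof(int));
    if (p == NULL)
        return NULL;
    int *equiv_count[2] = { p, p + equiv_max };
    for (int k = 0; k < 2; ++k) {
        if (count_equivs_checked(filevec[k].equivs, filevec[k].buffered_lines,
                                 equiv_max, equiv_count[k]) != 0) {
            free(p);
            return NULL;
        }
    }
    return p;
}

/* Constructed sample input: three slots, one file well-formed, the other
 * claiming class 7 for which no slot exists (the analyze.c mismatch in small). */
static const int sample_equivs_ok[]  = { 0, 2, 2, 1, 0 };
static const int sample_equivs_bad[] = { 0, 2, 7 };

/* How often class 2 appears in the well-formed file, or -1 if rejected. */
static int demo_valid_run(void)
{
    int counts[3];
    if (count_equivs_checked(sample_equivs_ok, 5, 3, counts) != 0)
        return -1;
    return counts[2];
}

/* Number of indices the check refused for the malformed file. */
static int demo_rejected_run(void)
{
    int counts[3];
    return count_equivs_checked(sample_equivs_bad, 3, 3, counts);
}

/* 1 if the paired build is rejected because the second file is malformed. */
static int demo_build_pair(void)
{
    struct file_data filevec[2] = {
        { sample_equivs_ok, 5, 3 },
        { sample_equivs_bad, 3, 3 },
    };
    int *p = build_equiv_counts(filevec);
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}

int main(void)
{
    printf("valid run: class 2 seen %d times\n", demo_valid_run());
    printf("bad run: %d out-of-range indices rejected\n", demo_rejected_run());
    printf("pair build: %s\n", demo_build_pair() ? "rejected" : "accepted");
    return 0;
}
```

The check costs one comparison per line and turns the silent out-of-bounds increment into a rejected diff, which is the outcome a caller can act on; it does not explain why equivs[i] ended up so far above equiv_max for the huge -C value, which is the part still to be tracked down.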
