Vulnerability Development mailing list archives
Re: [Fwd: Help needed with bufferoverflow in cvs]
From: "Crist J. Clark" <crist.clark () attbi com>
Date: Fri, 22 Feb 2002 10:53:09 -0800
[The crossposting seems to have gotten out of control somewhere along the line. Some CCs changed to BCCs since it is getting off topic.]

On Fri, Feb 22, 2002 at 01:01:36PM -0500, Donald Sharp wrote:
[snip]
> I have insufficient memory. But why would you expect this to be a security hole?
I don't really expect it to be one. It looks like it would be
tough to exploit. Here is where things are supposed to be faulting in
diff/analyze.c,
425   p = (int *) xmalloc (filevec[0].equiv_max * (2 * sizeof (int)));
426   equiv_count[0] = p;
427   equiv_count[1] = p + filevec[0].equiv_max;
428   bzero (p, filevec[0].equiv_max * (2 * sizeof (int)));
429
430   for (i = 0; i < filevec[0].buffered_lines; ++i)
431     ++equiv_count[0][filevec[0].equivs[i]];
432   for (i = 0; i < filevec[1].buffered_lines; ++i)
433     ++equiv_count[1][filevec[1].equivs[i]];
At 431 in my case. We are actually messing with memory we shouldn't
be, but we are not writing arbitrary data to memory, we're incrementing
with integer addition, and not in a location that looks easy to
manipulate.
But getting to the bug stomping, the equivs_max structure member
should not be less than equivs[0],
(gdb) run -f diff -C111111111111 /export/stable/src/sys/netinet/ip_fw.c
Starting program: /var/tmp/export/stable/src/gnu/usr.bin/cvs/cvs/cvs -f diff -C111111111111
/export/stable/src/sys/netinet/ip_fw.c
Index: /export/stable/src/sys/netinet/ip_fw.c
===================================================================
RCS file: /export/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.31
diff -C111111111111 -r1.131.2.31 ip_fw.c
Program received signal SIGSEGV, Segmentation fault.
0x8099b7e in discard_confusing_lines (filevec=0xbfbff38c)
at /export/stable/src/gnu/usr.bin/cvs/libdiff/../../../../contrib/cvs/diff/analyze.c:431
(gdb) p filevec[0].equiv_max
$4 = 694
(gdb) p filevec[0].buffered_lines
$5 = 939
(gdb) p filevec[0].equivs[i]
$6 = 135420989
(gdb)
--
Crist J. Clark | cjclark () alum mit edu
| cjclark () jhu edu
http://people.freebsd.org/~cjc/ | cjc () freebsd org
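Added example, not code from the thread or from CVS: a checked version of the counting loop at analyze.c:425-433 that verifies the invariant the message identifies (every equivs[i] must be below equiv_max) before it writes anything, and rejects the input instead of incrementing outside the allocation. The struct file_data here and the demo_count() function are hypothetical, simplified stand-ins for CVS's real structures; the sample class ids are constructed.

```c
#include <stdlib.h>

/* Hypothetical, simplified stand-in for the file_data fields the message
 * reads in gdb; not CVS's own struct. */
struct file_data {
    int *equivs;         /* equivalence class id of each buffered line */
    int buffered_lines;  /* number of lines */
    int equiv_max;       /* class ids must be in [0, equiv_max) */
};

/* Checked version of the counting loop at analyze.c:425-433. Allocates the
 * two count arrays (zeroed, as xmalloc+bzero did) into *out and returns 0;
 * returns -1 without allocating if any equivs[i] is outside [0, equiv_max),
 * the invariant that the crash (equivs[i]=135420989, equiv_max=694) broke. */
int count_equivs_checked(const struct file_data filevec[2], int **out)
{
    int emax = filevec[0].equiv_max, f, i, *p;

    if (emax <= 0)
        return -1;
    for (f = 0; f < 2; f++)                 /* validate before writing */
        for (i = 0; i < filevec[f].buffered_lines; i++)
            if (filevec[f].equivs[i] < 0 || filevec[f].equivs[i] >= emax)
                return -1;
    if ((p = calloc((size_t)emax * 2, sizeof *p)) == NULL)
        return -1;
    for (f = 0; f < 2; f++)
        for (i = 0; i < filevec[f].buffered_lines; i++)
            ++p[f * emax + filevec[f].equivs[i]];  /* equiv_count[f][...] */
    *out = p;
    return 0;
}

/* Constructed sample: three classes; file 0 lines in classes {0,2,2,1},
 * file 1 in {2,0}. If 'bad' is set, one id is the out-of-range value from
 * the gdb output. Returns the count for (file, cls), or -1 if rejected. */
int demo_count(int bad, int file, int cls)
{
    int e0[] = {0, 2, 2, 1}, e1[] = {2, 0}, *counts = NULL, v;
    struct file_data fv[2] = {{e0, 4, 3}, {e1, 2, 3}};

    if (bad)
        e0[1] = 135420989;
    if (count_equivs_checked(fv, &counts) != 0)
        return -1;
    v = counts[file * 3 + cls];
    free(counts);
    return v;
}
```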