This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.



[Patch] Fix buffer overflow in kill utility


In kill.cc there exists the possibility to overflow the "char buf[80]"
array by supplying malformed command line arguments.

An attacker could use this to overwrite the return value on the stack
and execute arbitrary code, but the amount of space available on the
stack for shellcode is approx 108 bytes so you'd have to be mighty
creative to do anything significant with it.  A far-fetched scenario
might be some kind of perl or other CGI script running under Apache that
somehow allows a user-specified signal name to reach the command line of
/bin/kill.  Emphasis on the "far-fetched" part though.

Example:

$ /bin/kill -s `perl -e 'print "A"x200'`
Segmentation fault (core dumped)

As far as I can tell from CVS history this has existed in kill.cc since
its first version (~5 years.)  Trivial patch below.

2005-02-26  Brian Dessent  <brian@dessent.net>

	* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.
Index: winsup/utils/kill.cc
===================================================================
RCS file: /cvs/src/src/winsup/utils/kill.cc,v
retrieving revision 1.25
diff -u -p -r1.25 kill.cc
--- winsup/utils/kill.cc	13 Nov 2004 16:30:19 -0000	1.25
+++ winsup/utils/kill.cc	27 Feb 2005 02:29:40 -0000
@@ -87,7 +87,7 @@ getsig (const char *in_sig)
     sig = in_sig;
   else
     {
-      sprintf (buf, "SIG%s", in_sig);
+      snprintf (buf, sizeof(buf), "SIG%s", in_sig);
       sig = buf;
     }
   intsig = strtosigno (sig) ?: atoi (in_sig);
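Review bot: the `snprintf` call in this hunk stops the overflow but truncates silently, so a name longer than 76 characters is looked up as a different (truncated) "SIG..." string and then falls through to `atoi (in_sig)`; consider capturing the return value and treating `>= sizeof (buf)` as an unknown signal name rather than proceeding with the truncated buffer. Minor style point: the surrounding code uses GNU spacing (`sprintf (buf, ...)`, `getsig (const char *in_sig)`), so `sizeof (buf)` would match better than `sizeof(buf)`.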


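The following is an added example, not code from the Cygwin kill.cc source or from Brian's patch. It shows the same "prefix SIG, look the name up, fall back to atoi" logic in a hardened form that checks the snprintf return value so an over-long name is rejected instead of silently truncated. Cygwin's strtosigno() is replaced here by a small constructed lookup table (strtosigno_stub), and the "does the name already start with SIG" test is assumed to be a strncmp, since that part of getsig() is not visible in the hunk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Cygwin's strtosigno(): a constructed table of a few
   signal names, NOT the real Cygwin table. Returns 0 for unknown names. */
static int strtosigno_stub (const char *name)
{
  static const struct { const char *name; int num; } table[] = {
    { "SIGHUP", 1 }, { "SIGINT", 2 }, { "SIGKILL", 9 }, { "SIGTERM", 15 },
  };
  for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
    if (strcmp (table[i].name, name) == 0)
      return table[i].num;
  return 0;
}

/* Hardened getsig(): same 80-byte buffer as kill.cc, but the snprintf
   result is checked. Returns the signal number, or -1 when "SIG" + in_sig
   would not fit in buf (76 name characters is the most that fits). */
int getsig_checked (const char *in_sig)
{
  char buf[80];
  const char *sig;

  if (strncmp (in_sig, "SIG", 3) == 0)   /* assumed prefix test */
    sig = in_sig;
  else
    {
      int n = snprintf (buf, sizeof buf, "SIG%s", in_sig);
      if (n < 0 || (size_t) n >= sizeof buf)
        return -1;   /* truncated: refuse instead of looking up garbage */
      sig = buf;
    }

  int intsig = strtosigno_stub (sig);
  if (intsig == 0)
    intsig = atoi (in_sig);   /* numeric argument such as "9" */
  return intsig;
}

/* Builds a constructed name of n copies of c (like the perl "A"x200 in the
   report, capped at 255 characters) and returns getsig_checked() on it. */
int getsig_of_repeated (char c, size_t n)
{
  char name[256];
  if (n > sizeof name - 1)
    n = sizeof name - 1;
  memset (name, c, n);
  name[n] = '\0';
  return getsig_checked (name);
}

int main (int argc, char **argv)
{
  const char *name = argc > 1 ? argv[1] : "TERM";
  int s = getsig_checked (name);
  if (s < 0)
    fprintf (stderr, "signal name too long: %s\n", name);
  else
    printf ("%s -> %d\n", name, s);
  return s < 0;
}
```

With the 200-character argument from the report, getsig_checked() returns -1 and the caller prints an error; a 76-character name still fits and is merely unknown (result 0 after the atoi fallback), while a 77-character one is the first to be rejected.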