bin/64150: [PATCH] ls(1) coredumps when started via execve(2)
with no argv.
Ruslan Ermilov
ru at FreeBSD.org
Fri Mar 12 07:46:11 PST 2004
On Fri, Mar 12, 2004 at 06:58:20AM -0600, Jacques A. Vidrine wrote:
> On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
> > On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> > > And the fact that optind is initially set to 1. I wonder what
> > > could be the implications for setuid programs. There could be
> > > quite unpredictable results, as the "argv" pointer is incorrectly
> > > advanced in this case, and at least several setuid programs that
> > > I've glanced at are vulnerable to this attack.
> >
> > See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738
>
> Thanks Ruslan, Marc,
>
> I think kern/33738 is on the money. I do not see any immediate
> ramifications, but for peace of mind I believe that exec should fail if
> the argument array pointer is NULL.
>
> I believe this would be consistent with the relevant standards: POSIX
> already requires (a) that the first argument ``should point to a
> filename that is associated with the process being started'' and (b)
> ``the last member of this array is a null pointer''--- i.e. the array
> pointer cannot be NULL.
>
As Garrett already pointed out in the PR log, have you considered this?
http://www.opengroup.org/onlinepubs/007904975/functions/execve.html#tag_03_130_08
I'm happy with changing our behavior to Strictly Conforming for the
goods of security, and you?
Cheers,
--
Ruslan Ermilov
FreeBSD committer
ru at FreeBSD.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040312/ef7fffea/attachment.bin
More information about the freebsd-security
mailing list