This is the mail archive of the cygwin-patches@cygwin.com mailing list for the Cygwin project.
[Patch] Fix buffer overflow in kill utility
- From: Brian Dessent <brian at dessent dot net>
- To: cygwin-patches at cygwin dot com
- Date: Sat, 26 Feb 2005 18:43:08 -0800
- Subject: [Patch] Fix buffer overflow in kill utility
- Organization: My own little world...
In kill.cc there exists the possibility to overflow the "char buf[80]"
array by supplying malformed command line arguments.
An attacker could use this to overwrite the return value on the stack
and execute arbitrary code, but the amount of space available on the
stack for shellcode is approx 108 bytes so you'd have to be mighty
creative to do anything significant with it. A far-fetched scenario
might be some kind of perl or other CGI script running under Apache that
somehow allows a user-specified signal name to reach the command line of
/bin/kill. Emphasis on the "far-fetched" part though.
Example:
$ /bin/kill -s `perl -e 'print "A"x200'`
Segmentation fault (core dumped)
As far as I can tell from CVS history this has existed in kill.cc since
its first version (~5 years.) Trivial patch below.
2005-02-26 Brian Dessent <brian@dessent.net>
* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.
Index: winsup/utils/kill.cc
===================================================================
RCS file: /cvs/src/src/winsup/utils/kill.cc,v
retrieving revision 1.25
diff -u -p -r1.25 kill.cc
--- winsup/utils/kill.cc 13 Nov 2004 16:30:19 -0000 1.25
+++ winsup/utils/kill.cc 27 Feb 2005 02:29:40 -0000
@@ -87,7 +87,7 @@ getsig (const char *in_sig)
sig = in_sig;
else
{
- sprintf (buf, "SIG%s", in_sig);
+ snprintf (buf, sizeof(buf), "SIG%s", in_sig);
sig = buf;
}
intsig = strtosigno (sig) ?: atoi (in_sig);
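Review bot: the snprintf in this hunk truncates silently. buf is 80 bytes and the "SIG" prefix takes three of them, so any name longer than 76 characters is cut off, strtosigno (sig) will not match the cut-off string, and the code falls through to atoi (in_sig) without any diagnostic. Consider checking the return value, e.g. `if (snprintf (buf, sizeof (buf), "SIG%s", in_sig) >= (int) sizeof (buf))`, and reporting the argument as an invalid signal name rather than quietly accepting a truncated one. Minor style point: `sizeof(buf)` should be `sizeof (buf)` to match the GNU spacing of the surrounding `sprintf (` and `strtosigno (` calls.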
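As an added illustration (not code from kill.cc or the patch), here is the getsig() pattern with the truncation case made explicit: snprintf's return value tells the caller that sprintf would have overflowed. Cygwin's strtosigno is replaced by a small constructed lookup table, and the "starts with SIG" test is an assumption since the hunk does not show the condition.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for Cygwin's strtosigno(): returns 0 when unknown. */
static int lookup_signo (const char *name)
{
  static const struct { const char *name; int signo; } table[] = {
    { "SIGHUP", 1 }, { "SIGINT", 2 }, { "SIGKILL", 9 }, { "SIGTERM", 15 },
  };
  for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
    if (strcmp (table[i].name, name) == 0)
      return table[i].signo;
  return 0;
}

/* Mirrors the patched getsig(): 'buf' is 80 bytes as in kill.cc.
 * Returns the signal number, or -1 when the argument does not fit in buf,
 * which is exactly the input that overflowed with sprintf(). */
int getsig_checked (const char *in_sig)
{
  char buf[80];
  const char *sig;

  if (strncmp (in_sig, "SIG", 3) == 0)   /* assumed prefix test, not in the hunk */
    sig = in_sig;
  else
    {
      int n = snprintf (buf, sizeof (buf), "SIG%s", in_sig);
      /* n is the length the full string would have had; at or beyond
         sizeof buf means snprintf() silently truncated it. */
      if (n < 0 || (size_t) n >= sizeof (buf))
        return -1;
      sig = buf;
    }
  int signo = lookup_signo (sig);
  return signo ? signo : atoi (in_sig);   /* same fallback as kill.cc */
}

/* Builds a `perl -e 'print "A"x200'` style argument and feeds it in. */
int getsig_checked_repeated (char c, size_t count)
{
  char *name = malloc (count + 1);
  if (!name) return -1;
  memset (name, c, count);
  name[count] = '\0';
  int r = getsig_checked (name);
  free (name);
  return r;
}
```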