Re: bin/64150: [PATCH] ls(1) coredumps when started via execve(2
On Fri, Mar 12, 2004 at 12:15:26PM +0100, Marc Olzheim wrote:
> On Fri, Mar 12, 2004 at 01:06:57PM +0200, Ruslan Ermilov wrote:
> > And the fact that optind is initially set to 1. I wonder what
> > could be the implications for setuid programs. There could be
> > quite unpredictable results, as the "argv" pointer is incorrectly
> > advanced in this case, and at least several setuid programs that
> > I've glanced at are vulnerable to this attack.
>
> See also: http://www.freebsd.org/cgi/query-pr.cgi?pr=33738
Thanks Ruslan, Marc,
I think kern/33738 is on the money. I do not see any immediate
ramifications, but for peace of mind I believe that exec should fail if
the argument array pointer is NULL.
I believe this would be consistent with the relevant standards: POSIX
already requires (a) that the first argument ``should point to a
filename that is associated with the process being started'' and (b)
``the last member of this array is a null pointer''--- i.e. the array
pointer cannot be NULL.
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 3 之 12 篇):