Subject: Re: exploit with memcpy()
To: None <tech-userlevel@netbsd.org>
From: None <xs@kittenz.org>
List: tech-userlevel
Date: 07/02/2002 20:13:43
--6TrnltStXW4iwmi0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

on Tue, Jul 02, 2002 at 03:24:47PM +0000, Christos Zoulas wrote:
> And we should strive to eliminate functions in libc that write errors
> and warnings to stderr...

The only thing that springs to mind that does this is malloc(3). I'm sure
there are more. What do you think of this?


--6TrnltStXW4iwmi0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="malloc.warn"

Index: malloc.c
===================================================================
RCS file: /cvsroot/basesrc/lib/libc/stdlib/malloc.c,v
retrieving revision 1.38
diff -u -r1.38 malloc.c
--- malloc.c	2001/05/06 04:48:41	1.38
+++ malloc.c	2002/07/02 19:09:56
@@ -232,6 +232,9 @@
 /* junk fill ?  */
 static int malloc_junk;
 
+/* display warnings/errors on stderr? */
+static int malloc_warn;
+
 #ifdef HAS_UTRACE
 
 /* utrace ?  */
@@ -279,10 +282,12 @@
 {
     const char *progname = getprogname();
     char *q = " error: ";
-    write(STDERR_FILENO, progname, strlen(progname));
-    write(STDERR_FILENO, malloc_func, strlen(malloc_func));
-    write(STDERR_FILENO, q, strlen(q));
-    write(STDERR_FILENO, p, strlen(p));
+    if (malloc_warn) {
+	write(STDERR_FILENO, progname, strlen(progname));
+	write(STDERR_FILENO, malloc_func, strlen(malloc_func));
+	write(STDERR_FILENO, q, strlen(q));
+	write(STDERR_FILENO, p, strlen(p));
+    }
     suicide = 1;
     abort();
 }
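Review bot: Because `malloc_warn` is a zero-initialised static, wrterror() now reaches `abort()` without printing anything unless the `W` option was given, so a detected heap inconsistency kills the process with no record of which check fired. That message can be the only evidence available when triaging such a crash, so I would keep the fatal text unconditional and gate only wrtwarning(), or record it through another channel before aborting if stderr must stay untouched. The same default applies to the `else if (!malloc_warn)` test in the wrtwarning() hunk, and with `malloc_abort` set a warning there becomes a silent abort through `wrterror(p)`. The unchecked `write()` return values predate this change, and wrterror's opening line is outside the hunk.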
@@ -294,6 +299,9 @@
     char *q = " warning: ";
     if (malloc_abort)
 	wrterror(p);
+    else if (!malloc_warn)
+	return;
+
     write(STDERR_FILENO, progname, strlen(progname));
     write(STDERR_FILENO, malloc_func, strlen(malloc_func));
     write(STDERR_FILENO, q, strlen(q));
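Review bot: The `else` in `else if (!malloc_warn)` is redundant, because wrterror() ends in `abort()` (visible in the previous hunk) and never returns to this point. Writing it as a separate statement, `if (!malloc_warn) return;`, makes it clearer that the abort path and the quiet path are independent decisions. The rest of the function body, including the final write of `p`, lies outside the hunk.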
@@ -441,6 +449,8 @@
 	    b[j] = '\0';
 	    p = b;
 	} else if (i == 1) {
+	    if (issetugid())
+		continue;
 	    p = getenv("MALLOC_OPTIONS");
 	} else {
 	    p = malloc_options;
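Review bot: The new `issetugid()` test in the `i == 1` branch has no comment saying why the environment is skipped, and a later reader could take the `continue` for an accident. I would add `/* set-id programs must not take allocator options from the caller's environment */` above it. It is also worth stating in malloc(3) that MALLOC_OPTIONS is ignored for such programs, while the other two option sources handled by this loop still apply. The enclosing loop begins and ends outside the hunk.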
@@ -463,6 +473,8 @@
 #endif
 		case 'v': malloc_sysv    = 0; break;
 		case 'V': malloc_sysv    = 1; break;
+		case 'w': malloc_warn    = 0; break;
+		case 'W': malloc_warn    = 1; break;
 		case 'x': malloc_xmalloc = 0; break;
 		case 'X': malloc_xmalloc = 1; break;
 		case 'z': malloc_zero    = 0; break;
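Review bot: The new `w`/`W` letters are not documented anywhere in this patch, and the comment on the `malloc_warn` declaration does not say that the default is off. Since that default reverses the previous behaviour of always printing, the option list in malloc(3) should gain an entry such as "W: print warnings and errors to stderr; default off". The declaration comment could become `/* display warnings/errors on stderr? (default: no) */`. The enclosing switch starts and ends outside the hunk.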

--6TrnltStXW4iwmi0--