Subject: bin/21035: Locate segfaults on bad binary input.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <pancake@phreaker.net>
List: netbsd-bugs
Date: 04/06/2003 00:59:13
>Number: 21035
>Category: bin
>Synopsis: locate segfaults on bad database binary input
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Apr 05 14:53:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: pancake
>Release: NetBSD current
>Organization:
>Environment:
>Description:
locate reads the database file without making any kind of checks.
This will cause it to try to write code to an invalid pointer in memory.
I just check if this pointer is correct and then alert and exit to the
prompt. This is a pseudo-patch... it is possible to segfault with others,
but it cleans up the major possibilities.
I think that it is important to put good permissions on
/var/db/locate.database, because a !root user could change it and write
a malicious database that executes code itself and gains root privileges
if root executes locate.
It is difficult to overflow it, but it's possible. Code revision
is important. My patch only repairs most of the cases. But it is
still an ugly solution.
>How-To-Repeat:
$ locate -d /bin/ls pop
Segmentation Fault
Nice :)
>Fix:
Just try with this patch =)
--- locate.c Sat Apr 5 05:36:54 2003
+++ locate_bofpatch.c Sun Apr 6 00:12:09 2003
@@ -217,8 +217,14 @@
if (p < path || p >= path + sizeof(path))
return(-1); /* invalid database file */
if (c < PARITY)
+ {
+ if (count<0)
+ {
+ warnx("Invalid database file.\n");
+ exit(1);
+ }
*p++ = c;
- else { /* bigrams are parity-marked */
+ } else { /* bigrams are parity-marked */
c &= PARITY - 1;
/* sanity check */
if (c < 0 || c >= sizeof(bigram1))
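Review bot: the new `if (count<0)` test at the top of the `c < PARITY` branch does not guard the write that follows it. The only bound on `p` visible in this hunk is `if (p < path || p >= path + sizeof(path)) return(-1);`, which runs once before the branch and already rejects a negative offset, so the added check is redundant with it, while `*p++ = c` still advances `p` on every plain character and a long enough run of bytes below PARITY carries it past the end of `path`; the else branch's parity-masking and `c >= sizeof(bigram1)` test bound the bigram index, not `p`. Suggest checking `p` against `path + sizeof(path)` immediately before each write in both branches and returning -1 as the surrounding code does for an invalid database, rather than calling `exit(1)` from inside the routine. Two smaller points: `warnx` already appends a newline, so the `\n` in the format string produces a blank line, and the opening brace on its own `+ {` line departs from the brace placement used by the surrounding code.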
>Release-Note:
>Audit-Trail:
>Unformatted:
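The unchecked decode the report describes, as an added example that is neither the submitter's patch nor NetBSD's locate code: a decoder for the BSD locate database format (a 256-byte bigram header, then records made of a biased count byte followed by plain or parity-marked bigram bytes) run over an in-memory buffer, with the three bounds checks that keep the write pointer inside path[]. The format constants are assumed from that format rather than taken from the report; the small PATHBUF, the helper names and the sample databases are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* BSD locate database constants (assumed from the format, not from the report). */
#define NBG     128     /* bigram table entries */
#define OFFSET  14      /* bias added to each record's count byte */
#define PARITY  0200    /* high bit marks a bigram index */
#define SWITCH  30      /* count byte escape: a host-order int follows */
#define PATHBUF 64      /* hypothetical small path buffer; real code uses MAXPATHLEN */
#define HDRLEN  (2 * NBG)

/* In-memory stand-in for the FILE* the real tool reads. */
struct dbbuf { const unsigned char *data; size_t len; size_t pos; };

static int db_getc(struct dbbuf *d)
{
    return d->pos < d->len ? d->data[d->pos++] : EOF;
}

/* Like getw(3): a host-order int; -1 if the data ends first. */
static int db_getw(struct dbbuf *d, int *out)
{
    if (d->len - d->pos < sizeof(int))
        return -1;
    memcpy(out, d->data + d->pos, sizeof(int));
    d->pos += sizeof(int);
    return 0;
}

/* Decode every record in data[0..len) into out[] (at most maxout copies).
 * Returns the record count, or -1 as soon as a write would leave path[]. */
int locate_decode(const unsigned char *data, size_t len,
                  char out[][PATHBUF], int maxout)
{
    struct dbbuf d = { data, len, 0 };
    char bigram1[NBG], bigram2[NBG], path[PATHBUF], *p;
    int c, count = 0, n = 0, i;

    for (i = 0; i < NBG; i++) {            /* header: interleaved bigram pairs */
        int a = db_getc(&d), b = db_getc(&d);
        if (a == EOF || b == EOF)
            return -1;
        bigram1[i] = (char)a;
        bigram2[i] = (char)b;
    }
    for (c = db_getc(&d); c != EOF; ) {
        if (c == SWITCH) {                 /* count: bytes reused from previous path */
            int w;
            if (db_getw(&d, &w) < 0)
                return -1;
            count += w - OFFSET;
        } else
            count += c - OFFSET;
        if (count < 0 || count >= PATHBUF) /* check 1: reuse offset inside path[] */
            return -1;
        p = path + count;
        for (c = db_getc(&d); c != EOF && c > SWITCH; c = db_getc(&d)) {
            if (c < PARITY) {
                if (p >= path + PATHBUF - 1)   /* check 2: byte plus NUL must fit */
                    return -1;
                *p++ = (char)c;
            } else {
                c &= PARITY - 1;               /* bigram index 0..NBG-1 */
                if (p >= path + PATHBUF - 2)   /* check 3: two bytes plus NUL */
                    return -1;
                *p++ = bigram1[c];
                *p++ = bigram2[c];
            }
        }
        *p = '\0';
        if (n < maxout)
            strcpy(out[n], path);
        n++;
    }
    return n;
}

/* Constructed sample database: header with bigram 0 = "in", then body. */
static size_t build_db(unsigned char *buf, const unsigned char *body, size_t bodylen)
{
    memset(buf, 0, HDRLEN);
    buf[0] = 'i'; buf[1] = 'n';
    memcpy(buf + HDRLEN, body, bodylen);
    return HDRLEN + bodylen;
}

/* Two well-formed records: "/bin/ls", then "/bin/cat" reusing 5 bytes. */
int demo_well_formed(char out[][PATHBUF], int maxout)
{
    static const unsigned char body[] = { OFFSET + 0, '/', 'b', PARITY | 0,
                                          '/', 'l', 's', OFFSET + 5, 'c', 'a', 't' };
    unsigned char db[HDRLEN + sizeof body];
    return locate_decode(db, build_db(db, body, sizeof body), out, maxout);
}

/* A record body longer than path[]: check 2 rejects it instead of overrunning. */
int demo_overlong_record(void)
{
    unsigned char body[1 + PATHBUF + 8], db[HDRLEN + sizeof body];
    char out[1][PATHBUF];
    body[0] = OFFSET;
    memset(body + 1, 'a', sizeof body - 1);
    return locate_decode(db, build_db(db, body, sizeof body), out, 1);
}

/* A count byte below OFFSET: p would point before path[]; check 1 rejects it. */
int demo_negative_offset(void)
{
    static const unsigned char body[] = { 0, 'x' };
    unsigned char db[HDRLEN + sizeof body];
    char out[1][PATHBUF];
    return locate_decode(db, build_db(db, body, sizeof body), out, 1);
}
```

Run under a test harness the three demo functions return 2, -1 and -1 respectively; the real locate.c would, in the two failing cases, either write through an out-of-range p or return -1 depending on which of these checks it carries.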