bug-coreutils

ptx bug -- unbounded buffer overflow


From: Cristian Cadar
Subject: ptx bug -- unbounded buffer overflow
Date: Thu, 20 Mar 2008 16:53:48 -0700

  Hello, I'm part of a research group at Stanford, working on automatic
bug-finding tools.  We are currently testing coreutils, and we found a
crash bug in ptx due to an unbounded buffer overflow.

  Here is a trivial test case that triggers the bug in the current
version of coreutils (6.10):

$ ptx -F\\

  Another example, which overflows more bytes would be:
$ ptx -F\\ abcdef

(the overflow increases w/ the length of the second argument).

  The problem is in function copy_unescaped_string(const char *string),
which in the presence of backslashes can advance the pointer "string"
past the end of the buffer.  This in turn causes an unbounded overflow
of the buffer malloc-ed at the very beginning of the function, which in
turn can be used to corrupt the heap metadata and crash the program.

  We would appreciate your confirmation of the bug.

  Cristian Cadar
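The pointer walk described in the report, as an added example that is not coreutils' code and not the reporter's: a hypothetical unescape loop (`unescape_buggy`, an assumption standing in for `copy_unescaped_string`, with only `\n` and `\t` as recognised escapes) next to a hardened version, run over a constructed byte layout that models the argv memory of `ptx -F\\ abcdef`. The buggy loop is given an oversized scratch buffer so that the demonstration itself stays well defined; the overrun it reports is the number of bytes the real code would write past its `malloc(strlen(string) + 1)` block.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical unescape routine reproducing the pattern described in the
 * report.  It is NOT coreutils' copy_unescaped_string, only a minimal model:
 * on a backslash it steps over the backslash and copies the next byte without
 * checking for the terminator.  If the backslash is the last byte, the NUL is
 * copied as data and the read pointer moves PAST it, so the loop keeps copying
 * whatever sits after the string in memory.
 *
 * To keep the demonstration well defined, the caller supplies an oversized
 * output buffer and the function returns how many bytes it wrote; the real bug
 * writes the same bytes into a malloc(strlen(string) + 1) block.
 */
size_t unescape_buggy(const char *string, char *out)
{
    char *cursor = out;
    while (*string) {
        if (*string == '\\') {
            string++;                 /* may now point at the NUL terminator */
            switch (*string) {
            case 'n': *cursor++ = '\n'; break;
            case 't': *cursor++ = '\t'; break;
            default:  *cursor++ = *string; break;  /* copies the NUL as data */
            }
            string++;                 /* steps past it: out of bounds from here on */
        } else {
            *cursor++ = *string++;
        }
    }
    *cursor++ = '\0';
    return (size_t)(cursor - out);
}

/*
 * Hardened version: a backslash is only treated as an escape when a byte
 * follows it; a trailing backslash is kept literally.  Each iteration consumes
 * at least as many input bytes as it produces, so the output never exceeds
 * strlen(string) + 1 and the allocation bound holds.  Caller frees the result.
 */
char *unescape_fixed(const char *string)
{
    char *result = malloc(strlen(string) + 1);
    if (result == NULL)
        return NULL;
    char *cursor = result;
    while (*string) {
        if (*string == '\\' && string[1] != '\0') {
            string++;
            switch (*string) {
            case 'n': *cursor++ = '\n'; break;
            case 't': *cursor++ = '\t'; break;
            default:  *cursor++ = *string; break;
            }
            string++;
        } else {
            *cursor++ = *string++;    /* ordinary byte, or a lone trailing '\' */
        }
    }
    *cursor = '\0';
    return result;
}

/*
 * Constructed byte layout (an assumption, not a real process dump) standing in
 * for argv in `ptx -F\\ abcdef`: the option argument "\" (one backslash), its
 * terminator, then the next argument "abcdef".  Returns how many bytes the
 * buggy copy writes beyond the strlen + 1 the original allocation reserves.
 */
size_t buggy_overrun_for_demo(void)
{
    static const char arena[] = { '\\', '\0', 'a', 'b', 'c', 'd', 'e', 'f', '\0' };
    const char *string = arena;
    size_t allocated = strlen(string) + 1;  /* 2 bytes */
    char scratch[64] = { 0 };               /* oversized so the demo stays safe */
    size_t written = unescape_buggy(string, scratch);
    return written > allocated ? written - allocated : 0;
}

/* Helper for checking the hardened routine: 1 if unescape_fixed(in) == expected. */
int fixed_matches(const char *in, const char *expected)
{
    char *r = unescape_fixed(in);
    if (r == NULL)
        return 0;
    int ok = strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    printf("bytes written past the allocation: %zu\n", buggy_overrun_for_demo());
    printf("lone backslash handled safely: %d\n", fixed_matches("\\", "\\"));
    return 0;
}
```

With the layout above the buggy loop writes six bytes past the two it was allowed, exactly the length of the following argument, which is the behaviour the report describes for `ptx -F\\ abcdef`. The fix is the `string[1] != '\0'` check: once a backslash can no longer consume the terminator, the `strlen + 1` allocation is a true upper bound on the output.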
