[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Concerning a possible bug in the 'ncurses' package

From: Ben Schwarz
Subject: Concerning a possible bug in the 'ncurses' package
Date: Sun, 28 Aug 2005 19:19:36 -0700 (PDT)

This email concerns a bug or security vulnerability that members of
the MOPS project (http://www.cs.berkeley.edu/~daw/mops/) have found
during a recent audit of all programs packaged with the Redhat 9 Linux
distribution. We believe that one or more of the packages maintained
by recipients of this email contain bugs that may be exploitable
(although sometimes they are just bugs that may result in unexpected
program behavior).

The specific type of bug which we have found arises from misuse of
the strncpy() function. In general there are two sources of problems:
1) off-by-one errors, where the program can write past the end
of an array bounds, and 2) unterminated strings. For example, a
safe use of strncpy():

   buf[sizeof(buf) - 1] = '\0';
   strncpy(buf, ..., sizeof(buf)-1);

and two unsafe uses:

   buf[sizeof(buf) - 1] = '\0';
   strncpy(buf, ..., sizeof(buf);


   memset(buf, 0, sizeof(buf) - 1);
   strncpy(buf, ..., sizeof(buf)-1);

In the first unsafe example, the string is null-terminated, but the
terminating character can be overwritten by the subsequence strncpy().
In the second unsafe example, memset() is used incorrectly--it needs
to be given the entire size of the buffer, not the size - 1.

We present some examples of vulnerable programs in our paper
"Model Checking An Entire Linux Distribution for Security Violations"
which can be found at
Section 3.4 is dedicated to this specific type of bug.

Our suggestion for fixing these bugs is to make sure all code
which uses strncpy() follows a safe idiom, such as the one presented

The maintainers of this package can find the interactive program
traces at https://taverner.cs.berkeley.edu/traces/strncpy/
A program trace consists of a series statements that caused the program
to reach a state where we believe malicious behavior can occur. One can
navigate the program code by clicking on transitions (two program states
separated by a '->') in the leftmost pane to see the program behavior
that caused our modelchecker to reach its final state.
For this specific bug, transitions to the final "bug" state will occur
when the modelchecker has detected a use of strncpy() that does not follow
a safe idiom. We have manually audited these traces to verify the
presence of bugs.

At this end of this email is a more detailed description of where the bug
can be found. Any questions about this specific bug can be directed to


URL with program traces for this package:

Programs with bugs:
tic (comp_error.c line 58)

We believe 'name' can be of length MAX_NAME_SIZE + 1,  so the string
is not guaranteed to be terminated.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]