[help-gv] Understanding the buffer overflow exploit in gv 3.6.2


From: Munawar Hafiz
Subject: [help-gv] Understanding the buffer overflow exploit in gv 3.6.2
Date: Wed, 10 Oct 2007 02:58:19 -0700 (PDT)

Hi,

I have been doing research on how to transform programs to
remove buffer overflow vulnerabilities. I have been trying to
understand the buffer overflow exploit documented in Bugtraq
20978 in securityfocus.


http://www.securityfocus.com/bid/20978/info

The following link has some proof of concept code that shows the buffer 
overflow error, 


http://www.securityfocus.com/bid/20978/exploit

It contains a ps file. When gv is asked to open the file, it gets a
segmentation fault. I understand that the segmentation fault occurs
because the doc->media data structure is corrupted in the

          struct document *
          psscan(fileP,filename,filename_raw,filename_dscP,cmd_scan_pdf,filename_uncP,cmd_uncompress,scanstyle)

function at line 653 in the ps.c file.

The reason for this corruption is the call to the

           static char * ps_gettext(line, next_char)

function in line 1382 of ps.c file where the buffer overflow occurs.

I tried to replace the bad string function strcpy in line 1382 with a
safe string function g_strlcpy provided by the glib library.
Replaced
         strcpy(cp, text);
with
         g_strlcpy(cp, text, malloc_usable_size(cp));

I got everything to compile and now the segmentation fault is gone.
Instead now I am getting a SIGILL, illegal instruction signal and gv
stops when it is asked to open the corrupt ps file.


Apparently the buffer is still overwritten and the function
cannot return. Hence the replacement of the strcpy with g_strlcpy has
no effect on the buffer overflow.

But my question is, why am I getting a SIGILL then instead of the
SIGSEGV that I got before the change? Can someone please help me by
explaining the buffer overflow vulnerability?

Thanks in advance.

Munawar Hafiz
Graduate Student
University of Illinois
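
An added example, not part of the original post and not gv's code: a hypothetical token reader that fills a fixed-size scratch buffer and then makes a heap copy, showing the length check placed at the write into the scratch buffer, since bounding only the final copy (as in the g_strlcpy change described above) does not constrain any earlier write. The names read_token and SCRATCH_LEN and the parenthesised token syntax are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_LEN 16  /* hypothetical scratch size, kept small for the demo */

/* Hypothetical helper (not gv code): return a heap copy of the text between
 * the first '(' in line and its matching ')'. Nested parentheses are kept.
 * Returns NULL if there is no token, the token is unterminated, it does not
 * fit in the scratch buffer, or allocation fails. */
char *read_token(const char *line)
{
    char scratch[SCRATCH_LEN];
    size_t n = 0;
    int depth = 0;
    const char *p = strchr(line, '(');

    if (p == NULL)
        return NULL;
    for (; *p != '\0'; p++) {
        if (*p == '(') {
            if (depth++ == 0)
                continue;               /* skip the outer '(' */
        } else if (*p == ')') {
            if (--depth == 0)
                break;                  /* matching ')' ends the token */
        }
        /* The bound is enforced here, at the write into the fixed-size
         * array, using the array's own size. A size obtained later from the
         * destination of the heap copy says nothing about this buffer. */
        if (n + 1 >= sizeof scratch)
            return NULL;                /* reject instead of overflowing */
        scratch[n++] = *p;
    }
    if (depth != 0)
        return NULL;                    /* unterminated token */
    scratch[n] = '\0';

    /* The heap copy is sized from the length that was actually written. */
    char *out = malloc(n + 1);
    if (out != NULL)
        memcpy(out, scratch, n + 1);
    return out;
}
```

Rejecting an oversized token is one policy; truncating and reporting the truncation to the caller is another, as long as the decision is made before the write.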


