

Re: Fwd: ld.so buffer overflow



> > This message is to alert everyone that there is a dangerous buffer
> > overflow situation in ld.so and ld-linux.so.  There will be an advisory
> > posted to the appropriate security lists and newsgroups sometime tomorrow.  

I have applied a slightly modified version of Alan's patch to ld.so 1.9.2.
In ld.so.c the function was called arg_remap instead of argv_remap, and I have
changed one argv[0] to argv0.

As the DNS problems also hit ftp.suse.com, I currently cannot check
the bug-fix directory of S.u.S.E. But I expect the new ld.so binary to
be somewhere near ftp://ftp.suse.com/pub/suse_update/suse_50/ldso/
within the next two hours. (I hope I got the URL right.)

Thanks a lot,

Florian La Roche


--- d-link/boot1.c
+++ d-link/boot1.c	1997/07/17 12:38:34
@@ -114,10 +114,12 @@
 
 #define ALLOW_ZERO_PLTGOT
 
+#define ELF_LDSO_IMAGE "/lib/ld-linux.so.1"
+
 static char * _dl_malloc_addr, *_dl_mmap_zero;
 char * _dl_library_path = 0; /* Where we look for libraries */
 char *_dl_preload = 0; /* Things to be loaded before the libs. */
-char *_dl_progname = "/lib/ld-linux.so.1";
+char *_dl_progname = ELF_LDSO_IMAGE;
 static char * _dl_not_lazy = 0;
 static char * _dl_warn = 0; /* Used by ldd */
 static char * _dl_trace_loaded_objects = 0;
@@ -171,6 +173,45 @@
 #endif
 
 /*
+ *	Stop argv0 overflowing vsprintf, but also try to stop false positives
+ *	We obey the following rule
+ *
+ *	If namesize < 256  keep
+ *	If name from last / < 256 use that
+ *	else use ELF_LDSO_IMAGE
+ *
+ *	This ensures /very/long/stupid/nfs/path/we/often/get/foobarcmd
+ *	comes out at least as.  
+ *
+ *	foobarcmd: someerror
+ *
+ *	Even if we fix vsprintf to be vsnprintf (which we should), this
+ *	ought to be kept to help make real size limited errors clearer.
+ */
+ 
+static char *argv_remap(char *ptr)
+{
+	char *tmp;
+	if(strlen(ptr)<256)
+		return ptr;
+	if(!*ptr)
+		return ptr;
+	tmp=ptr+strlen(ptr)-1;
+	/*
+	 *	Walk back down the chain until we find a slash
+	 */
+	while(tmp>=ptr && *tmp!='/')
+		tmp--;
+	/*
+	 *	No slash, or too long after slash and Im not playing so nyah
+	 */
+	if(*tmp!='/')
+		return ELF_LDSO_IMAGE;
+	if(strlen(tmp)>256)	/* Not off by 1 .. strlen includes the / */
+		return ELF_LDSO_IMAGE;
+	return tmp+1;
+}
+/*
  * This stub function is used by some debuggers.  The idea is that they
  * can set an internal breakpoint on it, so that we are notified when the
  * address mapping is changed in some way.
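Review bot: The walk-back loop `while(tmp>=ptr && *tmp!='/') tmp--;` leaves tmp at ptr-1 when the name contains no slash, and the next test `if(*tmp!='/')` then reads one byte before the start of argv[0], which is undefined behaviour and is reachable for any slash-free name of 256 bytes or more. Check the pointer before dereferencing it: `if(tmp<ptr || *tmp!='/') return ELF_LDSO_IMAGE;`. The `if(!*ptr) return ptr;` test is unreachable, since an empty string already satisfies `strlen(ptr)<256` on the line above, and can be dropped. The same loop and missing guard are in the ld-so/ld.so.c copy of argv_remap in the later hunk.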
@@ -507,7 +548,7 @@
   }
 
   if (argv[0])
-    _dl_progname = argv[0];
+    _dl_progname = argv_remap(argv[0]);
 
   /* Now we need to figure out what kind of options are selected.
    Note that for SUID programs we ignore the settings in LD_LIBRARY_PATH */
--- ld-so/ld.so.c
+++ ld-so/ld.so.c	1997/07/17 12:43:08
@@ -149,6 +149,46 @@
 }
 #endif
 
+/*
+ *	Stop argv0 overflowing vsprintf, but also try to stop false positives
+ *	We obey the following rule
+ *
+ *	If namesize < 256  keep
+ *	If name from last / < 256 use that
+ *	else use LDSO_NAME
+ *
+ *	This ensures /very/long/stupid/nfs/path/we/often/get/foobarcmd
+ *	comes out at least as.  
+ *
+ *	foobarcmd: someerror
+ *
+ *	Even if we fix vsprintf to be vsnprintf (which we should), this
+ *	ought to be kept to help make real size limited errors clearer.
+ */
+ 
+static char *argv_remap(char *ptr)
+{
+	char *tmp;
+	if(strlen(ptr)<256)
+		return ptr;
+	if(!*ptr)
+		return ptr;
+	tmp=ptr+strlen(ptr)-1;
+	/*
+	 *	Walk back down the chain until we find a slash
+	 */
+	while(tmp>=ptr && *tmp!='/')
+		tmp--;
+	/*
+	 *	No slash, or too long after slash and Im not playing so nyah
+	 */
+	if(*tmp!='/')
+		return LDSO_IMAGE;
+	if(strlen(tmp)>256)	/* Not off by 1 .. strlen includes the / */
+		return LDSO_IMAGE;
+	return tmp+1;
+}
+
 void
 shared_loader(int func, ...)
 {
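Review bot: The header comment says `else use LDSO_NAME`, but the function returns `LDSO_IMAGE`, the macro the file already uses for the fallback `argv0 = LDSO_IMAGE;` in a later hunk; the comment should read `else use LDSO_IMAGE` so the stated rule matches the code. The boot1.c copy of this function names ELF_LDSO_IMAGE consistently in both the comment and the code, so only this copy needs the fix.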
@@ -205,12 +245,14 @@
 	save_mapinfo(mapinfo);
 #endif
 	argv0 = va_arg(ap, char *);
+	argv0 = argv_remap(argv0);
 	__environ = va_arg(ap, char **);
 	__SHARED_LIBRARIES__ = va_arg(ap, struct libentry **);
 	_SHARABLE_CONFLICTS__ = va_arg(ap, struct fixuplist *);
 	if (func == FUNC_LINK_AND_CALLBACK)
 	  callback = va_arg(ap, callbackptr);
 	va_end(ap);
+	
 	break;
     default:
 	/* you want me to do what? */
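Review bot: `argv0 = argv_remap(argv0);` is applied to the va_arg value without a NULL check, and argv_remap begins with `strlen(ptr)`; the existing `if (!argv0 && !(argv0 = getenv(LDD_ARGV0)))` test in the next hunk suggests a NULL argv0 is an accepted input on this path, in which case this line dereferences NULL. Either guard it, `if (argv0) argv0 = argv_remap(argv0);`, or drop this call and rely on the unconditional remap the next hunk adds after the NULL handling. The added whitespace-only line before `break;` should also be removed. shared_loader's body continues outside the hunk.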
@@ -226,7 +268,8 @@
     /* find out who we are, in case somebody wants to know */
     if (!argv0 && !(argv0 = getenv(LDD_ARGV0)))
 	argv0 = LDSO_IMAGE;
-
+    argv0=argv_remap(argv0);
+    
     /* hmm, you want your own configuration, do you? */
     if (getuid() == geteuid() && getgid() == getegid())
     {
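Review bot: `argv0=argv_remap(argv0);` omits the spaces around `=` that the surrounding lines use (`argv0 = LDSO_IMAGE;`), and the line after it is whitespace only rather than blank; write it as `argv0 = argv_remap(argv0);` and keep the following line empty. The enclosing function starts and ends outside the hunk.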
@@ -322,6 +367,11 @@
 		.text section. This is passed to ldpreload() below */
 	    if (preload || callback)
 	    {
+	    	if(nlibs==11)
+	    	{
+	    		fdprintf(2, "%s: too many preloads\n",argv0);
+	    		exit(EXIT_FATAL);
+	    	}
 	        libs[nlibs] = alloca(strlen(buffer)+1);
 	        strcpy(libs[nlibs], buffer);
 	        nlibs++;
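Review bot: `if(nlibs==11)` hard-codes the capacity of `libs` as a magic number and tests with `==`, so the check stops protecting the array if it is ever resized or nlibs reaches the bound by another path; compare against the real size with `>=`, e.g. `if (nlibs >= sizeof libs / sizeof libs[0])` if `libs` is a true array (its declaration is outside the hunk), or a named constant shared with the declaration otherwise. The new lines are also indented with mixed tabs and spaces, unlike the space-indented lines around them. The enclosing function starts and ends outside the hunk.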

