[Patch] Fix buffer overflow in kill utility

Brian Dessent brian@dessent.net
Sun Feb 27 02:37:00 GMT 2005


In kill.cc there exists the possibility to overflow the "char buf[80]"
array by supplying malformed command line arguments.

An attacker could use this to overwrite the return value on the stack
and execute arbitrary code, but the amount of space available on the
stack for shellcode is approx 108 bytes so you'd have to be mighty
creative to do anything significant with it.  A far-fetched scenario
might be some kind of perl or other CGI script running under Apache that
somehow allows a user-specified signal name to reach the command line of
/bin/kill.  Emphasis on the "far-fetched" part though.

Example:

$ /bin/kill -s `perl -e 'print "A"x200'`
Segmentation fault (core dumped)

As far as I can tell from CVS history this has existed in kill.cc since
its first version (~5 years.)  Trivial patch below.

2005-02-26  Brian Dessent  <brian@dessent.net>

	* kill.cc (getsig): Use snprintf to prevent overflowing `buf'.
Index: winsup/utils/kill.cc
===================================================================
RCS file: /cvs/src/src/winsup/utils/kill.cc,v
retrieving revision 1.25
diff -u -p -r1.25 kill.cc
--- winsup/utils/kill.cc	13 Nov 2004 16:30:19 -0000	1.25
+++ winsup/utils/kill.cc	27 Feb 2005 02:29:40 -0000
@@ -87,7 +87,7 @@ getsig (const char *in_sig)
     sig = in_sig;
   else
     {
-      sprintf (buf, "SIG%s", in_sig);
+      snprintf (buf, sizeof(buf), "SIG%s", in_sig);
       sig = buf;
     }
   intsig = strtosigno (sig) ?: atoi (in_sig);
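Review bot: the snprintf change stops the write past `buf`, but truncation is now silent: any in_sig longer than 76 characters (3 bytes of "SIG" plus the terminator fill the 80-byte buffer) reaches strtosigno as a cut-down "SIG..." string, the lookup fails, and the code falls through to atoi (in_sig) without reporting that the argument was mangled. Consider checking the return value, e.g. `if (snprintf (buf, sizeof (buf), "SIG%s", in_sig) >= (int) sizeof (buf))` and erroring out on an over-long signal name. Minor style point: `sizeof(buf)` does not match the GNU spacing used by the surrounding calls (`sprintf (buf, ...)`); `sizeof (buf)` would.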
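A hardened version of the "SIG" prefixing logic, added here as an example and not part of the Cygwin patch or of kill.cc itself (the signal table, safe_getsig and try_length are constructed for illustration). It shows that snprintf bounds the write into the 80-byte buffer and that its return value exposes truncation, so an over-long argument like the 200 "A"s above is rejected rather than silently shortened:

```c
#include <stdio.h>
#include <string.h>
#include <signal.h>

/* Constructed stand-in for strtosigno(): a few names mapped to numbers. */
static const struct { const char *name; int num; } sigtab[] = {
  { "SIGHUP", SIGHUP }, { "SIGINT", SIGINT },
  { "SIGKILL", SIGKILL }, { "SIGTERM", SIGTERM },
};

static int lookup_signo (const char *name)
{
  for (size_t i = 0; i < sizeof sigtab / sizeof sigtab[0]; i++)
    if (strcmp (sigtab[i].name, name) == 0)
      return sigtab[i].num;
  return 0;
}

/* Hypothetical hardened getsig: signal number, -1 unknown, -2 too long. */
int safe_getsig (const char *in_sig)
{
  char buf[80];
  const char *sig;
  if (strncmp (in_sig, "SIG", 3) == 0)
    sig = in_sig;
  else
    {
      /* snprintf writes at most sizeof buf bytes and returns the length the
       * full string needed, so n >= sizeof buf means the input was cut. */
      int n = snprintf (buf, sizeof buf, "SIG%s", in_sig);
      if (n < 0 || (size_t) n >= sizeof buf)
        return -2;
      sig = buf;
    }
  int signo = lookup_signo (sig);
  return signo ? signo : -1;
}

/* Helper: feed safe_getsig a constructed name of `len` 'A's, like the
 * perl -e 'print "A"x200' argument from the report. */
int try_length (size_t len)
{
  char tmp[256];
  if (len >= sizeof tmp) return -3;
  memset (tmp, 'A', len);
  tmp[len] = '\0';
  return safe_getsig (tmp);
}
```

With an 80-byte buffer, 76 characters of input still fit after the "SIG" prefix, while 77 or more trigger the truncation path and are refused.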


