Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 14 Sep 2017 15:39:35 -0500
From: Will Dietz <w@...z.org>
To: musl@...ts.openwall.com
Subject: posix_spawnp stack overflow/corruption by child when PATH is large?

Hi,

I believe there is a bug in posix_spawn/execvpe, please take a look and confirm
or kindly let me know if I'm mistaken and accept my apologies :).

It looks like __posix_spawnx calls clone() with a 1024-byte stack buffer
(allocated from its own stack), which is insufficient to handle stack
allocations performed
in execvpe which are something around a few bytes more than NAME_MAX+PATH_MAX.

This path is taken when using posix_spawnp, and the problem exists on
1.1.16 and latest git.

For what it's worth I tracked this down from a crash in 'bison' when
invoking m4,
but I've had success reproducing it with the following demo program
and driver script:

-------------------------------------------
#include <spawn.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

int main() {

  pid_t p;
  char *argv[] = {"sh", "-c", "echo Hello", NULL};
  int s, status;
  s = posix_spawnp(&p, "sh", NULL, NULL, argv, environ);
  if (s) {
    perror("posix_spawn");
    exit(1);
  }

  s = waitpid(p, &status, 0);

  printf("pid: %d, s: %d, status: %d\n", p, s, status);

  return 0;
}
--------------

And little shell script to create a suitably large PATH (mostly to
demonstrate what I mean, not for unmodified use):
---------------
#!/bin/sh

SLASH_100_As="/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SUFFIX="/123456789012345678901234567" #1234567890" #1234567890"

VAR="/bin:$SUFFIX"
for x in `seq 10`; do
  VAR="${SLASH_100_As}:$VAR"
done

echo $VAR
echo $VAR|wc -c

# Works fine with normal PATH
~/cur/musl-spawn/test
~/cur/musl-spawn/test

# Crashes when PATH is ~1050 characters
PATH=$VAR \
~/cur/musl-spawn/test
--------------

Where "~/cur/musl-spawn/test" is the test program compiled against musl.

I cannot speak regarding any security implications, but since this may
grant some measure of stack-scribbling-powers it seems to warrant
being given brief attention in this context.

An easy fix is to bump the size of the 'char stack[1024]' in
src/process/posix_spawn.c to a suitable value-- 8096 is overkill but
does the trick, for example.

Please let me know if I'm missing something or if details are not clear.

Thanks!

~Will

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.