lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: pbieringer at aerasec.de (Dr. Peter Bieringer)
Subject: more segfaults on Redhat 6.x when passing
 "/proc/misc" as a parameter

--On Dienstag, 29. Oktober 2002 08:26 +0200 Pekka Savola
<pekkas@...core.fi> wrote:

> On Mon, 28 Oct 2002, Day Jay wrote:
>> Hi, "more" segfaults when you pass "/proc/misc" to it
>> as a parameter. This happens on my Redhat 6.0 and my
>> Redhat 6.2 box. More is setuid root. See below:
> [...]
> 
> This appears to be very bogus.  'more' is never setuid unless you made it 
> so...
> 
> I didn't manage to segfaul 'more' on RHL62 box either..

But me here as "root" and as a normal user.
Using kernel-2.2.22-6.2.2 with openwall patch and libsafe-1.3
Tested on 2 systems.

BTW: cat and less are ok.

strace:

stat("/proc/misc", {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
open("/proc/misc", O_RDONLY)            = 3
read(3, "134 apm\n135 rtc\n", 2)        = 16
read(3, "", 4294967282)                 = 0
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x24a000
_llseek(3, 0, [0], SEEK_SET)            = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

ltrace:

__xstat(3, "/proc/misc", 0xbffff9f0)              = 0
fopen("/proc/misc", "r")                          = 0x08052570
fread(0xbffff9d6, 2, 1, 0x08052570)               = 8
fseek(0x08052570, 0, 0, 0x08052570, 0xbffffc0c)   = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++


gdb/core doesn't show anything useful

Reading symbols from /lib/libdl.so.2...done.
Reading symbols from /lib/ld-linux.so.2...done.
#0  0x70612034 in ?? ()
(gdb) bt
#0  0x70612034 in ?? ()
(gdb) bt
#0  0x70612034 in ?? ()
(gdb) quit



        Peter

--
Dr. Peter Bieringer                        Phone: +49-8102-895190
AERAsec Network Services and Security GmbH   Fax: +49-8102-895199
Wagenberger Stra?e 1                      Mobile: +49-174-9015046
D-85662 Hohenbrunn                   mailto:pbieringer@...asec.de
Germany                           Internet: http://www.aerasec.de
PGP/GPG:  http://www.aerasec.de/wir/publickeys/PeterBieringer.asc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20021029/300db318/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ