5894082 2000-12-26 13:56 -0500  /63 lines/ Matt Power <mhpower@BOS.BINDVIEW.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-27  21:49  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mhpower@BOS.BINDVIEW.COM
Recipient: Bugtraq (import) <14524>
Subject: buffer overflow in libsecure (NSA Security-enhanced Linux)
------------------------------------------------------------
From: Matt Power <mhpower@BOS.BINDVIEW.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200012261856.NAA14791@theta.bos.bindview.com>

Recently the U.S. National Security Agency released a distribution
called Security-enhanced Linux (see http://www.nsa.gov/selinux/).
This includes a modified version of the kernel and some utilities that
provide a new mandatory access control architecture for Linux.

The most recent version that appears to be available is dated last
week, slinux-200012181053-release.tgz. In this distribution, the
find_default_type function in libsecure/get_default_type.c attempts to
extract a type field from the file /etc/security/default_type and copy
it to a result buffer (specifically, to the argument "char **type").
Memory for this result buffer is allocated using malloc, but the
argument to malloc is always one character too small.

For example, the role argument might typically be "sysadm_r" and the
len argument would then be 8. With the initial installation, the first
value of buf would be "sysadm_r:sysadm_t\n". There are no leading
spaces, so i is 0. In the statement

        (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));

the argument to malloc is 18 - 0 - 8 - 1, which is 9. Then,

        strcpy ((*type), &buf[i]+len+1);

attempts to copy the 10 characters "sysadm_t\n\0" into the 9-character
buffer.

This patch should address the issue:

*** get_default_type.c.old	Thu Nov 30 11:32:58 2000
--- get_default_type.c	Tue Dec 26 00:19:04 2000
***************
*** 72,74 ****
          /* malloc space for the type */
!         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
          if ((*type) == NULL)
--- 72,74 ----
          /* malloc space for the type */
!         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len));
          if ((*type) == NULL)
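Review bot: the new size is exact, but the expression still has no guard for the case strlen(buf) < i+len, where the unsigned subtraction wraps to a huge value and malloc either fails or hands back an oversized block; the hunk does not show whether the caller has already confirmed that buf[i] starts with the role followed by ':', so a length check just before the malloc would make the arithmetic safe on its own. For the record, strlen(buf)-i-len equals strlen(&buf[i+len]), which is one more than strlen(&buf[i]+len+1), i.e. the copied text plus its terminating NUL, so the allocation now matches what strcpy writes. Minor: sizeof(char) is 1 by definition and the cast on malloc is unnecessary in C.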

This patch was sent to the mailing list that the NSA set up for
comments and contributions related to their distribution. We've
received a response and expect that this patch will be incorporated
into a later release. People who follow the above description of the
bug in the slinux-200012181053-release distribution may wish to
incorporate this patch into their own copy of the code. Please note
that our bug report does not describe a direct way to copy untrusted
user input to memory locations beyond the end of a buffer. The main
risk we know of is that, for some lengths of type fields in the
/etc/security/default_type file, a memory location may be modified
that either contains application data (in another malloced buffer), or
contains overhead data that a malloc implementation was relying on.

Matt Power
BindView Corporation, RAZOR Team
mhpower@bos.bindview.com
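As an added illustration (my code, not libsecure's), the allocation arithmetic described above reproduced in C: it compares the bytes strcpy writes for the type field with the shipped and patched malloc arguments, with and without a trailing newline, and shows an extraction that allocates exactly what it copies. The names role_offset, bytes_written, bytes_allocated and extract_type are mine, and the "role:" matching is assumed to mirror how i and len are used in the original.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Offset i of `role` in `line` after skipping leading whitespace, as the
 * original loop computes it; -1 when the line does not read "role:...". */
static long role_offset(const char *line, const char *role)
{
    size_t i = 0, len = strlen(role);
    while (isspace((unsigned char)line[i]))
        i++;
    if (strncmp(&line[i], role, len) != 0 || line[i + len] != ':')
        return -1;
    return (long)i;
}

/* Bytes strcpy writes for the type field: text after "role:" plus its NUL. */
size_t bytes_written(const char *line, const char *role)
{
    long i = role_offset(line, role);
    return i < 0 ? 0 : strlen(&line[i] + strlen(role) + 1) + 1;
}

/* The malloc argument: shipped form strlen(buf)-i-len-1 when patched is 0,
 * patched form strlen(buf)-i-len when patched is 1. */
size_t bytes_allocated(const char *line, const char *role, int patched)
{
    long i = role_offset(line, role);
    if (i < 0)
        return 0;
    return strlen(line) - (size_t)i - strlen(role) - (patched ? 0 : 1);
}

/* Patched extraction: allocate exactly what the copy writes, then copy.
 * Returns a malloc'ed string the caller frees, NULL if no match or OOM. */
char *extract_type(const char *line, const char *role)
{
    size_t n = bytes_written(line, role);
    char *type = n ? malloc(n) : NULL;
    if (type != NULL)
        memcpy(type, &line[role_offset(line, role)] + strlen(role) + 1, n);
    return type;
}
```

The constructed inputs "sysadm_r:sysadm_t\n" and "sysadm_r:sysadm_t" give 10 and 9 bytes written, while the shipped formula allocates 9 and 8: one byte short either way.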
(5894082) --------------------------------(Rewrapped)
Comment in text 5896884 by Perry Harrington <pedward@WEBCOM.COM>
5896884 2000-12-27 15:35 -0800  /41 lines/ Perry Harrington <pedward@WEBCOM.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-29  00:15  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: pedward@WEBCOM.COM
Recipient: Bugtraq (import) <14532>
Comment on text 5894082 by Matt Power <mhpower@BOS.BINDVIEW.COM>
Subject: Re: buffer overflow in libsecure (NSA Security-enhanced Linux)
------------------------------------------------------------
From your message, it would appear that the file parser is at fault,
not truncating the newline in the value.  If the newline is removed,
like most config file parsers, then the allocation logic is correct.

--Perry

> value of buf would be "sysadm_r:sysadm_t\n". There are no leading
> 
>         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
> 
> the argument to malloc is 18 - 0 - 8 - 1, which is 9. Then,
> 
>         strcpy ((*type), &buf[i]+len+1);
> 
> attempts to copy the 10 characters "sysadm_t\n\0" into the 9-character
> buffer.
> 
> This patch should address the issue:
> 
> *** get_default_type.c.old	Thu Nov 30 11:32:58 2000
> --- get_default_type.c	Tue Dec 26 00:19:04 2000
> ***************
> *** 72,74 ****
>           /* malloc space for the type */
> !         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len-1));
>           if ((*type) == NULL)
> --- 72,74 ----
>           /* malloc space for the type */
> !         (*type) = (char*) malloc (sizeof(char) * (strlen(buf)-i-len));
>           if ((*type) == NULL)
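Review bot: the quoted change is needed whether or not the parser strips the newline. With the newline removed, buf is "sysadm_r:sysadm_t" (17 bytes), the old expression gives 17-0-8-1 = 8 for the 9 bytes "sysadm_t\0", so it is still one short; the old formula always omits exactly the terminating NUL, and strlen(buf)-i-len gives 9 in that case and 10 with the newline, matching the copy each time.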
> 
> 
> Matt Power
> BindView Corporation, RAZOR Team
> mhpower@bos.bindview.com

-- 
Perry Harrington                 Director of                   zelur xuniL  ()
perry@webcom.com             System Architecture               Think Blue.  /\
(5896884) --------------------------------(Rewrapped)
Attachment (application/pgp-signature) in text 5896885
5896885 2000-12-27 15:35 -0800  /10 lines/ Perry Harrington <pedward@WEBCOM.COM>
Imported: 2000-12-29  00:15  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: pedward@WEBCOM.COM
Recipient: Bugtraq (import) <14533>
Attachment (text/plain) to text 5896884
Subject: Attachment to: Re: buffer overflow in libsecure (NSA Security-enhanced Linux)
------------------------------------------------------------
(5896885) ------------------------------------------