strace bug report
Dmitry V. Levin
ldv at altlinux.org
Sat Feb 28 15:10:32 UTC 2015
Hi,
On Sat, Feb 28, 2015 at 01:18:40PM +0900, Cheolung Lee wrote:
> I am thankful for strace.
> Yesterday I found a bug in strace; I guess this is a stack buffer
> overflow.
>
> So I am reporting it. Thank you.
>
> Tested Version : strace-4.9, strace-4.8
> Environment : Ubuntu 14.04.1 LTS x86_64
> Details:
>
> Stack buffer overflow in startup_child() in strace.c
>
> The input length check can be bypassed using a long string that contains
> no '/', and the strcpy() in the PATH concatenation code then overwrites
> stack data.
>
> -------------- TEST PAYLOAD
>
> abc at ubuntu:~/strace-4.9$ ./strace `perl -e 'print "a"x5042'`
> Segmentation fault
Thanks. BTW, there was another way to overflow this pathname buffer.
Both are fixed by commit v4.9-356-g1dbd39e.
--
ldv