Hi,
I've spent half the night staring at the devilish my_getpwuid and my_getgrgid functions
trying to find a way to avoid actual and future potential buffer overflow problems
without breaking existing code.
Finally I've found a non-intrusive way to do this that surely doesn't break existing code
and fixes a couple of problems too.
The attached patch:
1) changes the behaviour of my_getpwuid and my_getgrgid to avoid potential buffer overflows
2) fixes all occurrences of these function calls in tar.c, id.c, ls.c, whoami.c, logger.c, libbb.h.
3) The behaviour of tar, ls and logger is unchanged.
4) The behavior of ps with somewhat longer usernames messing up output is fixed.
5) The only bigger change was increasing the size of the buffers in id.c to avoid
false negatives (unknown user: xxxxxx) with usernames longer than 8 chars.
The value I used (32 chars) was taken from the tar header (see gname and uname).
Maybe these buffers can be reduced a bit (to 16 or whatever); this is up to you.
6) The increase in size of the binary is not so dramatic:
size busybox
text data bss dec hex filename
239568 2300 36816 278684 4409c busybox
size busybox_fixed
text data bss dec hex filename
239616 2300 36816 278732 440cc busybox
7) The behaviour of whoami changed:
actually it prints out a username cut down to the size of the buffer.
This could be fixed by increasing the size of the buffer as in id.c or
by avoiding the use of my_getpwuid and using getpwuid directly instead.
Maybe this could also remain unchanged...
Please apply if you think it is ok to do so.
The diff applies on today's cvs tarball (2004-08-25).
Thanks in advance,
Ciao,
Tito
Unfortunately I've not followed the last two or three weeks' commits (new
semester started and so now I rarely have time to fix my personal bridge)
but tonight I synched my tree and immediately noticed a rather nasty bug!
[Using libbb/interface.c:1.24]
# grep eth0 /proc/net/dev | xargs
eth0:311708397 237346 1670 0 1789 1670 0 0 22580308 120297 0 0 0 102 0 0
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:20:AF:7C:EA:B7
inet addr:10.0.0.1 Bcast:10.0.0.127 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:5 Base address:0x320
All values `ifconfig' is showing are `zeroed' -- I quickly looked at the
last commits I missed and noticed that there was a commit relating to
ifconfig, libbb/interface.c:1.23->1.24 (PatchSet 4338).
I've reversed the patch and now everything is working again. I compared
get_name's return values from 1.23 and 1.24 and quickly noticed
that the new revision is leaving `p' right on the sep while rev 1.23
was leaving it right at the start of the values...
1-line, 1/3-minute patch attached :-)
with a quick conversion you will see that 132608 == 0x20600,
so I noticed that the elif will never be matched!
Apparently there was already a try to modify this in CVS which
was reverted (it was plain wrong).
I don't know when __kernel_old_dev_t is needed, but with a 2.6.7
or a 2.6.8 it is __kernel_dev_t which is needed.
I corrected this with the following patch, but maybe older 2.6
still need __kernel_old_dev_t?
I think this should be corrected before 1.0.
Thanks
Aurel
Hi to all,
This patch is useful for:
1) removes an unused var from extern char *find_real_root_device_name(const char* name)
changing it to extern char *find_real_root_device_name(void).
2) fixes include/libbb.h, coreutils/df.c, util-linux/mount.c and util-linux/umount.c accordingly.
3) fixes a bug, really a false positive, in find_real_root_device_name() that happens if
a link named root (/dev/root) exists in the /dev directory; it should be skipped but
is not. This affects applets like df, which display wrong results.
On Sat, Jun 19, 2004 at 10:57:37PM +0200, Bastian Blank wrote:
> The following patch changes klogd to use openlog/syslog itself
> instead of calling syslog_msg which always calls the triple
> openlog/syslog/closelog.
Updated patch: get rid of syslog_msg entirely. Request from Erik Andersen.
Bastian
The linux kernel doesn't allow hard links to directories; SUS says it's
implementation specific.
cramfs gives empty directories and 0-length files the same node, which
makes it difficult to distinguish them from hard links.
This is a bulk spelling fix patch against busybox-1.00-pre10.
If anyone gets a corrupted copy (and cares), let me know and
I will make alternate arrangements.
Erik - please apply.
Authors - please check that I didn't corrupt any meaning.
Package importers - see if any of these changes should be
passed to the upstream authors.
I glossed over lots of sloppy capitalizations, missing apostrophes,
mixed American/British spellings, and German-style compound words.
What is "pretect redefined for test" in cmdedit.c?
Good luck on the 1.00 release!
- Larry
Hi.
The last changes (rev 1.12) to recursive_actions() by Christian Grigis
have a problem.
Test to demonstrate:
$ mkdir aaa bbb ccc
$ su
# chown root bbb
# chmod 700 bbb
# exit
$ busybox chmod 777 -R .
./bbb: Permision denied
But the mode of "./ccc" is not changed. The previous variant works fine:
errors are skipped and the recursion continues.
--w
vodz
Hello everyone,
Busybox's insmod fails to locate a module when that module is the only one
existing in the /lib/modules directory (with a unique name).
Example:
# find /lib/modules/ -type f
/lib/modules/kernel/drivers/char/bios.o
# insmod bios
insmod: bios.o: no module by that name found
# touch /lib/modules/dummy
# find /lib/modules/ -type f
/lib/modules/kernel/drivers/char/bios.o
/lib/modules/dummy
# insmod bios
Using /lib/modules/kernel/drivers/char/bios.o
As long as there is another file in the /lib/modules directory, insmod
finds it OK.
I tracked the problem down to 'check_module_name_match()' in insmod.c:
It returns TRUE when a match is found, and FALSE otherwise. In the case
where there is only one module in the /lib/modules directory (or more than
one module, but all with the same name), 'recursive_action()' will return
TRUE and we end up on line 4196 in 'insmod.c' which returns an error.
[The reason it works with more than one module with different
names is that in this case there will always be one not matching,
'recursive_action()' will return FALSE and we end up in line 4189.]
Now, from the implementation of 'recursive_action()' and from other
usages of it (tar.c, etc.), it seems to me that FALSE should be returned
to indicate that we want to stop the recursion, so TRUE and FALSE should
be inverted in 'check_module_name_match()'.
At the same time, 'recursive_action()' continues to recurse even after
the recursive call has returned FALSE; again in my understanding and
other usages of it, we can safely stop recursing at this point.
Here is my patch against 1.00-pre8:
I've noticed a bug in the "autowidth" feature in more, and it is probably in
others. The call to the function get_terminal_width_height() passes
in a file descriptor but that file descriptor is never used, instead
the ioctl() is called with 0. In more_main() the call to
get_terminal_width_height() passes 0 as the file descriptor instead of
fileno(cin). This isn't a problem when you more a file (e.g. "more
/etc/passwd") but when you pipe a file to it (e.g. "cat /etc/passwd |
more") the size of the terminal cannot be determined because file
descriptor 0 is not a terminal. The fix is simple, I've attached a
patch for more.c and get_terminal_width_height.c.
BAPper
The off_t type is not a consistent size; it depends on the kernel options
(something about large file support). Therefore, the format string for
printing an address is not always the same.
a directory into itself. It is harder to do this correctly
than it appears. Not trying at all seems a better compromise
for the time being, until we can implement this correctly.
As Manuel points out, this is a flawed fix, and doesn't fix the
following:
mkdir -p cpa cpb cpc
cp -a cpa cpa/cpb/cpc
Attached what appears to be a more sane fix. Apply on top of previous.
Please confirm sanity.
I was adding -s/--symbolic-link support to busybox cp when I noticed a
bug with -r/-a. Test case:
mkdir -p test/out
cd test
busybox cp -a * out/
Will never return until we run out of open files or similar.
Coreutils cp on the other hand will error with "cannot copy a directory,
`out', into itself, `out'". Patch attached.
with 2.6.x asm/posix_types.h, which has done singularly evil thing
by yanking __kernel_dev_t and renaming it. The loop interface was
really poorly designed in the first place. The new 64 bit loop
interface looks to be somewhat less horrible, too bad it is only
present in 2.6.x kernels.
-Erik
out during the allocation process. When vodz changed it to be allocated on the
stack, he forgot to explicitly zero it, leaving its value filled with whatever
used to be sitting on the stack. It would have garbage values, depending on the
garbage that happened to be sitting on the stack when the function was called.
The result was that applets using bb_getopt_ulflags() were showing
unpredictable behavior (such as segfaults), which naturally broke many things.
device ID iff the named file is a character or block special device. Otherwise
it is meaningless junk, in which case st_dev should be used. This was done
incorrectly, which could cause mount to display bogus mount info.
-Erik
cp does not truncate existing destinations. That is, after
running
echo foo > foo
echo fubar > fubar
cp foo fubar
the contents of fubar are
foo
r
instead of
foo
function as there is no graceful way of handling failures.
Rename bb_getport to bb_lookup_port, allow a default port to be
specified so it always returns a correct value.
Modify ftpgetput/rdate/wget to use the new interface.
wget/rdate now use etc/services with a fallback default value.
archive_xread can be replaced with bb_full_read, and archive_copy_file
with bb_copyfd*
bb_copyfd is split into two functions bb_copyfd_size and bb_copyfd_eof,
they share a common backend.
in order to fix the problems with round robin DNS reported
by Andrew Flegg:
http://busybox.net/lists/busybox/2003-October/009579.html
This removes the ipv6 specific xconnect dns lookups. I do
not see why that would need to be special cased for ipv6 as
was done, but that will just have to be tested.
So IPV6 people -- please test this change!
-Erik
In BusyBox v1.00-pre2,
commands like ls, df with -h option report a wrong file size for files larger than 4 GByte!!
For example,
when I execute 'ls -l', it reports
-rw-r--r-- 1 root root 5368709120 Aug 17 2003 large_stream.tp
when I execute 'ls -lh', I expect that
-rw-r--r-- 1 root root 5.0G Aug 17 2003 large_stream.tp
but it reports
-rw-r--r-- 1 root root 1.0G Aug 17 2003 large_stream.tp
I fixed this bug like this:
Line 31 in libbb/human_readable.c and line 275 include/libbb.h
const char *make_human_readable_str(unsigned long size
=> const char *make_human_readable_str(unsigned long long size
It's OK!
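Added example (not BusyBox's make_human_readable_str): a small "ls -lh" style formatter taking unsigned long long, beside a variant that narrows its argument to 32 bits the way the old unsigned long prototype did on a 32-bit build, which reproduces the 1.0G instead of 5.0G output quoted above; human_readable, human_readable_32bit and renders_as are names I chose.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format a byte count in 1024-based units with one decimal, "ls -lh" style.
 * The parameter is unsigned long long on purpose: with unsigned long on a
 * 32-bit build, sizes above 4 GiB are silently reduced modulo 2^32. */
const char *human_readable(unsigned long long size, char *buf, size_t buflen)
{
    static const char units[] = "\0KMGTPE";   /* index 0 = no suffix */
    unsigned idx = 0, frac = 0;
    unsigned long long whole = size;
    while (whole >= 1024 && units[idx + 1] != '\0') {
        frac = (unsigned)((whole % 1024) * 10 / 1024);   /* one decimal digit */
        whole /= 1024;
        idx++;
    }
    if (idx == 0)
        snprintf(buf, buflen, "%llu", whole);
    else
        snprintf(buf, buflen, "%llu.%u%c", whole, frac, units[idx]);
    return buf;
}

/* Models the old 32-bit prototype: the 64-bit size is narrowed before use,
 * so 5368709120 (5 GiB) arrives as 1073741824 (1 GiB). */
const char *human_readable_32bit(unsigned long long size, char *buf, size_t buflen)
{
    uint32_t narrowed = (uint32_t)size;
    return human_readable(narrowed, buf, buflen);
}

/* Test helper: 1 if the chosen variant renders size exactly as want. */
int renders_as(unsigned long long size, int narrowed, const char *want)
{
    char buf[32];
    const char *got = narrowed ? human_readable_32bit(size, buf, sizeof buf)
                               : human_readable(size, buf, sizeof buf);
    return strcmp(got, want) == 0;
}
```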
I've reported this bug in April and it still
exists in 1.00-pre2. So I made patches for
both 0.60.x and 1.00-pre2. The patch is very
simple, just use strncmp instead of strcmp.
Please apply if it is OK.
Here's the procedure to test this problem:
Create an executable with a very long name, say
'test_1234567890123456' and execute it. Try
using 'killall' or 'pidof' to find/kill this
program. Without this patch, you can't find
the program.
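Added example, not the posted patch: a comm matcher for killall/pidof that only prefix-compares when the /proc comm name is at the kernel's truncation length (TASK_COMM_LEN is 16, so 15 visible chars), which goes beyond the plain strncmp fix by keeping "test" from matching "test_1234567890123456"; comm_matches, comm_from_stat and stat_matches are names I chose and the stat lines are constructed.

```c
#include <string.h>

#define TASK_COMM_LEN 16  /* kernel comm buffer; /proc shows at most 15 chars */

/* Compare the comm name read from /proc with the name the user asked for.
 * strcmp() fails for "test_1234567890123456" because /proc only ever shows
 * "test_1234567890"; an unconditional strncmp() over strlen(comm) would let
 * "test" match "test_anything", so the prefix compare is used only when comm
 * is exactly at its truncation length. */
int comm_matches(const char *comm, const char *wanted)
{
    if (strlen(comm) < TASK_COMM_LEN - 1)
        return strcmp(comm, wanted) == 0;            /* not truncated: exact */
    return strncmp(comm, wanted, TASK_COMM_LEN - 1) == 0;
}

/* Pull comm out of a /proc/PID/stat style line "pid (comm) state ...".
 * The last ')' is used because comm itself may contain parentheses. */
int comm_from_stat(const char *stat_line, char comm[TASK_COMM_LEN])
{
    const char *lparen = strchr(stat_line, '(');
    const char *rparen = lparen ? strrchr(lparen, ')') : NULL;
    if (lparen == NULL || rparen == NULL)
        return 0;
    size_t len = (size_t)(rparen - lparen - 1);
    if (len >= TASK_COMM_LEN)
        return 0;                                   /* malformed line */
    memcpy(comm, lparen + 1, len);
    comm[len] = '\0';
    return 1;
}

/* Would killall/pidof <wanted> find the process described by stat_line? */
int stat_matches(const char *stat_line, const char *wanted)
{
    char comm[TASK_COMM_LEN];
    return comm_from_stat(stat_line, comm) && comm_matches(comm, wanted);
}
```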
This spot has an algorithmic problem, not an overflow:
strcat(wrapped, wrapped) may loop.
Hand patch:
- else if (strstr(strcat(wrapped, wrapped), newmono))
+ else {
+ safe_strncpy(wrapped + lenwrap, wrapped, lenwrap + 1);
+ if (strstr(wrapped, newmono))
+}
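Review bot: the replacement copy safe_strncpy(wrapped + lenwrap, wrapped, lenwrap + 1) reads and writes the same buffer, and nothing in the hunk states that wrapped has room for 2 * lenwrap + 1 bytes; the source range [0, lenwrap) and the destination range [lenwrap, 2 * lenwrap] happen not to overlap, so memcpy(wrapped + lenwrap, wrapped, lenwrap); wrapped[2 * lenwrap] = '\0'; says exactly what is intended, with a comment giving the buffer-size precondition. The added if (strstr(wrapped, newmono)) has no body in the hunk, so the statement that followed the old else if must still be the one it guards; braces around it would make that explicit.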
--w
vodz
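Added example, not the applet's code: a bounded in-place doubling that does what the hand patch above intends without strcat(wrapped, wrapped), plus a ring-search helper that assumes the doubled string is used to find rotations with strstr (my reading of the wrapped/newmono check); double_in_place, ring_contains and doubles_to are names I chose.

```c
#include <string.h>

/* strcat(s, s) cannot terminate: strcat reads s until its NUL, but the first
 * byte it appends lands exactly on that NUL, so the read loop never ends and
 * runs off the buffer.  Doubling needs the length computed up front and an
 * explicit byte count; here the copy is refused unless 2*len+1 bytes fit. */
int double_in_place(char *buf, size_t bufsize)
{
    size_t len = strlen(buf);
    if (bufsize == 0 || len > (bufsize - 1) / 2)
        return 0;                                   /* would overflow */
    memcpy(buf + len, buf, len);  /* src [0,len) and dst [len,2len) do not overlap */
    buf[2 * len] = '\0';
    return 1;
}

/* Is needle a substring of haystack read as a ring (wrapping around)?
 * Doubling the text turns every rotation into a plain strstr().
 * Returns 1 found, 0 not found, -1 if haystack is too long for scratch. */
int ring_contains(const char *haystack, const char *needle)
{
    char scratch[64];                      /* constructed scratch size */
    size_t len = strlen(haystack);
    if (len > (sizeof scratch - 1) / 2)
        return -1;
    if (strlen(needle) > len)
        return 0;                          /* longer than the ring itself */
    memcpy(scratch, haystack, len + 1);
    double_in_place(scratch, sizeof scratch);
    return strstr(scratch, needle) != NULL;
}

/* Test helper: copy s into a buffer of bufsize bytes (at most 64), double it
 * in place and compare with want; 1 on match, 0 if doubling was refused. */
int doubles_to(const char *s, size_t bufsize, const char *want)
{
    char buf[64];
    if (bufsize > sizeof buf || strlen(s) >= bufsize)
        return 0;
    memcpy(buf, s, strlen(s) + 1);
    return double_in_place(buf, bufsize) && strcmp(buf, want) == 0;
}
```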
this patch fixes run_parts when it's called by ifupdown. 1) argv has to be a
NULL terminated char* array, not just a string. 2) run_parts now explicitly
sets the environment. this environment is populated from the
/etc/network/interfaces config file and is needed by the scripts in
/etc/network/if-pre-up.d/. when run-parts is called from the command line the
environment is taken from the current process.
Vladimir Oleynik then wrote:
You can simplify this if you use:
+ bb_xasprintf(&buf[0], "/etc/network/if-%s.d", opt);
+ buf[1] = NULL;
+
+ run_parts(&buf, 2, environ);
+ free(buf[0]);
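Review bot: run_parts(&buf, 2, environ) passes the address of the array, which has type char *(*)[2] when buf is declared as char *buf[2] as the &buf[0] and buf[1] lines suggest; the NULL-terminated char* array the original message asks for is buf itself (decaying to char **), so pass buf. Also confirm whether the count argument 2 is meant to include the NULL terminator stored in buf[1].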
--w
vodz
Hi.
The last patch has a new libbb function,
vfork_rexec(), so that daemon() can be used on uClinux systems.
This patches the daemons: syslog, klogd, inetd, crond.
This is not tested! I don't have these systems.
Also, the previous patch for the feature request of MD5 crypt passwords for
httpd was not sent to this mailing list on 07/15/03
(does the mailing list have a Python module problem?).
The previous patch is included, and has been tested.
--w
vodz
I've found a possible bug in libbb/interface.c, in function
if_readlist_proc(). This function calls get_name(), and passes
as an argument 'name', a buffer of 16 bytes (IFNAMSIZ). The
function get_name(), however, may use more than 16 bytes,
when it is searching for aliases. Even if you don't have an
alias interface, you can run into trouble if the interface
has received more than 99999999 bytes, in which case the
space between the interface name and the rx stats
disappears, as in the /proc/net/dev example below:
wan0.200:264573315 462080 ...
In this case get_name() correctly identifies the interface name
as "wan0.200", but to do that it uses 18 bytes of the 'name'
buffer, which could lead to an unpredictable error.
A simple solution would be to increase the size of the buffer:
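As an added example (not the page's patch or BusyBox's interface.c), a bounded get_name-style parser for /proc/net/dev lines: it copies the name into an IFNAMSIZ (16-byte) buffer, refuses names that do not fit, and returns a pointer at the start of the values rather than on the separator, so it covers both the 18-byte overrun described here and the 1.23/1.24 `p' placement bug reported earlier in this thread; safe_get_name, parse_rx_bytes and line_matches are names I chose, and the sample lines in the test are constructed after the ones quoted above.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ 16  /* kernel interface name buffer size, NUL included */

/* Copy the interface name from one /proc/net/dev line into name[IFNAMSIZ].
 * Returns a pointer to the first statistics field (RX bytes), never to the
 * separator itself, or NULL when the name would not fit the buffer.  Handles
 * alias names ("eth0:1") and the case where RX bytes exceed 99999999 so that
 * the space after the colon disappears. */
const char *safe_get_name(char name[IFNAMSIZ], const char *line)
{
    while (*line == ' ') line++;                 /* left padding */
    const char *end = strchr(line, ':');
    if (end == NULL) return NULL;                /* header line, no name */
    /* alias: digits right after the colon followed by a second colon */
    const char *p = end + 1;
    while (isdigit((unsigned char)*p)) p++;
    if (p != end + 1 && *p == ':') end = p;
    size_t len = (size_t)(end - line);
    if (len == 0 || len >= IFNAMSIZ) return NULL; /* bounded: never overflows name */
    memcpy(name, line, len);
    name[len] = '\0';
    p = end + 1;
    while (*p == ' ') p++;                       /* zero or more spaces */
    return p;
}

/* Parse the RX byte counter that follows the name; 1 on success, 0 on error. */
int parse_rx_bytes(const char *line, char name[IFNAMSIZ], unsigned long long *rx)
{
    const char *stats = safe_get_name(name, line);
    if (stats == NULL) return 0;
    char *endp;
    *rx = strtoull(stats, &endp, 10);
    return endp != stats;
}

/* Test helper: does the line yield the expected name and RX counter? */
int line_matches(const char *line, const char *want_name, unsigned long long want_rx)
{
    char name[IFNAMSIZ];
    unsigned long long rx;
    return parse_rx_bytes(line, name, &rx) && strcmp(name, want_name) == 0 && rx == want_rx;
}
```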
Hello, I think the test for an unconfigured httpd is wrong in
the CVS (busybox-unstable-20030620.tar.bz2)
flg_deny_all is default 0
vodz then wrote:
Oops. You are right.
Also, this mistake was in two places.
The last patch was rewritten to use my new get_ularg() function, to overcompensate for the size
from this error found ;-)
Manuel,
I rewrote the bb_getopt_ulflags() function for more universal usage.
My version now supports:
- options with arguments (optional arg as GNU extension also)
- complementary and/or incomplementary and/or incongruous and/or list
options
- long_opt (all applets may have long options; adding support is trivial)
This implementation is fully compatible with your version.
Code size grows by 480 bytes, but coreutils/* alone overcompensates for this size
after using the new function. The last patch reduced over 800 bytes and is not fully
applied to all. The "mkdir" and "mv" applets now have long_opt to demonstrate the
trivial addition of long_opt support using the new bb_getopt_ulflags().
The complementary and/or incomplementary and/or incongruous and/or list options
logic is not trivial, but the new "cut" and "grep" applets use this logic
as examples with full demonstration. The new "grep" applet is reduced by over 300
bytes.
Mark,
Also, I removed a bug from the "grep" applet.
$ echo a b | busybox grep -e a b
a b
a b
But the right output is printing only one.
--w
vodz
New complex patch to decrease the size of the devel version. Requires the previous patch.
Also removed small problems from the dutmp and tar applets.
Also includes vodz' last_patch61_2:
The last patch corrects the comment for #endif and is more integrated
with libbb (greatly reduces size if the "cat" applet is also used).
Requires last_patch61 for modutils/config.in.
Hi, Erik.
my_getpw(uid/gid) and the applets that use it have a problem:
if the username for a uid is not found, applets can't detect it
(but the code is present). Also the "%8ld " format is bad:
spaces are not required (applets have their own format
or a specified format (tar applet), and it overflows for the "id" applet...)
This problem is also present in the stable version.
Patch for unstable attached.
--w
vodz
- Applied Joel Coltoff's xconnect patch:
On both my host system and with mipsel-linux for my embedded systems
the function getservbyname() gives the port number already in host order.
In fact, this is how it was used by rdate in version 0.60.3. The snapshot
I have of the development tree from July 12, 2002 takes the port number
and stuffs it into htons() before it uses it. This causes bugs in rdate,
telnet and wget. This patch fixes that.
#49: I found one memory overflow and memory leak in the "ln" applet.
The last patch also reduced 54 bytes. ;)
#50: I found a bug in loginutils/Makefile.in.
The new patch also has a new function in libbb and
applies it to applets, plus other cosmetic changes.
xconnect helper routine which does:
-address and port resolving
-tries to connect to all resolved addresses until connected
-uses getaddrinfo, so works for IPv6 too
This patch also ports rdate, telnet, and wget to use the new
xconnect function. Thanks Bart!
IPV6 support to busybox. This patch does the following:
* Add IPv6 support to libbb
* Enable IPv6 interface address display
* Add IPv6 config option
* Adds ping6, an adaptation of the ping applet for IPv6
* Adds support routines for ping6:
- xgethostbyname2
- create_icmp6_socket
* Adds ifconfig support for IPv6
* Add IPv6 support to netstat
* Add IPv6 support to route
Thanks Bart!
When DEBUG is defined
1. need to include resolv.h (for _resinit())
2. remove _() call around string. It appears to be a remnant of i18n or some such notion
the busybox development tree. This eliminates the use of recursive make, and
once again allows us to run 'make' in a subdirectory with the expected result.
And things are now much faster too. Greatly improved IMHO...
-Erik