Hi,
I've spent the half night staring at the devilish my_getpwuid and my_getgrgid functions
trying to find out a way to avoid actual and future potential buffer overflow problems
without breaking existing code.
Finally I've found a not intrusive way to do this that surely doesn't break existing code
and fixes a couple of problems too.
The attached patch:
1) changes the behaviour of my_getpwuid and my_getgrgid to avoid potetntial buffer overflows
2) fixes all occurences of this function calls in tar.c , id.c , ls.c, whoami.c, logger.c, libbb.h.
3) The behaviour of tar, ls and logger is unchanged.
4) The behavior of ps with somewhat longer usernames messing up output is fixed.
5) The only bigger change was the increasing of size of the buffers in id.c to avoid
false negatives (unknown user: xxxxxx) with usernames longer than 8 chars.
The value i used ( 32 chars ) was taken from the tar header ( see gname and uname).
Maybe this buffers can be reduced a bit ( to 16 or whatever ), this is up to you.
6) The increase of size of the binary is not so dramatic:
size busybox
text data bss dec hex filename
239568 2300 36816 278684 4409c busybox
size busybox_fixed
text data bss dec hex filename
239616 2300 36816 278732 440cc busybox
7) The behaviour of whoami changed:
actually it prints out an username cut down to the size of the buffer.
This could be fixed by increasing the size of the buffer as in id.c or
avoid the use of my_getpwuid and use getpwuid directly instead.
Maybe this colud be also remain unchanged......
Please apply if you think it is ok to do so.
The diff applies on today's cvs tarball (2004-08-25).
Thanks in advance,
Ciao,
Tito
Unfortunatelly I've not followed the last two or three weeks commits (new
semester started and so now I rarely have time to fix my personal bridge)
but tonight I synched my tree and immediately noticed a rather nasty bug!
[Using libbb/interface.c:1.24]
# grep eth0 /proc/net/dev | xargs
eth0:311708397 237346 1670 0 1789 1670 0 0 22580308 120297 0 0 0 102 0 0
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:20:AF:7C:EA:B7
inet addr:10.0.0.1 Bcast:10.0.0.127 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:5 Base address:0x320
All values `ifconfig' is showing are `zeroed' -- I quickly looked at the
last commits I missed and noticed that there were a commit relating to
ifconfig, libbb/interface.c:1.23->1.24 (PatchSet 4338).
I've reversed the patch and now everything is working again. I compared
the get_name's return values from the 1.23 and 1.24 and quickly noticed
that the new revision is leaving `p' right on the sep while the rev 1.23
was leaving it right on the starting of the values...
1-line, 1/3-minute patch attached :-)
On Wed Aug 18, 2004 at 06:52:57PM +0800, Matt Johnston wrote:
> I've come across some strange-seeming behaviour when running programs
> under Busybox (1.0.0-rc3) ash. If the child process sets stdin to be
> non-blocking and then exits, the parent ash will also exit. A quick strace
> shows that a subsequent read() from stdin returns EAGAIN (as would be
> expected):
Thanks!
Patch attached.
--w
vodz
Looks like the -D and -H options of the adduser applet aren't handle
properly in BusyBox.
This patch fixes the masks definition for those options according to
there position in the optstring.
Patch against RC2 but should also apply cleanly against CVS.
Bertrand
This bug is in busybox 1.0.0-rc2. When using lash exec
builtin with redirection, the opened file fd keep increasing.
For example, please try the following command with lash.
ls -al /proc/<lash pid>/fd
exec /bin/sh 2>/dev/null
ls -al /proc/<lash pid>/fd
The last 'ls' command output will look like this. The fd
number 4 shouldn't exist.
lrwx------ 1 501 100 64 Aug 13 13:56 4 -> /dev/pts/5
l-wx------ 1 501 100 64 Aug 13 13:56 2 -> /dev/null
lrwx------ 1 501 100 64 Aug 13 13:56 1 -> /dev/pts/5
lrwx------ 1 501 100 64 Aug 13 13:56 0 -> /dev/pts/5
dr-xr-xr-x 3 501 100 0 Aug 13 13:56 ..
dr-x------ 2 501 100 0 Aug 13 13:56 .
This one-line patch fix this problem by setting CLOEXEC flag for
squirrel fd. Please apply.
Joe.C
with a quick conversion you will see that 132608 == 0x20600
so noticed that the elif will never be matched !
Apparently there was already a try to modify this in CVS which
was reverted (it was plain wrong).
I don't know when __kernel_old_dev_t is needed, but with a 2.6.7
or a 2.6.8 this is __kernel_dev_t wich is needed.
I corrected this with the following patch but maybe older 2.6
still need __kernel_old_dev_t ?
I think this should be corrected before 1.0.
Thanks
Aurel
Hello,
function build_dep in modprobe.c assumes that dependencies of one module
have not more than 255 chars;
that is not sufficient in kernel 2.6.7 (alsa sound modules). - Below is
a diff that solves the problem for me.
With regards, Christian Ostheimer
"There seems to be a slight problem with the "mod_strcmp" function in
modprobe.c, it scans for the first occurence of the module name in the
"mod_path" variable and expects it to be the last path element. ie
/lib/modules/2.4.22-debug/kernel/fs/vfat in my example. The comparison
will always fail if mod_path contains another substring matching the
module name."
Robert McQueen wrote
"Although William Barsse's patch fixed mod_strcmp for 2.4 kernels, there
was a remaining problem which prevented it from working for me. I've
just tracked it down - when you enable kernel 2.6 module support it
hard-wired the extension to .ko instead of checking at runtime like the
other places where 2.4 differs from 2.6. The attached patch fixes this
for me."
A question was posted a month ago by Mark Alamo to see if others had
problems with sourcing subscripts within msh. We asked his firm to fix the
msh.c bug he described because we didn't have enough time to do it
ourselves.
When msh.c is executing a compound statement and there is a . command to
source another script file, msh.c will not execute the subscript until it's
completed executing the rest of the compound statement.
His example was this:
Echo "Start" ; . ./subA; echo "mid" ; . ./subB ; echo "end"
subA and subB execute AFTER end is printed in reverse order. The same is
true if the sourced files are inside an if else fi, case esac, or any
compound statement.
Attached is a patch to msh.c. It fixes the problem. Cd to the root of your
busybox tree and execute "patch -p1 < msh.c.patch"
Unfortunately, I won't have more time to work on this so I hope that there
aren't any problems!
Michael Leibow
Senior Software Engineer
Belkin Corporation
fixes two other issues (plus the previous as well) with a 2.4 kernel :
- should be able to modprobe an already loaded module and get 0 return
code :
# modprobe <something> && modprobe <something> && echo "ok" || echo "failed"
....
failed
Well, hope this helps and that I didn't screw up again,
- William
Hi to all,
This patch is useful for:
1) remove an unused var from extern char *find_real_root_device_name(const char* name)
changing it to extern char *find_real_root_device_name(void).
2) fixes include/libbb.h, coreutils/df.c, util-linux/mount.c and util-linux/umount.c accordingly.
3) fixes a bug, really a false positive, in find_real_root_device_name() that happens if
in the /dev directory exists a link named root (/dev/root) that should be skipped but
is not. This affects applets like df that display wrong results
