Hi,
I've spent the half night staring at the devilish my_getpwuid and my_getgrgid functions
trying to find out a way to avoid actual and future potential buffer overflow problems
without breaking existing code.
Finally I've found a not intrusive way to do this that surely doesn't break existing code
and fixes a couple of problems too.
The attached patch:
1) changes the behaviour of my_getpwuid and my_getgrgid to avoid potetntial buffer overflows
2) fixes all occurences of this function calls in tar.c , id.c , ls.c, whoami.c, logger.c, libbb.h.
3) The behaviour of tar, ls and logger is unchanged.
4) The behavior of ps with somewhat longer usernames messing up output is fixed.
5) The only bigger change was the increasing of size of the buffers in id.c to avoid
false negatives (unknown user: xxxxxx) with usernames longer than 8 chars.
The value i used ( 32 chars ) was taken from the tar header ( see gname and uname).
Maybe this buffers can be reduced a bit ( to 16 or whatever ), this is up to you.
6) The increase of size of the binary is not so dramatic:
size busybox
text data bss dec hex filename
239568 2300 36816 278684 4409c busybox
size busybox_fixed
text data bss dec hex filename
239616 2300 36816 278732 440cc busybox
7) The behaviour of whoami changed:
actually it prints out an username cut down to the size of the buffer.
This could be fixed by increasing the size of the buffer as in id.c or
avoid the use of my_getpwuid and use getpwuid directly instead.
Maybe this colud be also remain unchanged......
Please apply if you think it is ok to do so.
The diff applies on today's cvs tarball (2004-08-25).
Thanks in advance,
Ciao,
Tito
Unfortunatelly I've not followed the last two or three weeks commits (new
semester started and so now I rarely have time to fix my personal bridge)
but tonight I synched my tree and immediately noticed a rather nasty bug!
[Using libbb/interface.c:1.24]
# grep eth0 /proc/net/dev | xargs
eth0:311708397 237346 1670 0 1789 1670 0 0 22580308 120297 0 0 0 102 0 0
# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:20:AF:7C:EA:B7
inet addr:10.0.0.1 Bcast:10.0.0.127 Mask:255.255.255.128
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:5 Base address:0x320
All values `ifconfig' is showing are `zeroed' -- I quickly looked at the
last commits I missed and noticed that there were a commit relating to
ifconfig, libbb/interface.c:1.23->1.24 (PatchSet 4338).
I've reversed the patch and now everything is working again. I compared
the get_name's return values from the 1.23 and 1.24 and quickly noticed
that the new revision is leaving `p' right on the sep while the rev 1.23
was leaving it right on the starting of the values...
1-line, 1/3-minute patch attached :-)
with a quick conversion you will see that 132608 == 0x20600
so noticed that the elif will never be matched !
Apparently there was already a try to modify this in CVS which
was reverted (it was plain wrong).
I don't know when __kernel_old_dev_t is needed, but with a 2.6.7
or a 2.6.8 this is __kernel_dev_t wich is needed.
I corrected this with the following patch but maybe older 2.6
still need __kernel_old_dev_t ?
I think this should be corrected before 1.0.
Thanks
Aurel
Hi to all,
This patch is useful for:
1) remove an unused var from extern char *find_real_root_device_name(const char* name)
changing it to extern char *find_real_root_device_name(void).
2) fixes include/libbb.h, coreutils/df.c, util-linux/mount.c and util-linux/umount.c accordingly.
3) fixes a bug, really a false positive, in find_real_root_device_name() that happens if
in the /dev directory exists a link named root (/dev/root) that should be skipped but
is not. This affects applets like df that display wrong results
On Sat, Jun 19, 2004 at 10:57:37PM +0200, Bastian Blank wrote:
> The following patch changes klogd to use openlog/syslog themself
> instead of calling syslog_msg which always calls the triple
> openlog/syslog/closelog.
Updated patch: get rid of syslog_msg entirely. Request from Erik Andersen.
Bastian
The linux kernel doesnt allow hard links to directories, SUS says its
implementation specific.
cramfs gives empty directories and 0 length files the same node it
makies it difficult to distinguish from hard links.
This is a bulk spelling fix patch against busybox-1.00-pre10.
If anyone gets a corrupted copy (and cares), let me know and
I will make alternate arrangements.
Erik - please apply.
Authors - please check that I didn't corrupt any meaning.
Package importers - see if any of these changes should be
passed to the upstream authors.
I glossed over lots of sloppy capitalizations, missing apostrophes,
mixed American/British spellings, and German-style compound words.
What is "pretect redefined for test" in cmdedit.c?
Good luck on the 1.00 release!
- Larry
Hi.
Last changes (rev 1.12) to recursive_actions() by Christian Grigis
have problem.
Test for demonstrate:
$ mkdir aaa bbb ccc
$ su
# chown root bbb
# chmod 700 bbb
# exit
$ busybox chmod 777 -R .
./bbb: Permision denied
But "./ccc" mode not changed. Previous variant works fine,
errors skiped and continued recursion.
--w
vodz
Hello everyone,
Busybox's insmod fails to locate a module when that module is the only one
existing in the /lib/modules directory (with a unique name).
Example:
# find /lib/modules/ -type f
/lib/modules/kernel/drivers/char/bios.o
# insmod bios
insmod: bios.o: no module by that name found
# touch /lib/modules/dummy
# find /lib/modules/ -type f
/lib/modules/kernel/drivers/char/bios.o
/lib/modules/dummy
# insmod bios
Using /lib/modules/kernel/drivers/char/bios.o
As long as there is another file in the /lib/modules directory, insmod
finds it OK.
I tracked the problem down to 'check_module_name_match()' in insmod.c:
It returns TRUE when a match is found, and FALSE otherwise. In the case
where there is only one module in the /lib/modules directory (or more that
one module, but all with the same name), 'recursive_action()' will return
TRUE and we end up on line 4196 in 'insmod.c' which returns an error.
[The reason it works with more than one module with different
names is that in this case there will always be one not matching,
'recursive_action()' will return FALSE and we end up in line 4189.]
Now, from the implementation of 'recursive_action()' and from other
usages of it (tar.c, etc.), it seems to me that FALSE should be returned
to indicate that we want to stop the recursion, so TRUE and FALSE should
be inverted in 'check_module_name_match()'.
At the same time, 'recursive_action()' continues to recurse even after
the recursive call has returned FALSE; again in my understanding and
other usages of it, we can safely stop recursing at this point.
Here is my patch against 1.00-pre8:
I've noticed a bug in the "autowidth" feature more, and is probably in
others. The call to the function get_terminal_width_height() passes
in a file descriptor but that file descriptor is never used, instead
the ioctl() is called with 0. In more_main() the call to
get_terminal_width_height() passes 0 as the file descriptor instead of
fileno(cin). This isn't a problem when you more a file (e.g. "more
/etc/passwd") but when you pipe a file to it (e.g. "cat /etc/passwd |
more") the size of the terminal cannot be determined because file
descriptor 0 is not a terminal. The fix is simple, I've attached a
patch for more.c and get_terminal_width_height.c.
BAPper
The off_t type is not a consistent size; it depends on the kernel options
(something about large file support). Therefore, the format string for
printing an address is not always the same.
a directory into itself. It is harder to do this correctly
than it appears. Not trying at all seems a better compromise
for the time being, untill we can implement this correctly.
As Manuel points out, this is a flawed fix, and doesnt fix the
following:
mkdir -p cpa cpb cpc
cp -a cpa cpa/cpb/cpc
Attached what appears to be a more sane fix. Apply on top of previous.
Please confirm sanity.
I was adding -s/--symbolic-link support to busybox cp when I noticed a
bug with -r/-a. Test case:
mkdir -p test/out
cd test
busybox cp -a * out/
Will never return until we run out of open files or similar.
Coreutils cp on the other hand will error with "cannot copy a directory,
`out', into itself, `out'". Patch attached.
with 2.6.x asm/posix_types.h, which has done singularly evil thing
by yanking __kernel_dev_t and renaming it. The loop interface was
really poorly designed in the first place. The new 64 bit loop
interface looks to be somewhat less horrible, too bad it is only
present in 2.6.x kernels.
-Erik
out during the allocation process. When vodz changed it to be allocated on the
stack, he forgot to explicitly zero it, leaving its value filled with whatever
used to be sitting on the stack. It would garbage values, depending on the
garbage that happened to be sitting on the stack when the function was called.
The result was that applets using bb_getopt_ulflags() were showing
unpredictable behavior (such as segfaults), which naturally broke many things.