Hi,
I've spent the half night staring at the devilish my_getpwuid and my_getgrgid functions
trying to find out a way to avoid actual and future potential buffer overflow problems
without breaking existing code.
Finally I've found a not intrusive way to do this that surely doesn't break existing code
and fixes a couple of problems too.
The attached patch:
1) changes the behaviour of my_getpwuid and my_getgrgid to avoid potetntial buffer overflows
2) fixes all occurences of this function calls in tar.c , id.c , ls.c, whoami.c, logger.c, libbb.h.
3) The behaviour of tar, ls and logger is unchanged.
4) The behavior of ps with somewhat longer usernames messing up output is fixed.
5) The only bigger change was the increasing of size of the buffers in id.c to avoid
false negatives (unknown user: xxxxxx) with usernames longer than 8 chars.
The value i used ( 32 chars ) was taken from the tar header ( see gname and uname).
Maybe this buffers can be reduced a bit ( to 16 or whatever ), this is up to you.
6) The increase of size of the binary is not so dramatic:
size busybox
text data bss dec hex filename
239568 2300 36816 278684 4409c busybox
size busybox_fixed
text data bss dec hex filename
239616 2300 36816 278732 440cc busybox
7) The behaviour of whoami changed:
actually it prints out an username cut down to the size of the buffer.
This could be fixed by increasing the size of the buffer as in id.c or
avoid the use of my_getpwuid and use getpwuid directly instead.
Maybe this colud be also remain unchanged......
Please apply if you think it is ok to do so.
The diff applies on today's cvs tarball (2004-08-25).
Thanks in advance,
Ciao,
Tito
dev_t. This is especially important now that the user space concept of a dev_t
and the kernel concept of a dev_t are divergant. The only bit of user space
allowed to know the number of major and minor bits is include/sys/sysmacros.h
(i.e. part of libc). When used with a current C library and a 2.6.x kernel,
this fix should allow BusyBox to support wide device major/minor numbers.
-Erik
Hello,
I found and patched 2 more bugs. The first is a misplaced semi-colon. The second
one is a buffer overflow. I doubt the buffer overflow is triggered in real life.
But you never know what those wily hackers are up to.
Thanks,
Steve Grubb
This is a bulk spelling fix patch against busybox-1.00-pre10.
If anyone gets a corrupted copy (and cares), let me know and
I will make alternate arrangements.
Erik - please apply.
Authors - please check that I didn't corrupt any meaning.
Package importers - see if any of these changes should be
passed to the upstream authors.
I glossed over lots of sloppy capitalizations, missing apostrophes,
mixed American/British spellings, and German-style compound words.
What is "pretect redefined for test" in cmdedit.c?
Good luck on the 1.00 release!
- Larry
init_archive_deb_data()
We want to filter for data.tar.* in the AR file not the TAR
file, else we get nothing.
all_control_list()
Make the 'extensions' array of control file names a global so it
can be used in unpack_package as well. Name the global
all_control_files. Don't hard code the length of
all_control_files but instead used sizeof.
unpack_package()
Only unpack the control files we are interested in (from
all_control_files). Extract the data.tar.gz into / rather than
the current directory.
dpkg_main()
Configure packages in a second pass so all the packages being
installed are unpacked before configuring.
Some purely cosmetic changes:
header
update list of differences since two of them are no longer true.
The .control file is no longer stored as a result of this patch
-- it was redundant since the info is in status. New packages
appear to be added to the end of the status file now rather than
the start.
remove_package()
Make message printing optional, so we can avoid a redundant
message when replacing/upgrading a package. When we do print
stuff then include the version number.
purge_package()
Print "Purging xxx (yyy) ..." message like the other actions.
configure_package()
Add "..." to "Setting up" message to be consistent with other
actions.
archive_xread can be replaced with bb_full_read, and archive_copy_file
with bb_copyfd*
bb_copyfd is split into two functions bb_copyfd_size and bb_copyfd_eof,
they share a common backend.
open_transformer(), common code for pipe+fork.
Function pointer for read() no longer needed.
Allow inflate to be initialised with a specified buffer size to avoid
over-reading.
Reset static variables in inflate_get_next_window to fix a bug where
only the first file in a .zip would be be extracted.
Hi Glenn.
I analysed BSS size gzip applet and found may be mistake:
updcrc() checking if (crc_table_empty) but not resetted this var.
This do make slow gzip applet ;-)
--w
vodz
Use the old fork() method of tar compression support, rather than
read_bz2....
- (*uncompress)(int in, int out) seems like a more natural interface
for compression code.
- it might improve performance by seperating the work into one cpu
bound and one io bound process.
- There is extra code required to do read_[gz|bunzip] since (*uncompress)(int in,
int out) will normally be used by the standalone compression applet.
There have been problems with this method so if you see a "Short read"
error let me know.
This hides a bug related to the new bunzip code in the tar and dpkg[-deb]
applets.
It will also reduce compile time a little as some unused files wont be
compiled.
the busybox menuconfig triggered my "inacceptable number of spelling mistakes"
upper level, so I decided to make a patch ;-)
I also improved some wording to describe some things in a better way.
Many thanks for an incredible piece of software!
Andreas Mohr, random OSS developer
Hello Rob,
Here's a patch to your bunzip-3.c file. Nice work btw.
One minor bug fix... checking for error return when read()ing.
Some size/performance optimizations as well. One instance of
memset() seems unnecssary. You might want to take a look.
Anyway, on my machine, decompressing linux-2.6.0-test7.tar.bz2
to /dev/null gave the following times:
bunzip-3.c bzcat (system) bunzip-3.c (patched)
real 0m24.420s 0m22.725s 0m20.701s
user 0m23.930s 0m22.170s 0m20.180s
sys 0m0.070s 0m0.080s 0m0.140s
Size of the patched version is comparable (slightly larger or
smaller depending on compiler flags).
Manuel
The API for using partial writes, as described in my last message, sucked.
So here's a patch against my last patch that changes things so that
write_bunzip_data calls read_bunzip_data itself behind the scenes whenever
necessary. So usage is now just start_bunzip(), write_bunzip_data() until it
returns a negative number, and then the cleanup at the end of
uncompressStream.
It adds 32 bytes to the executable, but it should allow the caller (tar) to be
simplified enough to compensate. Total -Os stripped exe size now 6856 bytes.
Rob
P.S. I attached the whole C file so you don't have to keep incremental
patches straight if you don't want to. :)
P.S. In the version I'm banging on now, I've simplified the license to just
LGPL. I read the OSL a bit more closely and the patent termination clause
would have bit IBM in their counter-suit of SCO if the code in question had
been OSL instead of GPL, and I've decided I just don't want to beta-test
legal code right now.
Need to chdir after the tar file is opened, so make common tar filename
parsing and send the file descriptor rather than filename to
writeTarFile.
Modify the verboseFlag operation to determine wether to display on
stderr or stdout at display time, simpler than doing it in tar_main.
The tar -x command in busybox does not restore the file mode correctly.
The reason is most probably this code in
archival/libunarachive/data_extract_all.c:
chmod(file_header->name, file_header->mode);
chown(file_header->name, file_header->uid, file_header->gid);
chown clears the set*id bits (on current versions of linux :). Flipping
the order around fixes the problem.
(tested with 1.00pre3 from cvs).
directory.
From http://www.gnu.org/manual/tar/html_node/tar_123.html
REGTYPE
AREGTYPE
These flags represent a regular file. In order to be compatible with
older versions of tar, a typeflag value of AREGTYPE should be silently
recognized as a regular file. New archives should be created using
REGTYPE. Also, for backward compatibility, tar treats a regular file
whose name ends with a slash as a directory.
Always preserve creation date
Disable the -p option its for modification date
Remove some cpio header debugging noise
Syncronise file listing behaviour with upstream.
If we read the contents of compressed files within the ar archive,
e.g. control.tar.gz, then file position gets all out of whack, so
it has to be reset before reading thenext header.
Hello all,
This patch adds more "Help" text to the config system. Almost
all applets now have a help entry. Also, I cleaned up the spacing of
the existing text so that things are consistent. This patch is against
this morning's CVS.
Thomas Cameron
CEI Systems, Inc.
bb-tar "cjf" does not create a valid tbz2-archive -- if fact the result is a
plain tar-file (no compression) -- but does not warn about the unrecognized
parameter combination "cj" (bb does not have bzip2-compression yet, right?).
to fix this I have added an error message stating this does not work.
He also reported
cosmetic: versose "-v" does not show any output when used with "create"
which I have now fixed as well.
-Erik
He took a look into the recent reports of tar problems, and found an obvious
typo in last_patch91 from vodz which converted tar to use bb_getopt_ulflags.
complain "unknown file type" if it tries to extract an oldgnu tar file
and TAR_FEATURE_OLDGNU_COMPATABILITY sint defined.
Print a warning if unisupported gnu extensions are encountered.
modified Kbuild system I put into uClibc. With this, there should be no more
need to modify Rules.mak since I've moved all the interesting options into the
config system. I think I've got everything updated, but you never know, I may
have made some mistakes, so watch closely.
-Erik
It seems that under busybox unstable, "tar -c -f - blabla" create
a tar file named "-" instead of writing to stdout.
The included patch should fix this.
New complex patch for decrease size devel version. Requires previous patch.
Also removed small problems from dutmp and tar applets.
Also includes vodz' last_patch61_2:
Last patch correcting comment for #endif and more integrated
with libbb (very reduce size if used "cat" applet also).
Requires last_patch61 for modutils/config.in.
Hi, Erik.
my_getpw(uid/gid) and applets used it have problem:
if username for uid not found, applets can`t detect it
(but code pessent). Also "%8ld " format is bad:
spaces not required (applets have self format
or spec format (tar applet) and overflow for "id" applet...)
This problem also pressent in stable version.
Patch for unstable in attach.
--w
vodz
In most cases, dirname returns the same argument it was given, so this code
works nice, but there's one special case: when the name contains no
dirname, it returns "." (stored statically in the body of itself), and we
get a segfault in attempt to free() it.
This patch fixes this problem.
Also tried to clean up the logic a little, and ensure that read errors
or invalid archives resulted in error returns. This could use a lot more
work... Volunteers?
#49: I found one memory overflow and memory leak in "ln" applet.
Last patch reduced also 54 bytes. ;)
#50: I found bug in loginutils/Makefile.in.
New patch have also new function to libbb and
aplied this to applets and other cosmetic changes.
still needs major attention (i.e. removal).
Removed references to uninitialized variables like progName,
smallMode, noisy, etc. Remove functions and code for handling "small"
decompression mode, since it is all unreachable. Remove
total_{in,out}* counters - they are never used. Remove panic()
function and assert_h and their uses because they are all for "should
never happen" circumstances. Replace internal malloc/free wrappers
with xmalloc and free. Remove conditional in if(foo)free(foo);
situations. Remove bogus
if (sizeof(int) != 4) {
return BZ_CONFIG_ERROR;
}
(...etc...) code and code for handling BZ_CONFIG_ERROR. Someone should
go through and change the applet to use well-defined types when
appropriate - it expects sizeof(short)==2 && sizeof(int)==4. Until
this commit these were explicitly checked for, and the applet would
exit if these types were not the right size. (I think this is wrong
even as an interim solution.)
With gcc 3.1 reduces size of binary on i386-linux by about 700 bytes.
Lightly tested.
the busybox development tree. This eliminates the use of recursive make, and
once again allows us to run 'make' in a subdirectory with the expected result.
And things are now much faster too. Greatly improved IMHO...
-Erik
(bunzip2_main): Read data from standard input if FILE argument is `-' or
omitted.
* include/usage.h (bunzip2_trivial_usage, bunzip2_full_usage): Rewrite.
* testsuite/bunzip2/bunzip2-reads-from-standard-input: New.
This code could be improvemed by
1) supporting more options,
2) Creating a shared crc table with gunzip, or perhaps generated on the fly.
3) Removing any remaining unneccessary code (e.g. if (noisy))
1) ping cleanup (compile fix from this patch already applied).
2) traceroute call not spare ntohl() now (and reduce size);
3) Fix for functions not declared static in insmod, ash, vi and mount.
4) a more simple API cmdedit :))
5) adds "stopped jobs" warning to ash on Ctrl-D and fixes "ignoreeof" option
6) reduce exporting library function index->strchr (traceroute), bzero->memset (syslogd)
Config.h and using gcc's -fno-builtin. There are probably other files
with the similar problems.
Also, if building against uClibc, don't include asm/unistd.h in syscalls.c
and module_syscalls.c.
with mode 0777 in all cases due to usask issues. Thanks to Matt Kraai for
noticing and spotting the culprit. This makes bb tar behave just like GNU
tar once again.
-Erik
change permissions on existing directories. This behavior is contrary to SUSv2
and contrary to GNU tar. Thanks to Matt Kraai for pointing this out. I should
have been much more careful about accepting such a patch.
-Erik
This way, we can new get rid of all that tedious #define rubbish we used to
need to enable specific messages. This way is enormously simpler, and as a
bonus also ends up saving us 96 bytes.
-Erik
Make better use of some libbb functions
New remove dir code to avoid depending on the rm applet
dont use copy_file() it doesnt fail elegantly
Use getopt.
Generate correct /var/lib/dpkg/info/ files
Status file is broken, working on it now