Date: Wed, 28 Jul 2021 12:38:42 -0700
From: Anthony Martin
To: 9front@9front.org
Subject: [9front] commit df04ea8d6c2e1e75307a77f2b086a836f480ab72

+char bin[] = "/bin";
...
char buf[32];
...
+ buf[0] = '/';
+ buf[1+read(open("/env/cputype", OREAD|OCEXEC), buf+1, sizeof buf - 5)] = '\0';
+ strcat(buf, bin);
+ bind(buf, bin, MAFTER);

That's an out of bounds write if $cputype has a length
greater than or equal to (sizeof buf - 5): strcat will
write a NUL just past the end of buf.

Should be sizeof buf - 6.

Cheers,
Anthony
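Review bot: the read length in the `buf[1+read(...)]` line is a hand-counted constant, so its correctness depends on the reader re-deriving the lengths of the leading '/' and of `bin` by eye. Deriving it from the declarations, for example `sizeof buf - 1 - sizeof bin`, reserves one byte for the '/' and `sizeof bin` bytes for "/bin" with its NUL (26 bytes with the sizes shown) and stays correct if either array changes. The same line uses the results of open and read unchecked: when either fails, read returns -1, the NUL lands on buf[0] and replaces the '/', and the following strcat and bind end up binding "/bin" onto itself. The descriptor returned by open is also never closed in the lines shown. Taking the read count into a variable and skipping the bind when it is not positive would make the failure path explicit.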