From dunstan@freebsd.czest.pl  Sun Feb 13 19:49:59 2005
Return-Path: <dunstan@freebsd.czest.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E041B16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 13 Feb 2005 19:49:58 +0000 (GMT)
Received: from freebsd.czest.pl (silver.iplus.pl [80.48.250.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id EDD2643D2D
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 13 Feb 2005 19:49:46 +0000 (GMT)
	(envelope-from dunstan@freebsd.czest.pl)
Received: from freebsd.czest.pl (freebsd.czest.pl [80.48.250.4])
	by freebsd.czest.pl (8.12.10/8.12.9) with ESMTP id j1DJt59r006687
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 13 Feb 2005 19:55:05 GMT
	(envelope-from dunstan@freebsd.czest.pl)
Received: (from dunstan@localhost)
	by freebsd.czest.pl (8.12.10/8.12.9/Submit) id j1DJt46K006686;
	Sun, 13 Feb 2005 19:55:05 GMT
	(envelope-from dunstan)
Message-Id: <200502131955.j1DJt46K006686@freebsd.czest.pl>
Date: Sun, 13 Feb 2005 19:55:05 GMT
From: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
Reply-To: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] Use of uninitialized variables in lpc(8) (SIGSEGV)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         77462
>Category:       bin
>Synopsis:       [PATCH] Use of uninitialized variables in lpc(8) (SIGSEGV)
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 13 19:50:17 GMT 2005
>Closed-Date:    Tue Feb 22 02:58:35 GMT 2005
>Last-Modified:  Tue Feb 22 02:58:35 GMT 2005
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.3-STABLE FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005 root@dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6 i386


Tests made on -STABLE and -CURRENT.

>Description:
lpc(8) uses the editline(3) library to handle user input. If data comes from a
terminal, it uses the el_gets(3) function. Otherwise, fgets(3) is used. Structures
for the el_* functions have to be initialized before making use of them.
	A user may send malicious data through fgets(3), skipping variable
initialization and thus causing lpc to get SIGSEGV.
My analysis has shown it *might* be exploited in theory. lpc(8) is SGID with
EGID == daemon.

>How-To-Repeat:
Repeating is trivial:

$ echo "..:" | lpc

or

$ cat /dev/random | lpc

>Fix:
The solution is very simple. Structures are used for processing data either from
el_gets() or fgets(), so initialization has to be done earlier. The attached
patch [lpc.0.patch] should correct this problem.


--- lpc.0.patch begins here ---
Index: src/usr.sbin/lpr/lpc/lpc.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/lpr/lpc/lpc.c,v
retrieving revision 1.28
diff -u -r1.28 lpc.c
--- src/usr.sbin/lpr/lpc/lpc.c	13 Oct 2003 07:24:22 -0000	1.28
+++ src/usr.sbin/lpr/lpc/lpc.c	18 Nov 2004 14:23:21 -0000
@@ -162,27 +162,27 @@
 	bp = NULL;
 	el = NULL;
 	hist = NULL;
+
+	el = el_init("lpc", stdin, stdout, stderr);
+	hist = history_init();
+	history(hist, &he, H_EVENT, 100);
+	el_set(el, EL_HIST, history, hist);
+	el_set(el, EL_EDITOR, "emacs");
+	el_set(el, EL_PROMPT, lpc_prompt);
+	el_set(el, EL_SIGNAL, 1);
+	el_source(el, NULL);
+
 	for (;;) {
 		if (fromatty) {
-			if (!el) {
-				el = el_init("lpc", stdin, stdout, stderr);
-				hist = history_init();
-				history(hist, &he, H_EVENT, 100);
-				el_set(el, EL_HIST, history, hist);
-				el_set(el, EL_EDITOR, "emacs");
-				el_set(el, EL_PROMPT, lpc_prompt);
-				el_set(el, EL_SIGNAL, 1);
-				el_source(el, NULL);
-				/*
-				 * EditLine init may call 'cgetset()' to set a
-				 * capability-db meant for termcap (eg: to set
-				 * terminal type 'xterm').  Reset that now, or
-				 * that same db-information will be used for
-				 * printcap (giving us an "xterm" printer, with
-				 * all kinds of invalid capabilities...).
-				 */
-				cgetset(NULL);
-			}
+			/*
+			 * EditLine init may call 'cgetset()' to set a
+			 * capability-db meant for termcap (eg: to set
+			 * terminal type 'xterm').  Reset that now, or
+			 * that same db-information will be used for
+			 * printcap (giving us an "xterm" printer, with
+			 * all kinds of invalid capabilities...).
+			 */
+			cgetset(NULL);
 			if ((bp = el_gets(el, &num)) == NULL || num == 0)
 				quit(0, NULL);
 
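Review bot: the `cgetset(NULL);` reset is left inside `if (fromatty)`, but `el_init()` and `el_source(el, NULL);` now run unconditionally before the loop, so on the non-tty (fgets) path the termcap capability db that editline may install via `cgetset()` is never cleared before printcap lookups, exactly the "xterm printer" problem the retained comment warns about; move the comment block and `cgetset(NULL);` to directly after `el_source(el, NULL);` so both input paths reset it. Minor: the `el = NULL;` and `hist = NULL;` assignments at the top of the hunk are now immediately overwritten and can go, and since the audit trail notes `el_parse` is the only consumer of `el`, a null-check guard at that single call site would be a smaller alternative to initializing editline for piped input.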
--- lpc.0.patch ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Tue Feb 15 09:42:18 GMT 2005 
Responsible-Changed-Why:  
I'll handle this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77462 
State-Changed-From-To: open->patched 
State-Changed-By: delphij 
State-Changed-When: Tue Feb 15 10:23:23 GMT 2005 
State-Changed-Why:  
A different patch applied against -HEAD.  I think it's equivalent since 
el_parse is the only consumer of el.  MFC Reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77462 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Tue Feb 22 02:57:02 GMT 2005 
State-Changed-Why:  
Fixed in 5-STABLE as well.  Thanks for your submission! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77462 
>Unformatted:
