From venglin@lagoon.freebsd.org.pl Sun May  2 13:33:08 1999
Return-Path: <venglin@lagoon.freebsd.org.pl>
Received: from lagoon.freebsd.org.pl (lagoon.freebsd.org.pl [194.92.16.30])
	by hub.freebsd.org (Postfix) with SMTP id E791414CE6
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  2 May 1999 13:33:02 -0700 (PDT)
	(envelope-from venglin@lagoon.freebsd.org.pl)
Received: (qmail 4114 invoked by uid 1001); 2 May 1999 20:32:58 -0000
Message-Id: <19990502203258.4113.qmail@lagoon.freebsd.org.pl>
Date: 2 May 1999 20:32:58 -0000
From: venglin@lagoon.freebsd.org.pl
Reply-To: venglin@lagoon.freebsd.org.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: mkdir() and chdir() doesn't check argument length
X-Send-Pr-Version: 3.2

>Number:         11454
>Category:       i386
>Synopsis:       mkdir() and chdir() doesn't check argument length
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May  2 13:40:01 PDT 1999
>Closed-Date:    Fri Apr 13 10:38:38 PDT 2001
>Last-Modified:  Fri Apr 13 10:39:32 PDT 2001
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 3.1-STABLE i386
>Organization:
Unia Lubelska High School, Lublin, Poland
>Environment:

FreeBSD lagoon.freebsd.org.pl 3.1-STABLE FreeBSD 3.1-STABLE #0: Sun Apr 11 17:11:46 CEST 1999     venglin@lagoon.freebsd.org.pl:/usr/src/sys/compile/LAGOON  i386

and my home machine:

FreeBSD venglin.gadaczka.org 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Mon Apr 19 22:11:21 CEST 1999     venglin@venglin.gadaczka.org:/usr/src/sys/compile/GADACZKA  i386

>Description:

  Chdir() and mkdir() don't check argument length, so it's possible
to create an extremely deep directory structure on which most system
commands won't work.

  Example:

lagoon:venglin:/tmp/jc> rm -r example
rm: ex19/e name too long
rm: ex19/rectory not empty
rm: ex19/irectory not empty
rm: ex19/Directory not empty
rm: ex19: Directory not empty

lagoon:venglin:/tmp/jc> ls -lR example > /dev/null
ls: No such file or directory
ls: No such file or directory

It is probably possible to compromise the security of the /etc/periodic
shell scripts (they use /usr/bin/find):

lagoon:venglin:/tmp/jc> find example > /dev/null
Segmentation fault (core dumped)

>How-To-Repeat:

  Create a big directory structure (try with different directory names):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>

#define DUMP 0x41       /* 'A' */

int main(int argc, char *argv[]) {

        char buf[256];  /* 255 characters plus the terminating NUL */
        int i = 0;

        if (argc < 3) { fprintf(stderr, "usage: %s <dir> <depth>\n", argv[0]); exit(1); }

        if(chdir(argv[1])) { fprintf(stderr, "error in chdir(): %s\n", strerror(errno)); exit(1); }

        /* each level is a directory whose name is 255 times DUMP */
        memset(buf, DUMP, 255);
        buf[255] = '\0';
        for(i=0;i<(atoi(argv[2]))-1;i++) {
          if(mkdir(buf, (S_IRWXU | S_IRWXG | S_IRWXO))) { fprintf(stderr, "error in mkdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); }
          if(chdir(buf)) { fprintf(stderr, "error in chdir() after %d iterations: %s\n", i, strerror(errno)); exit(1); }
        }

        exit(0);
}

>Fix:
	
  Unknown.


>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG, venglin@lagoon.freebsd.org.pl
Cc:  
Subject: Re: i386/11454: mkdir() and chdir() doesn't check argument length
Date: Mon, 3 May 1999 08:07:10 +1000

 >>Description:
 >
 >  Chdir() and mkdir() don't check argument length, so it's possible
 >to create an extremely deep directory structure on which most system
 >commands won't work.
 
 chdir() and mkdir() work correctly.  They can't reasonably check the
 length of the path to the current directory, and POSIX.1 doesn't
 permit them to fail because the current directory is deep.
 
 The bugs are in the system commands.  In particular, POSIX.2 specifies
 that `find' and `rm -r' shall work for arbitrarily deep directories
 (provided directory names longer than PATH_MAX aren't specified on the
 command line), and that `ls -R' should handle arbitrarily deep directories
 (it shouldn't fail unless it runs out of memory for keeping track of
 untraversed directories).
 
 `find' seems to traverse deep directories correctly.  However, the
 following don't work:
 1) passing long names found by `find' to other utilities.
 2) `find . -type d -delete'.  It dumps core in deep directories.
 
 Bruce
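
 Bruce's point that `rm -r' must work on arbitrarily deep trees holds because a recursive remove never needs a full pathname. The following is an added example (not part of this PR or of FreeBSD's rm) that deletes a tree using only fd-relative calls, so PATH_MAX is irrelevant; it assumes a POSIX.1-2008 system (openat/unlinkat/fdopendir), a PATH_MAX of 4096 as on Linux, and a writable /tmp, and builds its own constructed deep tree to remove.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove everything below the open directory `dfd` (which this call consumes)
 * and return the number of directories removed, or -1 on error.  Each entry is
 * addressed relative to its parent's fd, so no full path is ever built. */
static long rmtree_at(int dfd)
{
    DIR *d = fdopendir(dfd);
    if (d == NULL) { close(dfd); return -1; }
    long removed = 0;
    for (struct dirent *e = readdir(d); e != NULL; e = readdir(d)) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        struct stat st; if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW)) goto fail;
        int isdir = S_ISDIR(st.st_mode) ? 1 : 0;
        if (isdir) {                   /* empty the subdirectory first, never following symlinks */
            int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            long r = sub < 0 ? -1 : rmtree_at(sub);
            if (r < 0) goto fail;
            removed += r;
        }
        if (unlinkat(dfd, e->d_name, isdir ? AT_REMOVEDIR : 0)) goto fail;
        removed += isdir;
    }
    closedir(d); return removed;
fail: closedir(d); return -1;
}

/* Constructed demonstration: under a fresh temp dir, nest `depth` directories whose
 * 200-character names push the full path far past PATH_MAX, then remove them fd-relatively. */
long demo_deep_tree(int depth)
{
    char tmpl[] = "/tmp/deeptree.XXXXXX", name[201];
    memset(name, 'A', 200); name[200] = '\0';   /* NUL-terminated, unlike the repro's buf */
    if (mkdtemp(tmpl) == NULL) return -1;
    int cur = open(tmpl, O_RDONLY | O_DIRECTORY);
    for (int i = 0; cur >= 0 && i < depth; i++) {
        int next = mkdirat(cur, name, 0700) ? -1 : openat(cur, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(cur); cur = next;
    }
    close(cur); if (cur < 0) return -1;
    int top = open(tmpl, O_RDONLY | O_DIRECTORY);
    long removed = top < 0 ? -1 : rmtree_at(top);
    return rmdir(tmpl) == 0 ? removed : -1;    /* number of directories removed == depth */
}
```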
 

From: "Przemyslaw Frasunek" <venglin@lagoon.freebsd.org.pl>
To: bde@zeta.org.au
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: i386/11454: mkdir() and chdir() doesn't check argument lengt
Date: Tue, 4 May 1999 20:01:44 CEST

 >  >>Description:
 >  >  Chdir() and mkdir() don't check argument length, so it's possible
 >  >to create an extremely deep directory structure on which most system
 >  >commands won't work.
 >  chdir() and mkdir() work correctly.  They can't reasonably check the
 >  length of the path to the current directory, and POSIX.1 doesn't
 >  permit them to fail because the current directory is deep.
 
 OK, but the mkdir() and chdir() manual page says:
 
 ERRORS
      Mkdir() (chdir()) will fail and no directory will be created if:
 [...]
      [ENAMETOOLONG]
                  A component of a pathname exceeded 255 characters, or
                   an entire path name exceeded 1023 characters.
 
 But it doesn't fail. 
 
 >  The bugs are in the system commands.  In particular, POSIX.2 specifies
 >  that `find' and `rm -r' shall work for arbitrarily deep directories
 >  (provided directory names longer than PATH_MAX aren't specified on the
 >  command line), and that `ls -R' should handle arbitrarily deep directories
 >  (it shouldn't fail unless it runs out of memory for keeping track of
 >  untraversed directories).
 
 So theoretically I can create a directory on which _all_ system
 commands will fail, because they don't have enough memory?
 
 >  `find' seems to traverse deep directories correctly.  However, the
 >  following don't work:
 >  1) passing long names found by `find' to other utilities.
 
 An overflow occurs when find tries to print out a long pathname by
 invoking puts(). So I think (but I'm not sure) that it could be
 dangerous and should be fixed...
 
 --
 * Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 * 
 * Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *
 

From: venglin@freebsd.lublin.pl
To: freebsd-gnats-submit@FreeBSD.org, venglin@lagoon.freebsd.org.pl
Cc:  
Subject: Re: i386/11454: mkdir() and chdir() doesn't chec
Date: 13 Apr 2001 14:06:09 -0000

 Fixed almost two years ago. Close.
 
State-Changed-From-To: open->closed 
State-Changed-By: iedowse 
State-Changed-When: Fri Apr 13 10:38:38 PDT 2001 
State-Changed-Why:  
Closed at originator's request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=11454 
>Unformatted:
