Linux kernel WTF



  • From the menuconfig program of the Linux 2.0.40 kernel:

        const char *title = NULL;
    
    ... title gets pointed to something somewhere in here ...
    
        title[atoi(argv[offset+4])-4] = 0;
    


  • @Carnildo said:

    the Linux 2.0.40 kernel:

    Wow. That's a trip down memory lane...



  •  I've never had menuconfig segfault on me, so apparently it works. Yeah, code is overly complex and a bit unreadable, but that applies to a lot of old open-source C code.

    I also wouldn't consider menuconfig as a part of the kernel.



  • Unless there's some validation of the offset in the parameters list and limit check on the INT value of that parameter before this line it seems like you could pass in a parameter value that would unintentionally overwrite memory not related to the menu.  Pretty common looking C code, but still scary.

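The point raised in the post above, as an added example that is not code from this thread or from the menuconfig source: `unchecked_index` shows what the original line computes before it writes (a non-numeric argument becomes 0, so the index is -4), and `truncate_title` performs the same write only after checking the argument count, the parse and the range. All function and enum names are constructed for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What the original line computes before it writes: atoi() turns any
 * non-numeric argument into 0, so the index silently becomes -4. */
long unchecked_index(const char *arg)
{
    return (long)atoi(arg) - 4;
}

/* Outcomes of the checked version (names constructed for this example). */
enum title_result { TITLE_OK = 0, TITLE_BAD_ARGC, TITLE_BAD_NUMBER, TITLE_OUT_OF_RANGE };

/* Same operation as title[atoi(argv[offset+4])-4] = 0, but the buffer is
 * declared writable (a conforming compiler rejects the write through a
 * const char *), the argument must exist, must parse completely as a
 * decimal number, and the resulting index must lie inside title_cap bytes. */
enum title_result truncate_title(char *title, size_t title_cap,
                                 int argc, char **argv, int offset)
{
    if (offset < 0 || offset > INT_MAX - 4 || offset + 4 >= argc ||
        argv[offset + 4] == NULL)
        return TITLE_BAD_ARGC;

    const char *arg = argv[offset + 4];
    char *end = NULL;
    errno = 0;
    long value = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return TITLE_BAD_NUMBER;      /* "abc", "" and "12x" are all rejected */

    /* Keep the original "minus 4" arithmetic, but bounds-check the result. */
    if (value < 4 || (unsigned long)(value - 4) >= title_cap)
        return TITLE_OUT_OF_RANGE;

    title[value - 4] = '\0';
    return TITLE_OK;
}

int main(void)
{
    char title[32] = "Kernel hacking options";                   /* constructed sample */
    char *args[] = { "menuconfig", "x", "x", "x", "x", "abc" };  /* argv[5] is not numeric */
    printf("unchecked index for \"abc\": %ld\n", unchecked_index(args[5]));
    printf("checked result code: %d\n", (int)truncate_title(title, sizeof title, 6, args, 1));
    return 0;
}
```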


  • @jpa said:

     I've never had menuconfig segfault on me, so apparently it works. Yeah, code is overly complex and a bit unreadable, but that applies to a lot of old open-source C code.

    I also wouldn't consider menuconfig as a part of the kernel.

    The compiler isn't doing its job if you think this works.  The definition is "const char *title," which means title is a pointer to a const string.  The assignment to title[offset] shouldn't be allowed at all.

    My compiler definitely objects: \const_test.cpp(12): error C2166: l-value specifies const object

    So, tell me again how this works?



  • @mrprogguy said:

    So, tell me again how this works?

    It works via a bug in an older version of GCC. To get it to compile under a current version, you need to modify the code, unless there's an option to turn the bugfix off that I haven't seen.



  • @jreasons68 said:

    Unless there's some validation of the offset in the parameters list and limit check on the INT value of that parameter before this line it seems like you could pass in a parameter value that would unintentionally overwrite memory not related to the menu.  Pretty common looking C code, but still scary.

    If someone is in a position to recompile your kernel for you, you're pwned pretty hard anyway, regardless of an overflow in a (non-suid) build tool that's part of the process!



  • @tgape said:

    @mrprogguy said:
    So, tell me again how this works?

    It works via a bug in an older version of GCC. To get it to compile under a current version, you need to modify the code, unless there's an option to turn the bugfix off that I haven't seen.

    -Dconst= I think should do it :).

