Sign extension bugs

Computer Emergency Response Team (CERT(sm)) Advisory CA-96.22

1. Vulnerability in yy_string_get()

There is a variable declaration error in the "yy_string_get()" function in the "parse.y" module of the "bash" source code. This function is responsible for parsing the user-provided command line into separate tokens (commands, special characters, arguments, etc.). The error involves the variable "string", which has been declared to be of type "char *". The "string" variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type "int". On systems/compilers where the "char" type defaults to "signed char", this value will be sign-extended when it is assigned to the "int" variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value (-1) being assigned to the integer. However, (-1) is used in other parts of the parser to indicate the end of a command. Thus, the character code 255 decimal (377 octal) will serve as an unintended command separator for commands given to bash via the "-c" option. For example, (where "\377" represents the single character with value 255 decimal) will execute two commands, "ls" and "who".
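The following C program is an added illustration of the bug class described above; it is not bash's code. A toy command splitter uses -1 as its end-of-command sentinel, reads bytes through a signed char (modelling bash's plain "char *" on a signed-char platform) and so treats a 0xFF byte as a command boundary; the fixed reader widens through unsigned char instead. The helper names, the constructed input "ls\377who" and the ';' separator are assumptions of this example.

```c
#include <stdio.h>

/* Sentinel the parser uses for "end of the current command"; the
 * advisory's point is that a sign-extended 0xFF byte collides with it. */
#define END_OF_COMMAND (-1)

/* Buggy reader: widens the byte through a signed char, as bash's plain
 * "char *" did on signed-char platforms, so 0xFF becomes -1.
 * (signed char is written explicitly so the demo behaves the same on
 * every compiler; bash itself used plain char.) */
int get_char_buggy(const char **cursor) {
    if (**cursor == '\0')
        return END_OF_COMMAND;
    return (signed char)*(*cursor)++;   /* 0xFF -> -1 == END_OF_COMMAND */
}

/* Fixed reader: widen through unsigned char, so every byte maps to
 * 0..255 and only the terminating NUL can yield the sentinel. */
int get_char_fixed(const char **cursor) {
    if (**cursor == '\0')
        return END_OF_COMMAND;
    return (unsigned char)*(*cursor)++; /* 0xFF -> 255 */
}

/* Toy command-line splitter: a command ends at ';' or at the sentinel.
 * Returns the number of non-empty commands seen before the real NUL. */
int count_commands(const char *line, int (*get)(const char **)) {
    const char *cursor = line;
    int count = 0, len = 0;
    for (;;) {
        int c = get(&cursor);
        if (c == END_OF_COMMAND || c == ';') {
            if (len > 0)
                count++;
            len = 0;
            if (*cursor == '\0')        /* genuine end of input */
                return count;
        } else {
            len++;
        }
    }
}

/* Does plain char sign-extend on this compiler? (1 on x86 gcc/clang.) */
int plain_char_is_signed(void) { return (char)0xFF < 0; }

int main(void) {
    /* Constructed input: "ls", byte 0xFF, "who" - the advisory's case. */
    const char *line = "ls\377who";
    printf("plain char signed: %d\n", plain_char_is_signed());
    printf("buggy reader sees %d command(s)\n", count_commands(line, get_char_buggy));
    printf("fixed reader sees %d command(s)\n", count_commands(line, get_char_fixed));
    return 0;
}
```

With the buggy reader the single line is split into "ls" and "who"; with the unsigned widening the 0xFF byte is just another character of one command.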
Web Author: Ian! D. Allen idallen@idallen.ca Updated: 2003-01-19 05:50. This work is licensed under a Creative Commons License.