Subject: bin/21048: systrace: Off-by-one bug
To: None <gnats-bugs@gnats.netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 04/07/2003 01:53:00
>Number:         21048
>Category:       bin
>Synopsis:       systrace: Off-by-one bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 06 16:54:00 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6Q
>Organization:
>Environment:
NetBSD cyclonus 1.6Q NetBSD 1.6Q (STARSCREAM) #0: Sun Apr  6 00:39:54
CEST 2003  bin@cyclonus:/usr/obj/sys/arch/i386/compile/STARSCREAM i386

>Description:

systrace uses the definition of MAXLOGNAME to determine the
buffer size in /bin/systrace/intercept.h and /bin/systrace/systrace.c.
According to /usr/include/sys/param.h this definition seems to be
deprecated but the real problem is that LOGIN_NAME_MAX includes the
trailing NUL while MAXLOGNAME does not. Thus, strlcpy() prevents a
buffer overrun but it will truncate the username if it's long enough.

>How-To-Repeat:

# useradd -m abcdefghijklmnop
# su -l abcdefghijklmnop
% systrace -A /bin/ls
% systrace -a /bin/ls /usr

/var/log/messages:

Apr  7 01:13:51 cyclonus systrace: deny user: abcdefghijklmno, prog:
/bin/ls, pid: 21359(0)[0], policy: /bin/ls, filters: 19, syscall:
netbsd-fsread(5), filename: /usr/share/nls/nls.alias

Note the missing "p" at the end of username.

>Fix:
Bump the buffer size by (at least) one (use LOGIN_NAME_MAX?) and add
checks for the result value of strl.* and sn.* everywhere.

-- 
Christian
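The truncation this report describes, as an added example that is not part of the report or of systrace's own source: a buffer sized by MAXLOGNAME silently drops the last character of a 16-character user name, while a LOGIN_NAME_MAX-sized buffer plus a checked strlcpy() result refuses any name that would not fit. The values 16 and 17 for the two constants and the ex_strlcpy helper (a local stand-in with strlcpy(3) semantics so the program builds without a BSD libc) are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>

/* Assumed values (not taken from the report): NetBSD's LOGIN_NAME_MAX counts
 * the trailing NUL and MAXLOGNAME is one less. 16/17 match the report's log,
 * where a 16-character name was logged with 15 characters. */
#define EX_MAXLOGNAME     16
#define EX_LOGIN_NAME_MAX 17

/* Local stand-in with strlcpy(3) semantics: copies at most size-1 bytes,
 * always NUL-terminates when size > 0 and returns strlen(src), so a result
 * >= size tells the caller that the copy was truncated. */
static size_t ex_strlcpy(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    if (size > 0) {
        size_t copy = n < size - 1 ? n : size - 1;
        memcpy(dst, src, copy);
        dst[copy] = '\0';
    }
    return n;
}

/* The pattern the report describes: MAXLOGNAME-sized buffer, return value
 * ignored. A 16-character name loses its last character without notice. */
void copy_user_bug(char *out, size_t outlen, const char *name)
{
    char buf[EX_MAXLOGNAME];
    ex_strlcpy(buf, name, sizeof(buf));
    ex_strlcpy(out, buf, outlen);
}

/* Fix along the lines the report proposes: LOGIN_NAME_MAX-sized buffer and
 * a checked result. Returns false rather than passing on a shortened name. */
bool copy_user_fixed(char *out, size_t outlen, const char *name)
{
    char buf[EX_LOGIN_NAME_MAX];
    if (ex_strlcpy(buf, name, sizeof(buf)) >= sizeof(buf))
        return false;
    return ex_strlcpy(out, buf, outlen) < outlen;
}
```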

>Release-Note:
>Audit-Trail:
>Unformatted: