Xref: sserve comp.os.386bsd.questions:11949 comp.os.386bsd.development:2358 comp.os.386bsd.misc:2941
Newsgroups: comp.os.386bsd.questions,comp.os.386bsd.development,comp.os.386bsd.misc
Path: sserve!newshost.anu.edu.au!munnari.oz.au!spool.mu.edu!howland.reston.ans.net!usc!elroy.jpl.nasa.gov!decwrl!netcomsv!netcom.com!jmonroy
From: jmonroy@netcom.com (Jesus Monroy Jr)
Subject: Re: Why does FreeBSD 1.1.5 say gets() is unsafe?
Message-ID: <jmonroyCtsv69.F79@netcom.com>
Followup-To: comp.os.386bsd.questions,comp.os.386bsd.development,comp.os.386bsd.misc
Organization: NETCOM On-line Communication Services (408 261-4700 guest)
X-Newsreader: TIN [version 1.2 PL1]
References: <30lrf3$2ii@acmez.gatech.edu> <ASAMI.94Jul25151654@forgery.cs.berkeley.edu> <311m2e$o33@agate.berkeley.edu> <311uec$4cm@grapevine.lcs.mit.edu> <1994Jul31.052235.13416@cs.brown.edu>
Date: Sun, 31 Jul 1994 10:15:44 GMT
Lines: 44

Mark Weaver (mhw@cs.brown.edu) wrote:
: In article <311uec$4cm@grapevine.lcs.mit.edu>,
: Garrett Wollman <wollman@ginger.lcs.mit.edu> wrote:
: >I wonder what it would take to convince gets() to execute `system("rm
: >-rf /")'...
: First let me say that a program which uses gets() is not inherently
: insecure if it only reads from a secure source (a trusted file or
: output from another trusted program).
: However, if it reads from an insecure source, and gets() reads into
: a local character array, it can be used to carefully overwrite the
: stack, so that when the function returns, it actually returns to
: the start of the system() routine in libc with a pointer to "rm
: -rf /" at the appropriate place on the stack. The pointer would
: be to a place slightly earlier in the stack which would also be
: overwritten.
:
: This may seem infeasible, but it really is quite doable. All you
: need to know is the load address of system() and the address of
: the stack pointer when the given routine is called.
:

In any system it may be said that some things may be secure, and some things may be insecure, but the question will persist: "is a core dump a good thing?" In the context of what I might describe as time, I see the passing of a moment that we describe as time. Paradox!?! Tell me that green is green, so that I might describe to you the paradox of the "color". Tell me that honesty is the same as truth, so that we both might see the difference between light and dark. Tell me that a "core dump" is a good thing.

--
Jesus Monroy Jr                                         jmonroy@netcom.com
Zebra Research
/386BSD/device-drivers /fd /qic /clock /documentation
___________________________________________________________________________
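The mechanism Mark Weaver describes above, the bytes of a long line running off the end of a local array into whatever sits above it on the stack, can be shown without actually smashing a frame. The following is an added example written for this archive page; it is not code from the original thread, from FreeBSD, or from any libc. It assumes a POSIX fmemopen() to feed constructed input, models "the stack frame" as one 64-byte array (the first 16 bytes are the local array a naive program would declare, the rest stand for what follows it: saved registers, the return address), and, because gets() was removed in C11 and current libcs no longer declare it, uses a local stand-in with gets()'s exact contract. Beside it is the hardened reader a practitioner would use instead: fgets() with the real buffer size, plus detection of lines that did not fit.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Stand-in for gets(): same contract, no bound. gets() was removed from
 * C11 and modern libcs do not declare it, so this mirrors its behaviour. */
static char *unbounded_gets(char *s, FILE *in)
{
    char *p = s;
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *p++ = (char)c;            /* nothing stops p from running past s */
    if (p == s && c == EOF)
        return NULL;
    *p = '\0';
    return s;
}

/* Hardened replacement. Returns 1 for a complete line (newline stripped),
 * 0 on EOF with nothing read, -1 if the line did not fit; in that case the
 * rest of the line is consumed so the caller stays in sync with the stream. */
static int bounded_getline(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return 0;
    char *nl = strchr(buf, '\n');
    if (nl) {
        *nl = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')     /* line ended exactly at the buffer's edge */
        return 1;
    while (c != EOF && c != '\n')  /* overlong: discard the remainder */
        c = fgetc(in);
    return -1;
}

enum { FIELD = 16, ARENA = 64 };

/* Model of a stack frame (assumption of this demo): the first FIELD bytes
 * are the local array the program declared; the bytes after it stand for
 * what follows on the stack. Fills the arena with a sentinel, reads `input`
 * into the "array" with the chosen reader, and returns how many bytes past
 * the array were overwritten. Keeping the whole frame in one array keeps
 * the demo well-defined; the real gets() writes into whatever is there. */
static size_t read_into_frame(const char *input, int use_gets, int *status)
{
    char arena[ARENA];
    if (strlen(input) >= ARENA)                /* keep the demo in bounds */
        return 0;
    memset(arena, 'Z', sizeof arena);          /* 'Z' marks untouched bytes */
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return 0;
    if (use_gets)
        *status = unbounded_gets(arena, in) ? 1 : 0;
    else
        *status = bounded_getline(arena, FIELD, in);
    fclose(in);
    size_t clobbered = 0;
    for (size_t i = FIELD; i < sizeof arena; i++)
        if (arena[i] != 'Z')
            clobbered++;
    return clobbered;
}

/* Wrappers so each result can be checked on its own. */
static size_t clobbered_by_gets(const char *input)
{
    int st;
    return read_into_frame(input, 1, &st);
}

static size_t clobbered_by_bounded(const char *input)
{
    int st;
    return read_into_frame(input, 0, &st);
}

static int bounded_status(const char *input)
{
    int st = 0;
    (void)read_into_frame(input, 0, &st);
    return st;
}

int main(void)
{
    /* Constructed input: a 20-character line, four more than the array holds. */
    const char *line = "AAAAAAAAAAAAAAAAAAAA\n";
    printf("gets-style reader clobbered %zu bytes past the array\n",
           clobbered_by_gets(line));
    printf("bounded reader clobbered %zu bytes, status %d\n",
           clobbered_by_bounded(line), bounded_status(line));
    return 0;
}
```

The five bytes the gets-style reader writes past the 16-byte array (20 characters plus the terminating NUL) are exactly the region an attacker fills with the chosen return address and the pointer to the argument string. The bounded reader never touches that region; it reports -1 for the overlong line so the caller can reject it rather than silently work on a truncated value, and it treats a line that ends exactly at the buffer's edge as complete rather than as an error.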