This ticket is to track progress for a cfengine audit. Sorry for putting it here, but I can't file restricted bugs under Audit yet :)
Logic error causing heap corruption in cfexecd

This is a non-exploitable segfault bug which is triggered by code run in response to parsing the -g flag to cfexecd. The result is a fairly quick segfault (a couple of seconds normally, depending on whether it has to wait for locks or not).

cfexecd.c:310:

nargv = malloc(sizeof(char *) * argc+2);

should be:

nargv = malloc(sizeof(char *) * (argc+2));

This request is smaller than intended, so when the data is written it corrupts the heap. As the stuff written to the heap is char * to argv elements, and not the user-entered data itself, I don't believe this is exploitable as there is no way to control what data is written to the chunk boundary.

The results of the bug can be seen by doing:

./cfexecd -g -- -- -- -- -- -- -- -- --

which segfaults on a calloc call because the heap is screwed. The author has been notified and I believe he's fixed it in his code. There is no security concern.
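Added example (not cfengine's code) showing why the precedence slip above under-allocates, and a hypothetical safe way to rebuild an argv array; the function names and the "-F" sample argument are assumptions, not taken from cfexecd.

```c
/* Added example, not cfengine's code: shows why the report's
 * malloc(sizeof(char *) * argc+2) is too small for argc+2 pointers,
 * and how a defensive rebuild of argv avoids the same mistake. */
#include <stdlib.h>
#include <string.h>

/* Bytes requested by the buggy expression: '*' binds tighter than
 * '+', so only 2 extra bytes are added, not two extra pointer slots. */
size_t buggy_request(int argc)
{
    return sizeof(char *) * (size_t)argc + 2;
}

/* Bytes actually needed for argc + 2 pointer slots. */
size_t fixed_request(int argc)
{
    return sizeof(char *) * ((size_t)argc + 2);
}

/* Bytes a full write of argc + 2 pointers lands past the buggy chunk. */
size_t overrun_bytes(int argc)
{
    return fixed_request(argc) - buggy_request(argc);
}

/* Hypothetical safe rebuild of argv with one extra argument plus a
 * terminating NULL. calloc takes the element count as its own
 * argument, so the precedence slip cannot recur, and the result is
 * checked before use. Returns NULL on bad input or allocation failure. */
char **build_nargv(int argc, char **argv, const char *extra)
{
    char **nargv;
    int i;

    if (argc < 0 || argv == NULL)
        return NULL;
    nargv = calloc((size_t)argc + 2, sizeof(char *));
    if (nargv == NULL)
        return NULL;
    for (i = 0; i < argc; i++)
        nargv[i] = argv[i];
    nargv[argc] = (char *)extra;  /* the added argument */
    nargv[argc + 1] = NULL;       /* argv-style terminator */
    return nargv;
}
```

On a 64-bit build the buggy request for nine arguments is 74 bytes where 88 are needed, so the last two pointer stores land outside the chunk, which matches the calloc crash the report describes.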
Memory leak in cfenvd.c

cfenvd.c:2038-ish mallocs before an if and only frees in one of the branches, which results in a memory leak. The patch below fixes it.

--- cfengine-2.1.13/src/cfenvd.c 2004-09-21 09:08:53.000000000 +0100 +++ cfengine-2.1.13.audit/src/cfenvd.c 2005-02-17 14:06:35.989978144 +0000 @@ -2038,10 +2038,9 @@ } } - p = (double *) malloc((total+1)*sizeof(double)); - if (total > min_signal_diversity) { + p = (double *) malloc((total+1)*sizeof(double)); for (i = 0,ip = addresses; ip != NULL; i++,ip=ip->next) { p[i] = ((double)(ip->counter))/((double)total);

This is a small leak and unlikely to be a big deal. I've sent this patch to the author.
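Review bot: the relocated `+ p = (double *) malloc((total+1)*sizeof(double));` is dereferenced straight away in `p[i] = ((double)(ip->counter))/((double)total);` with no NULL check, so an allocation failure becomes a write through a null pointer inside the loop; add `if (p == NULL)` with the function's error path between the allocation and the `for`. It would also help reviewers if the description named the branch that frees `p`, so the single owner of the allocation after this move can be confirmed from the patch alone.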
Further leaks in cfexecd.c: it doesn't clean up properly on shutdown. These are minor issues and shouldn't affect the system; it's just some missing free() on shutdown. One is easily fixed, the others are more complicated and I've left them for the author to sort.

diff -ru cfengine-2.1.13/src/nameinfo.c cfengine-2.1.13.audit/src/nameinfo.c --- cfengine-2.1.13/src/nameinfo.c 2005-01-20 18:31:10.000000000 +0000 +++ cfengine-2.1.13.audit/src/nameinfo.c 2005-02-17 14:42:43.781423752 +0000 @@ -150,7 +150,8 @@ AddClassToHeap(CanonifyName(sp)); - +free(sp); + if ((tloc = time((time_t *)NULL)) == -1) { printf("Couldn't read system clock\n");

There is a global named VARCH which is strdup'd to in nameinfo.c:257; this is never freed. It also seems that the lists set up by ArmClasses aren't torn down properly, but it's hard to know where this should be done. They are set up at cfenvd.c:801.
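Review bot: `+free(sp);` directly after `AddClassToHeap(CanonifyName(sp));` is only safe if neither `CanonifyName` nor `AddClassToHeap` keeps a pointer into `sp` (i.e. `CanonifyName` returns a copy or static buffer and `AddClassToHeap` copies what it is given); please confirm that in the description, and make sure `sp` is not read again later in the function, otherwise this trades a leak for a use-after-free. Minor: the added line sits at column 0 while the surrounding block is indented; match the existing indentation.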
A .bss overflow via the HOME environment variable, which is strcpy'd to a variable without length checks. This can cause a segfault but I can't see a way to exploit it (not that there's any point as it's not setuid, just interests me). Someone with more knowledge might be able to turn this into a leet "get a shell with the same privileges I already have" exploit.

$ export HOME=$(perl -e 'print ("x" x 47388)')
$ ./cfenvd
cfenvd: Will not create directories for a relative filename (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/.cfagent/test/state/test/state/cf_incoming.netbiosns/state/cf_outgoing.netbiosns/state/cf_incoming.netbiosdgm/state/cf_outgoing.netbiosdgm/state/cf_incoming.netbiosssn/state/cf_outgoing.netbiosssn/state/cf_incoming.irc/state/cf_learning.db
cfenvd: db_open: File name too long
Segmentation fault
$
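Added example (not cfengine's code) of the unchecked strcpy-of-HOME shape described above, beside a bounded replacement a maintainer could substitute; the buffer name, its size and the function names are assumptions, since the report does not name the destination variable.

```c
/* Added example, not cfengine's code: the unchecked strcpy of HOME the
 * report describes, beside a bounded replacement. The buffer name and
 * size are hypothetical; the report does not name the destination. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOMEBUF 256  /* hypothetical fixed-size .bss destination */

static char home_unsafe[HOMEBUF];
static char home_safe[HOMEBUF];

/* Vulnerable shape: strcpy trusts the length of an environment string
 * the user controls, so a HOME longer than the buffer writes past its
 * end and corrupts whatever follows it in .bss (the crash above). */
void read_home_unchecked(const char *home)
{
    strcpy(home_unsafe, home);
}

/* Hardened shape: look for the terminator within the buffer size
 * first, refuse anything that does not fit, then copy with an explicit
 * bound. Returns 0 on success, -1 if HOME is missing or too long. */
int read_home_checked(const char *home, char *dst, size_t dstlen)
{
    size_t n;

    if (home == NULL || dst == NULL || dstlen == 0)
        return -1;
    for (n = 0; n < dstlen; n++)     /* never reads past dstlen bytes */
        if (home[n] == '\0')
            break;
    if (n == dstlen)                 /* no NUL in range: too long */
        return -1;
    memcpy(dst, home, n + 1);        /* includes the terminator */
    return 0;
}

int main(void)
{
    if (read_home_checked(getenv("HOME"), home_safe, sizeof home_safe) != 0) {
        fprintf(stderr, "HOME unset or longer than %d bytes, refusing\n",
                HOMEBUF - 1);
        return 1;
    }
    printf("HOME accepted: %s\n", home_safe);
    return 0;
}
```

With the 47388-byte HOME from the report, the checked version refuses the value and exits instead of overwriting the static data that follows the buffer.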
Just for the record, all this has been sent to the author.
Any update on this?
Closing now. Lost all interest.