125172 – /sbin/init buffer overrun in argv[0]

Bug 125172 - /sbin/init buffer overrun in argv[0]

Summary: /sbin/init buffer overrun in argv[0]

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sysvinit
Sub Component:
Version:	2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Bill Nottingham
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	ReadOnlyFS
TreeView+	depends on / blocked

Reported:	2004-06-03 12:46 UTC by Alexander Larsson
Modified:	2014-03-17 02:45 UTC (History)
CC List:	1 user (show)
Fixed In Version:	2.85-28
Clone Of:
Environment:
Last Closed:	2004-06-03 14:47:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
don't overflow argv[0] (838 bytes, patch) 2004-06-03 12:49 UTC, Alexander Larsson	no flags	Details \| Diff
View All

Description Alexander Larsson 2004-06-03 12:46:03 UTC

When overwriting argv[0] to change the process title, init is
overflowing the buffer by one byte. This was causing it to overwrite
the environment, making children of init loose the environment
variables form the kernel.

I'm attaching a patch that fixes the overflow for me, but I'd like to
point out that maxproclen is used in a way that also might be broken.
The comment says that its supposed to count the length of argv[0], but
the length of any arguments are also added to it, and then a buffer of
that size starting from argv[0] is zeroed. Is it really guaranteed
that the arguments passed in argv[] are consecutive in memory? I'm not
sure.

Comment 1 Alexander Larsson 2004-06-03 12:49:41 UTC

Created attachment 100824 [details]
don't overflow argv[0]

Comment 2 Bill Nottingham 2004-06-03 14:47:41 UTC

Added in 2.85-28, thanks!

Comment 3 David Lawrence 2007-06-22 02:18:16 UTC

Package name is now sysvinit in latest Fedora.

Note You need to log in before you can comment on or make changes to this bug.