Red Hat Bugzilla – Bug 86164
Repeatable lockdev segfault (NULL pointer?)
Last modified: 2007-04-18 12:52:01 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021202
Description of problem:
I guess this isn't exploitable at all, but it is a setgid binary....
[jonny@pichu jonny]$ lockdev -l
[jonny@pichu jonny]$ lockdev -u
[jonny@pichu jonny]$ gdb `which lockdev`
GNU gdb Red Hat Linux (5.2.1-4)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)...
(gdb) set args -l
Starting program: /usr/sbin/lockdev -l
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x4207a893 in strrchr () from /lib/i686/libc.so.6
#0 0x4207a893 in strrchr () from /lib/i686/libc.so.6
#1 0x00000000 in ?? ()
The program is running. Exit anyway? (y or n) y
[jonny@pichu jonny]$ ls -l `which lockdev`
-rwxr-sr-x 1 root lock 12325 Jun 24 2002 /usr/sbin/lockdev
[jonny@pichu jonny]$ id
uid=500(jonny) gid=500(jonny) groups=500(jonny),13(news)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. run lockdev -u
2. or run lockdev -l
3. with no arguments
Actual Results: SEGV
Expected Results: print help!?
This was first reported to the full-disclosure list on Nov 22 2002. This is not
exploitable since there is no input to the program (other than the device name
but the segfault only occurs when this is missing). However we've fixed the bug
in lockdev-1.0.0-21, but will not be issuing an errata for older releases.
Thanks for reporting this issue.