From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021202 Description of problem: I guess this isn't exploitable at all, but it is a setgid binary.... [jonny@pichu jonny]$ lockdev -l Segmentation fault [jonny@pichu jonny]$ lockdev -u Segmentation fault [jonny@pichu jonny]$ [jonny@pichu jonny]$ gdb `which lockdev` GNU gdb Red Hat Linux (5.2.1-4) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"...(no debugging symbols found)... (gdb) set args -l (gdb) r Starting program: /usr/sbin/lockdev -l (no debugging symbols found)...(no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x4207a893 in strrchr () from /lib/i686/libc.so.6 (gdb) bt #0 0x4207a893 in strrchr () from /lib/i686/libc.so.6 #1 0x00000000 in ?? () (gdb) quit The program is running. Exit anyway? (y or n) y [jonny@pichu jonny]$ [jonny@pichu jonny]$ ls -l `which lockdev` -rwxr-sr-x 1 root lock 12325 Jun 24 2002 /usr/sbin/lockdev [jonny@pichu jonny]$ [jonny@pichu jonny]$ id uid=500(jonny) gid=500(jonny) groups=500(jonny),13(news) [jonny@pichu jonny]$ Version-Release number of selected component (if applicable): lockdev-1.0.0-20 How reproducible: Always Steps to Reproduce: 1. run lockdev -u 2. or run lockdev -l 3. with no arguments Actual Results: SEGV Expected Results: print help!? Additional info:
This was first reported to the full-disclosure list on Nov 22 2002. This is not exploitable since there is no input to the program (other than the device name but the segfault only occurs when this is missing). However we've fixed the bug in lockdev-1.0.0-21, but will not be issuing an errata for older releases. Thanks for reporting this issue.