On Wed, Jul 22, 2015 at 04:02:22PM +0100, Daniel Thompson wrote:
> 2015-07-22 5:19 GMT+02:00 Rich Felker <dal...@libc.org>:
> >On Sun, Jul 19, 2015 at 11:07:13PM +0200, Denys Vlasenko wrote:
> >>I would rather keep it.
> >>
> >>What is the "most horrible" thing which can happen here?
> >
> >Arbitrary code execution due to stack overflow. Does this really need
> >a PoC? alloca is _always_ unsafe unless the argument is bounded and
> >tiny.
>
> It would be interesting to know if ash ever automatically runs its
> tokenizer over environment variables.
>
> If the tokenizer can only run on the command stream then there's not
> much to be gained from overflowing the stack, since anyone who can
> inject an evil token into the command stream already has shell access.
This is not the case. A counterexample is eval acting on a string
constructed from untrusted input that was already validated to be safe
(e.g. to consist entirely of alphanumeric characters).

Rich
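The point of the reply is that a character-class check does not bound length: a string that is entirely alphanumeric can still be megabytes long, and once eval hands it to the tokenizer, any alloca sized by the token length is sized by the attacker. The following toy tokenizer is an added example, not code from this thread or from busybox's ash; STACK_TOKEN_MAX, process_token and scan_tokens are assumed names, and it shows the usual mitigation of keeping alloca bounded by a fixed constant and falling back to the heap for anything larger.

```c
#include <alloca.h>
#include <stdlib.h>
#include <string.h>

/* Constructed threshold for this example (not ash's own limit): a token
 * copy may live on the stack only up to this size; larger tokens go to
 * the heap so that an attacker-sized token cannot exhaust the stack. */
#define STACK_TOKEN_MAX 256

/* Copies one token into scratch space, counts its digits (stand-in for
 * real per-token work), and reports whether the heap had to be used.
 * Returns (size_t)-1 if the heap allocation fails. */
static size_t process_token(const char *tok, size_t len, int *used_heap)
{
    char *buf;
    *used_heap = len > STACK_TOKEN_MAX;
    if (*used_heap) {
        buf = malloc(len + 1);
        if (!buf) return (size_t)-1;
    } else {
        buf = alloca(len + 1);   /* bounded: at most STACK_TOKEN_MAX + 1 bytes */
    }
    memcpy(buf, tok, len);
    buf[len] = '\0';
    size_t digits = 0;
    for (size_t i = 0; buf[i]; i++)
        if (buf[i] >= '0' && buf[i] <= '9') digits++;
    if (*used_heap) free(buf);
    return digits;
}

/* Splits input on spaces. Returns how many tokens needed heap scratch
 * space and writes the total digit count to *digits_out. */
size_t scan_tokens(const char *input, size_t *digits_out)
{
    size_t heap_tokens = 0;
    *digits_out = 0;
    for (;;) {
        while (*input == ' ') input++;
        if (!*input) break;
        const char *start = input;
        while (*input && *input != ' ') input++;
        int used_heap;
        size_t d = process_token(start, (size_t)(input - start), &used_heap);
        if (d == (size_t)-1) return (size_t)-1;
        *digits_out += d;
        heap_tokens += used_heap;
    }
    return heap_tokens;
}
```

Feeding it a single 100000-character all-digit token, which an alphanumeric-only validation would have passed, routes that token to the heap while the short tokens still use the bounded stack path.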