unhide (part #1)

In the Linux package unhide, which is rootkit detection software.

// Temporary string for output
char scratch[1000] ;
char cmdcont[1000] ;


               size_t length ;
               char myexe[512] ;

//               printf("%s\n",myexe);

               length = readlink(myexe, cmdcont, 1000) ;

This use of readlink() is in a few places in the code. The trouble is that PATH_MAX isn't 1000.

# getconf -a|grep PATH_MAX
PATH_MAX                           4096
_POSIX_PATH_MAX                    4096

This probably leads to a rootkit bypass for unhide.


Popular posts from this blog

C++ Memory Corruption (std::vector) - part 2

Pointer Compression in V8

Linux Kernel Stack Smashing