From owner-freebsd-hackers@FreeBSD.ORG Tue Oct 12 19:07:26 2004
From: Shawn Webb <shawnwebb@softhome.net>
To: freebsd-hackers@freebsd.org
Date: Tue, 12 Oct 2004 18:54:45 -0600
Subject: malloc calls and ioctl calls to soundcard cause segfault
Message-Id: <200410121854.45986.shawnwebb@softhome.net>

I have stumbled upon a local DoS (non-kernel) while writing a VoIP app for FreeBSD. The DoS exists when two ioctl calls (or less/more?) are followed by a malloc call to malloc a pointer in global scope, which is then followed by two more (or less/more?) ioctl calls. The result is a stack smash, and upon return of the function, the program segfaults.

gdb output of the core dump:

    Core was generated by `a.out'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.5
    Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
    Loaded symbols for /libexec/ld-elf.so.1
    #0  0x00000080 in ?? ()

I am currently running:

    FreeBSD 5.3-BETA7 FreeBSD 5.3-BETA7 #2: Sun Oct 10 21:05:53 MDT 2004 shawn@:/usr/obj/usr/src/sys/LATERALUS i386

I have confirmed the same results on multiple FreeBSD machines, each running a different version spanning 4.10-RELEASE to 5.2.1-RELEASE (and my 5.3-BETA7 machine).

Shawn Webb
http://retoros.org:81/

(attached is the source code to the segfaulting application)
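The following is an added example, not code from the original post or its missing attachment, and the poster does not identify the cause of the crash. It shows the first check a practitioner would run on a program that smashes its own stack right after ioctl() calls: whether every argument buffer is at least as large as the length encoded in the command number, since the kernel copies that many bytes back to the user pointer for an IOC_OUT command (IOCPARM_LEN(cmd) on FreeBSD, _IOC_SIZE(cmd) on Linux; both macros are real). Passing a pointer to an `int` where the command encodes a larger struct overwrites whatever sits next to that `int` on the stack, which matches the symptom described. The device, the command numbers and the struct below are constructed for illustration; `checked_ioctl()` is a hypothetical wrapper, not a FreeBSD API.

```c
/*
 * Added example (not from the original post).  Hypothesis, not asserted
 * by the poster: an ioctl() argument smaller than the size encoded in the
 * command number lets the kernel's copy-out overwrite adjacent stack data.
 *
 * Real macros: _IOR/_IOWR (both OSes), IOCPARM_LEN (FreeBSD), _IOC_SIZE (Linux).
 * Constructed for illustration: the 'P' command group, the struct, checked_ioctl().
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>

#ifdef IOCPARM_LEN                       /* FreeBSD, other BSDs, macOS */
#define IOCTL_ARG_LEN(cmd) IOCPARM_LEN(cmd)
#else                                    /* Linux */
#define IOCTL_ARG_LEN(cmd) _IOC_SIZE(cmd)
#endif

/* Hypothetical device structure and command numbers (constructed). */
struct hyp_mixer_info {
    char id[16];
    char name[32];
    int  modify_counter;
};
#define HYP_GET_INFO _IOR('P', 1, struct hyp_mixer_info)   /* kernel copies out 52 bytes */
#define HYP_SET_FMT  _IOWR('P', 2, int)                    /* kernel copies in/out 4 bytes */

/* Number of bytes the kernel will copy in and/or out for this command. */
size_t ioctl_arg_len(unsigned long cmd)
{
    return (size_t) IOCTL_ARG_LEN(cmd);
}

/* 1 if a buffer of buf_len bytes is large enough for cmd, else 0. */
int ioctl_arg_fits(unsigned long cmd, size_t buf_len)
{
    return buf_len >= ioctl_arg_len(cmd);
}

/*
 * Hypothetical wrapper: refuse, with errno = EINVAL, to issue an ioctl whose
 * argument buffer is smaller than the encoded length.  Otherwise behaves like
 * ioctl(2).  The CHECKED_IOCTL macro derives the buffer size from the pointee.
 */
int checked_ioctl(int fd, unsigned long cmd, void *arg, size_t arg_len)
{
    if (!ioctl_arg_fits(cmd, arg_len)) {
        errno = EINVAL;
        return -1;
    }
    return ioctl(fd, cmd, arg);
}
#define CHECKED_IOCTL(fd, cmd, argp) \
    checked_ioctl((fd), (cmd), (argp), sizeof(*(argp)))

/*
 * Reproduces the mismatch without touching a device: an int passed where the
 * command encodes a struct.  Returns 1 if the wrapper refused it and the
 * correctly sized calls were accepted by the size check.
 */
int demo_mismatch(void)
{
    int fmt = 0;                     /* 4 bytes: right for HYP_SET_FMT only */
    struct hyp_mixer_info info;

    int bad_refused = (CHECKED_IOCTL(-1, HYP_GET_INFO, &fmt) == -1 && errno == EINVAL);
    int int_ok      = ioctl_arg_fits(HYP_SET_FMT, sizeof fmt);
    int struct_ok   = ioctl_arg_fits(HYP_GET_INFO, sizeof info);

    return bad_refused && int_ok && struct_ok;
}

int main(void)
{
    printf("HYP_GET_INFO copies %zu bytes, HYP_SET_FMT copies %zu bytes\n",
           ioctl_arg_len(HYP_GET_INFO), ioctl_arg_len(HYP_SET_FMT));
    printf("undersized argument refused before reaching the kernel: %s\n",
           demo_mismatch() ? "yes" : "no");
    return demo_mismatch() ? 0 : 1;
}
```

When auditing real sound-card code, apply the same check to each OSS command the program issues (the constants in `<sys/soundcard.h>` are built with the same `_IOR`/`_IOWR` macros) and compare the result with `sizeof` of the variable whose address is passed; a mismatch in either direction is a bug, and an undersized one is a stack overwrite.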