Date:      Fri, 01 Apr 2016 11:36:49 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add
Message-ID:  <bug-206761-8-pbkkE20U90@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-206761-8@https.bugs.freebsd.org/bugzilla/>
References:  <bug-206761-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761

--- Comment #14 from CTurt <cturt@hardenedbsd.org> ---
I've taken another look at the code and found another potential bug. I'm not
certain if this is a bug yet, but I'd also like to bring the following code
from `imgact_binmisc_add_entry` to attention:

        /* Make sure we don't have any invalid #'s. */
        p = xbe->xbe_interpreter;
        while (1) {
                p = strchr(p, '#');
                if (!p)
                        break;

                p++;
                switch(*p) {
                case ISM_POUND:
                        /* "##" */
                        p++;
                        break;

                case ISM_OLD_ARGV0:
                        /* "#a" */
                        p++;
                        break;

                case 0:
                default:
                        /* Anything besides the above is invalid. */
                        return (EINVAL);
                }
        }

From the comment, and the use of a loop, it seems like this code should be
checking that every '#' character in the string is followed by either another
'#' or an 'a' character; however, there is no way that this loop will ever be
executed more than once, since all conditions lead to `break` or `return`. In
its current form the code will only validate the first '#' character.

To instead check that _every_ '#' character is followed by a valid character
(and not just the first '#' character), the `case`s should `continue` the loop
as below:

        /* Make sure we don't have any invalid #'s. */
        p = xbe->xbe_interpreter;
        while (1) {
                p = strchr(p, '#');
                if (!p)
                        break;

                p++;
                switch(*p) {
                case ISM_POUND:
                        /* "##" */
                        p++;
                        continue;

                case ISM_OLD_ARGV0:
                        /* "#a" */
                        p++;
                        continue;

                case 0:
                default:
                        /* Anything besides the above is invalid. */
                        return (EINVAL);
                }
        }

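To see what each version of the loop accepts and rejects, the following stand-alone C program (an added example, not code from the bug report or from the FreeBSD source tree) reproduces both variants as user-space functions and runs them over a few constructed interpreter strings. The values of ISM_POUND and ISM_OLD_ARGV0 are assumed from the "##" and "#a" comments in the kernel code, and the function names check_pound_break, check_pound_continue and run_samples are illustrative. One point worth keeping in mind when reading the output: in C, a `break` inside a `switch` leaves only the `switch`, so the enclosing `while` comes back around to the next '#' either way; the samples whose second '#' is the bad one show how each variant handles that.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed values; the kernel comments show them as "##" and "#a". */
#define ISM_POUND     '#'
#define ISM_OLD_ARGV0 'a'

/*
 * The '#' check as it appears in imgact_binmisc_add_entry(), with
 * 'break' in each case.  Returns 0 if valid, EINVAL otherwise.
 */
int
check_pound_break(const char *interp)
{
	const char *p = interp;

	while (1) {
		p = strchr(p, '#');
		if (!p)
			break;		/* no more '#': leaves the while loop */
		p++;
		switch (*p) {
		case ISM_POUND:		/* "##" */
			p++;
			break;		/* leaves the switch only */
		case ISM_OLD_ARGV0:	/* "#a" */
			p++;
			break;		/* leaves the switch only */
		case 0:
		default:
			return (EINVAL);
		}
	}
	return (0);
}

/* The same check with the 'continue' statements proposed in the comment. */
int
check_pound_continue(const char *interp)
{
	const char *p = interp;

	while (1) {
		p = strchr(p, '#');
		if (!p)
			break;
		p++;
		switch (*p) {
		case ISM_POUND:		/* "##" */
			p++;
			continue;
		case ISM_OLD_ARGV0:	/* "#a" */
			p++;
			continue;
		case 0:
		default:
			return (EINVAL);
		}
	}
	return (0);
}

/* Constructed sample interpreter strings (not taken from the bug report). */
struct sample {
	const char *interp;
	int expected;		/* 0 = accept, EINVAL = reject */
};

static const struct sample samples[] = {
	{ "/usr/local/bin/qemu-arm-static", 0 },
	{ "/bin/interp #a", 0 },
	{ "/bin/interp ## #a", 0 },
	{ "/bin/interp #a #x", EINVAL },	/* second '#' is the bad one */
	{ "/bin/interp #a #", EINVAL },		/* trailing '#' after a good one */
};

/* Runs both versions over the samples; returns the number of mismatches. */
int
run_samples(void)
{
	size_t i, n = sizeof(samples) / sizeof(samples[0]);
	int mismatches = 0;

	for (i = 0; i < n; i++) {
		int b = check_pound_break(samples[i].interp);
		int c = check_pound_continue(samples[i].interp);

		printf("%-32s break:%-7s continue:%-7s\n", samples[i].interp,
		    b == 0 ? "ok" : "EINVAL", c == 0 ? "ok" : "EINVAL");
		if (b != samples[i].expected || c != samples[i].expected)
			mismatches++;
	}
	return (mismatches);
}

int
main(void)
{
	return (run_samples() != 0);
}
```

Compile with `cc -Wall -o pound_check pound_check.c && ./pound_check`; the exit status is non-zero if either variant disagrees with the expected verdict for any sample.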