From owner-freebsd-bugs@FreeBSD.ORG Tue Sep 15 21:20:09 2009
Date: Tue, 15 Sep 2009 21:13:24 GMT
From: Alexander Best
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/138860: [linux] linux_socketcall() causing buffer overflow
Message-Id: <200909152113.n8FLDOuw050919@www.freebsd.org>

>Number:         138860
>Category:       kern
>Synopsis:       [linux] linux_socketcall() causing buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 15 21:20:08 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Alexander Best
>Release:        9.0-CURRENT
>Organization:
>Environment:
FreeBSD otaku 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r197043: Sat Sep 12 01:07:56 CEST 2009     root@otaku:/usr/obj/usr/src/sys/ARUNDEL  i386
>Description:
The Linux Test Project (LTP) is a set of small scripts and binaries to test if an environment meets all the criteria necessary to be 100% compatible with Linux. Running the LTP scripts revealed a buffer overflow caused by linux_socketcall(), which emulates the Linux socketcall() syscall. The buffer overflow gets reported multiple times during a full LTP run, because several tests use the Linux socketcall() syscall and thus linux_socketcall(). One of the tests causing the buffer overflow is testcases/kernel/syscalls/bind/bind01. I've attached the source for bind01.

Here's the overflow report by REDZONE, which gets reported when the `bind01` binary is being run:

REDZONE: Buffer overflow detected. 9 bytes corrupted after 0xca667283 (3 bytes allocated).
Allocation backtrace:
#0 0xc070cc5a at redzone_setup+0x3a
#1 0xc05b9cf3 at malloc+0x1c3
#2 0xc0af993c at linux_getsockaddr+0x3c
#3 0xc0afa51e at linux_socketcall+0x73e
#4 0xc0760ea6 at syscall+0x2a6
#5 0xc0744800 at Xint0x80_syscall+0x20
Free backtrace:
#0 0xc070cbea at redzone_check+0x17a
#1 0xc05b99ad at free+0x5d
#2 0xc0afa556 at linux_socketcall+0x776
#3 0xc0760ea6 at syscall+0x2a6
#4 0xc0744800 at Xint0x80_syscall+0x20

I've marked this PR as high priority because the buffer overflow could pose a security threat and be used to execute harmful code.

cheers.
alex

[1] http://lists.freebsd.org/pipermail/freebsd-emulation/2009-September/006877.html
>How-To-Repeat:
cd /usr/ports/emulators/linux_dist-gentoo-stage3 && make install
cd /usr/local/gentoo-stage3
cvs -d:pserver:anonymous@ltp.cvs.sourceforge.net:/cvsroot/ltp login
cvs -z3 -d:pserver:anonymous@ltp.cvs.sourceforge.net:/cvsroot/ltp co ltp
chroot /usr/local/gentoo-stage3 bash
cd ltp && ./configure && make all install
cd testcases/kernel/syscalls/bind
./bind01
>Fix:
The problem probably lies in /usr/src/sys/compat/linux/linux_socket.c.

Patch attached with submission follows:

/*
 *
 *   Copyright (c) International Business Machines  Corp., 2001
 *
 *   This program is free software;  you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY;  without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
 *   the GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program;  if not, write to the Free Software
 *   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

/*
 * Test Name: bind01
 *
 * Test Description:
 *  Verify that bind() returns the proper errno for various failure cases
 *
 * Usage:
 *  bind01 [-c n] [-e] [-i n] [-I x] [-P x] [-t]
 *     where,  -c n : Run n copies concurrently.
 *             -e   : Turn on errno logging.
 *             -i n : Execute test n times.
 *             -I x : Execute test for x seconds.
 *             -P x : Pause for x seconds between iterations.
 *             -t   : Turn on syscall timing.
 *
 * HISTORY
 *	07/2001 Ported by Wayne Boyer
 *
 * RESTRICTIONS:
 *  None.
 *
 */

/* The system header names were lost in the list archive (the angle-bracket
 * includes were stripped); the standard headers bind01 needs are restored here. */
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>

#include "test.h"
#include "usctest.h"

char *TCID = "bind01";		/* Test program identifier.    */
int testno;

int s;				/* socket descriptor */
struct sockaddr_in sin1, sin2, sin3;
struct sockaddr_un sun1;

void setup(void), setup0(void), setup1(void), setup2(void),
cleanup(void), cleanup0(void), cleanup1(void);

struct test_case_t {		/* test case structure */
	int domain;		/* PF_INET, PF_UNIX, ... */
	int type;		/* SOCK_STREAM, SOCK_DGRAM ... */
	int proto;		/* protocol number (usually 0 = default) */
	struct sockaddr *sockaddr;	/* socket address buffer */
	int salen;		/* bind's 3rd argument */
	int retval;		/* syscall return value */
	int experrno;		/* expected errno */
	void (*setup) (void);
	void (*cleanup) (void);
	char *desc;
} tdat[] = {
#ifndef UCLINUX
	/* Skip since uClinux does not implement memory protection */
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)-1,
	  sizeof(struct sockaddr_in), -1, EFAULT, setup0, cleanup0,
	  "invalid sockaddr" },
#endif
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)&sin1, 3, -1,
	  EINVAL, setup0, cleanup0, "invalid salen" },
	{ 0, 0, 0, (struct sockaddr *)&sin1, sizeof(sin1), -1,
	  ENOTSOCK, setup1, cleanup1, "invalid socket" },
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)&sin2, sizeof(sin2), 0,
	  0, setup0, cleanup0, "INADDR_ANYPORT" },
	{ PF_UNIX, SOCK_STREAM, 0, (struct sockaddr *)&sun1, sizeof(sun1), -1,
	  EADDRINUSE, setup0, cleanup0, "UNIX-domain of current directory" },
	{ PF_INET, SOCK_STREAM, 0, (struct sockaddr *)&sin3, sizeof(sin3), -1,
	  EADDRNOTAVAIL, setup0, cleanup0, "non-local address" },
};

int TST_TOTAL = sizeof(tdat) / sizeof(tdat[0]);	/* Total number of test cases. */

int exp_enos[] = { EFAULT, EINVAL, ENOTSOCK, EADDRINUSE, EADDRNOTAVAIL, 0 };

extern int Tst_count;

int main(int argc, char *argv[])
{
	int lc;			/* loop counter */
	char *msg;		/* message returned from parse_opts */

	/* Parse standard options given to run the test. */
	msg = parse_opts(argc, argv, (option_t *) NULL, NULL);
	if (msg != (char *)NULL) {
		tst_brkm(TBROK, 0, "OPTION PARSING ERROR - %s", msg);
		tst_exit();
	}

	setup();

	/* Check looping state if -i option given */
	for (lc = 0; TEST_LOOPING(lc); ++lc) {
		Tst_count = 0;
		for (testno = 0; testno < TST_TOTAL; ++testno) {
			tdat[testno].setup();

			TEST(bind(s, tdat[testno].sockaddr, tdat[testno].salen));
			if (TEST_RETURN > 0) {
				TEST_RETURN = 0;
			} else {
				TEST_ERROR_LOG(TEST_ERRNO);
			}
			if (TEST_RETURN != tdat[testno].retval ||
			    (TEST_RETURN < 0 &&
			     TEST_ERRNO != tdat[testno].experrno)) {
				tst_resm(TFAIL, "%s ; returned"
					 " %ld (expected %d), errno %d (expected"
					 " %d)", tdat[testno].desc,
					 TEST_RETURN, tdat[testno].retval,
					 TEST_ERRNO, tdat[testno].experrno);
			} else {
				tst_resm(TPASS, "%s successful",
					 tdat[testno].desc);
			}
			tdat[testno].cleanup();
		}
	}
	cleanup();

	return 0;
}				/* End main */

void setup(void)
{
	/* set expected errnos for -e option */
	TEST_EXP_ENOS(exp_enos);

	TEST_PAUSE;		/* if -p option specified */

	/* initialize sockaddr's */
	sin1.sin_family = AF_INET;
	/* this port must be unused! */
	sin1.sin_port = htons((getpid() % 32768) + 10000);
	sin1.sin_addr.s_addr = INADDR_ANY;

	sin2.sin_family = AF_INET;
	sin2.sin_port = 0;
	sin2.sin_addr.s_addr = INADDR_ANY;

	sin3.sin_family = AF_INET;
	sin3.sin_port = 0;
	/* assumes 10.255.254.253 is not a local interface address! */
	sin3.sin_addr.s_addr = htonl(0x0AFFFEFD);

	sun1.sun_family = AF_UNIX;
	strncpy(sun1.sun_path, ".", sizeof(sun1.sun_path));
}

void cleanup(void)
{
	TEST_CLEANUP;
	tst_exit();
}

void setup0(void)
{
	s = socket(tdat[testno].domain, tdat[testno].type, tdat[testno].proto);
	printf("HIER!!!!\n");
	if (s < 0)
		tst_brkm(TBROK | TERRNO, cleanup,
			 "socket() failed for bind test %d", testno);
}

void cleanup0(void)
{
	(void)close(s);
}

void setup1(void)
{
	/* setup for the "not a socket" case */
	if ((s = open("/dev/null", O_WRONLY)) == -1)
		tst_brkm(TBROK | TERRNO, cleanup, "open(/dev/null) failed");
}

void cleanup1(void)
{
	s = -1;
}

>Release-Note:
>Audit-Trail:
>Unformatted:
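The backtrace shows the 3-byte allocation in linux_getsockaddr(), which matches the salen == 3 "invalid salen" case in bind01, but the PR does not state the root cause. The following is an added userland model of the Linux-to-BSD sockaddr conversion that such a routine performs, written from the defensive side; it is not FreeBSD's code, and the struct layouts, the domain map and convert_probe() are local stand-ins rather than the kernel's types. It validates the caller-supplied length against both the sa_len range and the family's fixed structure before any allocation or header write, so the salen == 3 AF_INET case is rejected with EINVAL (the errno bind01 expects) instead of reaching a 3-byte buffer.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the Linux (2-byte family) and BSD (sa_len first) layouts. */
struct linux_osockaddr { uint16_t sa_family; char sa_data[14]; };
struct bsd_sockaddr    { uint8_t sa_len, sa_family; char sa_data[14]; };
struct bsd_sockaddr_in { uint8_t sin_len, sin_family; uint16_t sin_port; uint32_t sin_addr; char sin_zero[8]; };
enum { LINUX_AF_UNIX = 1, LINUX_AF_INET = 2, BSD_AF_UNIX = 1, BSD_AF_INET = 2 };
/* Hypothetical domain map covering only the two families this example uses. */
static int linux_to_bsd_domain(int d) { return d == LINUX_AF_UNIX ? BSD_AF_UNIX : d == LINUX_AF_INET ? BSD_AF_INET : -1; }

/* Userland model of the conversion; 'usa' stands in for the user pointer and must hold salen bytes. */
int checked_getsockaddr(struct bsd_sockaddr **sap, const void *usa, int salen)
{
    const struct linux_osockaddr *osa = usa;
    struct bsd_sockaddr *sa; size_t alloc; int bdom;
    *sap = NULL;
    /* sa_len is a uint8_t, and the 2-byte family field must be present. */
    if (usa == NULL || salen < (int)sizeof(osa->sa_family) || salen > UCHAR_MAX)
        return EINVAL;
    if ((bdom = linux_to_bsd_domain(osa->sa_family)) == -1)
        return EAFNOSUPPORT;
    /* Family-specific minimum: an AF_INET address is a whole sockaddr_in. */
    if (bdom == BSD_AF_INET && salen < (int)sizeof(struct bsd_sockaddr_in))
        return EINVAL;          /* bind01's "invalid salen" (salen == 3) case */
    /* Never allocate less than the fixed header written through the cast. */
    alloc = (size_t)salen > sizeof(*sa) ? (size_t)salen : sizeof(*sa);
    if ((sa = calloc(1, alloc)) == NULL)
        return ENOMEM;
    memcpy(sa->sa_data, (const char *)usa + sizeof(osa->sa_family), (size_t)salen - sizeof(osa->sa_family));
    sa->sa_family = (uint8_t)bdom;
    sa->sa_len = (uint8_t)salen;
    *sap = sa;
    return 0;
}

/* Probe: convert a zeroed, constructed address of the given family and length;
 * returns the errno on rejection, or the resulting sa_len negated on success. */
int convert_probe(int linux_family, int salen)
{
    unsigned char buf[UCHAR_MAX] = { 0 };
    uint16_t fam = (uint16_t)linux_family;
    struct bsd_sockaddr *sa; int rc;
    memcpy(buf, &fam, sizeof(fam));
    rc = checked_getsockaddr(&sa, buf, salen);
    if (rc == 0) { rc = -sa->sa_len; free(sa); }
    return rc;
}
```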