Date: Thu, 14 Apr 2016 21:01:50 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 208807] DoS in gsstest
Message-ID: <bug-208807-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208807

            Bug ID: 208807
           Summary: DoS in gsstest
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

The `gsstest` function from `sys/kgssapi/gsstest.c` performs `malloc` with an
unlimited, user-controlled `size_t` value and the `M_WAITOK` flag. Passing
large values of `input_token.length` through the userland `args` would result
in a panic on systems where the `gsstest` kernel module is running.

sys/kgssapi/gsstest.c:

static int
gsstest(struct thread *td, struct gsstest_args *uap)
{
	int error;

	switch (uap->a_op) {
	case 1:
		return (gsstest_1(td));

	case 2: {
		struct gsstest_2_args args;
		struct gsstest_2_res res;
		gss_buffer_desc input_token, output_token;
		OM_uint32 junk;

		error = copyin(uap->a_args, &args, sizeof(args));
		if (error)
			return (error);
		input_token.length = args.input_token.length;
		input_token.value = malloc(input_token.length, M_GSSAPI, M_WAITOK);
		...

sys/kgssapi/gssapi.h:

typedef struct gss_buffer_desc_struct {
	size_t length;
	void *value;
} gss_buffer_desc, *gss_buffer_t;

After copying the arguments from userland, the length should be checked against
an upper limit.

-- 
You are receiving this mail because:
You are the assignee for the bug.
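The check the report asks for, as an added userland model that is not FreeBSD code and not part of the bug report: copyin(9) and the kernel allocator are replaced by memcpy() and a plain malloc() so the op-2 path can be exercised outside the kernel, and GSSTEST_MAX_TOKEN is an assumed cap chosen for the example, not a value taken from the report or the tree. The point is the position of the bound check: it must sit between the copy of the user-supplied arguments and the allocation, so a length such as SIZE_MAX is refused with an errno rather than being passed to malloc(..., M_WAITOK), where in the kernel it would panic instead of failing.

```c
/* Userland model of the gsstest(2) op 2 path from sys/kgssapi/gsstest.c.
 * Added example, not FreeBSD code. copyin() and the kernel allocator are
 * stubbed so the length check can be run and tested without a kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on an input token; not a value from the report. */
#define GSSTEST_MAX_TOKEN (64 * 1024)

typedef struct gss_buffer_desc_struct {
	size_t length;
	void *value;
} gss_buffer_desc;

/* Only the field the op-2 path reads before allocating is modelled. */
struct gsstest_2_args {
	gss_buffer_desc input_token;
};

/* Stand-in for copyin(9): a NULL user pointer plays the EFAULT case. */
static int
copyin_model(const void *uaddr, void *kaddr, size_t len)
{
	if (uaddr == NULL)
		return (EFAULT);
	memcpy(kaddr, uaddr, len);
	return (0);
}

/* The bound the report says is missing. Returns 0 if the user-supplied
 * length may be handed to the allocator, E2BIG otherwise. */
int
gsstest_check_token_len(size_t len)
{
	if (len > GSSTEST_MAX_TOKEN)
		return (E2BIG);
	return (0);
}

/* Op-2 path with the check inserted directly after copyin(). Returns 0 or
 * an errno; *allocated receives the bytes actually allocated (0 when the
 * request was rejected), so callers can see the cap took effect. */
int
gsstest_2_model(const struct gsstest_2_args *uargs, size_t *allocated)
{
	struct gsstest_2_args args;
	gss_buffer_desc input_token;
	int error;

	*allocated = 0;
	error = copyin_model(uargs, &args, sizeof(args));
	if (error)
		return (error);

	/* Bound the length before it reaches the allocator. Without this,
	 * the kernel path calls malloc(len, M_GSSAPI, M_WAITOK) with any
	 * size_t the caller chose. */
	error = gsstest_check_token_len(args.input_token.length);
	if (error)
		return (error);

	input_token.length = args.input_token.length;
	/* Userland malloc() returns NULL on failure instead of panicking;
	 * a zero-length token gets a one-byte allocation so NULL is never
	 * mistaken for success. */
	input_token.value = malloc(input_token.length ? input_token.length : 1);
	if (input_token.value == NULL)
		return (ENOMEM);
	*allocated = input_token.length;

	free(input_token.value);
	return (0);
}
```

In the real syscall the rejected request should also be visible to the caller as an error rather than silently truncated, which is why the model returns E2BIG instead of clamping the length; clamping would let the rest of the op run on a token that differs from what userland passed.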