Date: Mon, 25 Jul 2005 01:26:20 -0400
From: "Anish Mistry" <amistry@am-productions.biz>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org>
Cc: Harry Coin <harrycoin@qconline.com>
Subject: kern/84033: kenvp table size not checked
Message-ID: <1122269180.0@bigguy.am-productions.biz>
Resent-Message-ID: <200507250530.j6P5UAFF065608@freefall.freebsd.org>
>Number: 84033
>Category: kern
>Synopsis: kenvp table size not checked
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 25 05:30:09 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Anish Mistry
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
AM Productions
>Environment:
FreeBSD littleguy.am-productions.biz 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat Jul 23 17:27:32 EDT 2005 amistry@littleguy.am-productions.biz:/usr/obj/usr/src/sys/LITTLEGUY i386
>Description:
In kern_environment.c the kernel environment table size isn't checked and you can overflow the KENV_SIZE table size.
>How-To-Repeat:
Run as root the test script with a large value range, which causes the system to panic, e.g. ./test.sh 1 5555
The patch fixes the problem and limits the size of the table to KENV_SIZE-1 entries.
>Fix:
--- kern_environment.c.patch begins here ---
--- /sys/kern/kern_environment.c.orig Sat Jul 23 16:43:32 2005
+++ /sys/kern/kern_environment.c Sat Jul 23 16:46:28 2005
@@ -349,6 +349,11 @@
/* We add the option if it wasn't found */
for (i = 0; (cp = kenvp[i]) != NULL; i++)
;
+ if (i >= KENV_SIZE-1) {
+ sx_xunlock(&kenv_lock);
+ free(buf,M_KENV);
+ return (-1);
+ }
kenvp[i] = buf;
kenvp[i + 1] = NULL;
sx_xunlock(&kenv_lock);
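Review bot: the new early-return path ends in `return (-1);`, a bare -1 that tells the caller nothing about why the set failed. If this function otherwise reports failures with errno-style values, an explicit code for a full table would be clearer, and the callers should be checked to confirm they test the result now that the function can fail at this point. The bound itself holds for a table of KENV_SIZE slots: with `i >= KENV_SIZE-1` rejected, the largest `i` that reaches `kenvp[i + 1] = NULL` is KENV_SIZE-2, so the terminator lands in the last slot. Style: `KENV_SIZE-1` wants spaces around the operator and `free(buf,M_KENV)` a space after the comma, and a one-line comment above the check stating the limit would document why the entry is dropped.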
--- kern_environment.c.patch ends here ---
--- test.sh begins here ---
#!/bin/sh
#
#
START=$1
END=$2
COUNT=$START
while [ "$COUNT" -le "$END" ]
do
kenv $COUNT="$COUNT"
COUNT=`expr $COUNT + 1`
done
exit 0
--- test.sh ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
