From owner-freebsd-bugs@FreeBSD.ORG Mon Jul 18 19:30:13 2005
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C555A16A41C for ; Mon, 18 Jul 2005 19:30:13 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 285BD43D48 for ; Mon, 18 Jul 2005 19:30:13 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j6IJUCNw069440 for ; Mon, 18 Jul 2005 19:30:13 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j6IJUCr3069439; Mon, 18 Jul 2005 19:30:12 GMT (envelope-from gnats)
Resent-Date: Mon, 18 Jul 2005 19:30:12 GMT
Resent-Message-Id: <200507181930.j6IJUCr3069439@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Harry Coin
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AEC016A41C for ; Mon, 18 Jul 2005 19:21:40 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB22B43D45 for ; Mon, 18 Jul 2005 19:21:39 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j6IJLdw2026341 for ; Mon, 18 Jul 2005 19:21:39 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id j6IJLdsj026340; Mon, 18 Jul 2005 19:21:39 GMT (envelope-from nobody)
Message-Id: <200507181921.j6IJLdsj026340@www.freebsd.org>
Date: Mon, 18 Jul 2005 19:21:39 GMT
From: Harry Coin
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc:
Subject: misc/83687: no bounds check in kern_environment routine setenv, system crashes
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 18 Jul 2005 19:30:13 -0000

>Number:         83687
>Category:       misc
>Synopsis:       no bounds check in kern_environment routine setenv, system crashes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 18 19:30:12 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Harry Coin
>Release:        5.4
>Organization:
>Environment:
FreeBSD sueofficerm 5.4-RELEASE FreeBSD 5.4-RELEASE #23: Mon Jul 18 13:34:01 CDT 2005 root@server1.quietfountain.com:/usr/obj/usr/src/sys/DISKLESS i386
>Description:
The kernel kern_environment routine setenv allows dynamic additions and changes to the kernel environment (mostly hints) settings. When setenv can't find the environment variable to set to the passed-in value, it allocates a new one, gives it the passed-in name, then sets it to the value. The problem is there is no bounds checking when it is time to add a variable. Repeated adds (which can be called from the userland routine kenv) will just corrupt memory past the end of the array and eventually crash the system. Bugfix below.
>How-To-Repeat:
Just use kenv to add new variables until the system dies. Somewhere after 512 total variables. Bugfix below.
>Fix:
--- /usr/src/sys/kern/kern_environment.c Thu Mar 10 11:09:16 2005
+++ /mnt/server1/usr/src/sys/kern/kern_environment.c Mon Jul 18 13:57:01 2005
@@ -349,6 +349,11 @@ /* We add the option if it wasn't found */ for (i = 0; (cp = kenvp[i]) != NULL; i++) ; + if (i>=KENV_SIZE-1) { // prevent kernel memory corruption due to runaway growth + free(buf,M_KENV); + sx_xunlock(&kenv_lock); + return -1; + } kenvp[i] = buf; kenvp[i + 1] = NULL; sx_xunlock(&kenv_lock); >Release-Note: >Audit-Trail: >Unformatted:
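Review bot: `i>=KENV_SIZE-1` is a bare constant with no link to how kenvp is actually sized, and the off-by-one hinges on that: the add writes both `kenvp[i]` and the terminator `kenvp[i + 1]`, so if kenvp is allocated with KENV_SIZE + 1 pointers (KENV_SIZE strings plus the NULL) the exact limit is `i >= KENV_SIZE` and the stricter bound here quietly loses one usable slot, while if it holds exactly KENV_SIZE pointers the bound is right. Either way, derive the limit from the allocation (or comment which size it assumes) so the two cannot drift. The check also runs after `buf` has already been allocated; testing the count before the malloc avoids the allocate-then-free on the failure path. Please confirm that the callers of setenv() propagate the new -1, otherwise kenv(8) will see the variable silently dropped with no error. style(9) nits on the added lines: use `/* */` rather than `//`, and write `free(buf, M_KENV);`, `if (i >= KENV_SIZE - 1)` and `return (-1);`.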
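The overflow described in the PR and the bounded add, modelled in userland as an added example; this is not code from the PR, from kern_environment.c or from FreeBSD. Assumptions made here and not stated on the page: kenvp is sized for KENV_SIZE strings plus the terminating NULL (KENV_SIZE + 1 slots), the GUARD_SLOTS after it and the "hint.pr83687.N.at" names are invented for the demonstration, and the bound used is `i >= KENV_SIZE` for that assumed size (the PR's `i >= KENV_SIZE-1` is one stricter and also safe). Running it shows KENV_SIZE + 2 unchecked adds writing past the array while the checked path keeps exactly KENV_SIZE entries and returns -1 for the rest:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the dynamic kernel environment: a NULL-terminated
 * array of "name=value" strings. Assumed (not stated in the PR): kenvp holds
 * KENV_SIZE strings plus the terminator, i.e. KENV_SIZE + 1 slots. The
 * GUARD_SLOTS after it stand in for whatever memory follows the real array. */
#define KENV_SIZE   512
#define GUARD_SLOTS 4

static const char guard_marker[] = "GUARD";
static char *kenvp[KENV_SIZE + 1 + GUARD_SLOTS];
static int last_rc;		/* result of the most recent add */

static void
kenv_reset(void)
{
	size_t i;
	for (i = 0; i < KENV_SIZE + 1 + GUARD_SLOTS; i++) {
		if (kenvp[i] != NULL && kenvp[i] != guard_marker)
			free(kenvp[i]);
		kenvp[i] = (i <= KENV_SIZE) ? NULL : (char *)guard_marker;
	}
}

/* Like _getenv_dynamic(): index of "name=..." or -1 if absent. */
static int
kenv_find(const char *name)
{
	size_t len = strlen(name);
	int i;
	for (i = 0; kenvp[i] != NULL; i++)
		if (strncmp(kenvp[i], name, len) == 0 && kenvp[i][len] == '=')
			return (i);
	return (-1);
}

/* setenv() as the PR describes it. bounded == 0: walk to the terminator and
 * store blindly, so once i == KENV_SIZE the entry and its NULL land past the
 * array. bounded != 0: refuse unless both the entry and the NULL fit. */
static int
kenv_setenv(const char *name, const char *value, int bounded)
{
	size_t n = strlen(name) + strlen(value) + 2;
	char *buf = malloc(n);
	int i;
	if (buf == NULL)
		abort();
	snprintf(buf, n, "%s=%s", name, value);
	if ((i = kenv_find(name)) >= 0) {	/* existing name: replace */
		free(kenvp[i]);
		kenvp[i] = buf;
		return (0);
	}
	for (i = 0; kenvp[i] != NULL; i++)
		;
	if (bounded && i >= KENV_SIZE) {	/* slot KENV_SIZE is for the NULL */
		free(buf);
		return (-1);
	}
	kenvp[i] = buf;
	kenvp[i + 1] = NULL;
	return (0);
}

/* 1 if no guard slot was written, 0 if an add overran the array. */
static int
guard_intact(void)
{
	size_t i;
	for (i = KENV_SIZE + 1; i < KENV_SIZE + 1 + GUARD_SLOTS; i++)
		if (kenvp[i] != guard_marker)
			return (0);
	return (1);
}

static int kenv_count(void) { int i; for (i = 0; kenvp[i] != NULL; i++) ; return (i); }
static int kenv_last_rc(void) { return (last_rc); }

/* Add n distinct hint-style variables the way a kenv(8) loop would; the
 * "hint.pr83687.N.at" names are made up here. Returns guard_intact(). */
static int
fill_kenv(int n, int bounded)
{
	char name[40];
	int k;
	kenv_reset();
	last_rc = 0;
	for (k = 0; k < n; k++) {
		snprintf(name, sizeof(name), "hint.pr83687.%d.at", k);
		last_rc = kenv_setenv(name, "0x100", bounded);
	}
	return (guard_intact());
}

int
main(void)
{
	int n = KENV_SIZE + 2, ok;
	ok = fill_kenv(n, 0);
	printf("unchecked: %d adds, after-array memory %s, %d entries\n",
	    n, ok ? "intact" : "CLOBBERED", kenv_count());
	ok = fill_kenv(n, 1);
	printf("checked:   %d adds, after-array memory %s, %d entries, last rc %d\n",
	    n, ok ? "intact" : "CLOBBERED", kenv_count(), kenv_last_rc());
	return (0);
}
```

Build with `cc -Wall -o kenvfill kenvfill.c` (a hypothetical file name). The guard slots only make the overrun visible without undefined behaviour; in the kernel the same two stores hit whatever happens to be allocated after kenvp, which is why the failure in the PR shows up as a crash some time after the 512th variable rather than as an immediate fault.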