From owner-freebsd-bugs@FreeBSD.ORG Sun Jan 11 21:30:03 2009 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8AC271065675 for ; Sun, 11 Jan 2009 21:30:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 60E348FC1C for ; Sun, 11 Jan 2009 21:30:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n0BLU3kj026666 for ; Sun, 11 Jan 2009 21:30:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n0BLU3i1026663; Sun, 11 Jan 2009 21:30:03 GMT (envelope-from gnats) Resent-Date: Sun, 11 Jan 2009 21:30:03 GMT Resent-Message-Id: <200901112130.n0BLU3i1026663@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Nikolaos Rangos Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 379561065676 for ; Sun, 11 Jan 2009 21:23:37 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 0BA058FC08 for ; Sun, 11 Jan 2009 21:23:37 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n0BLNaw8018755 for ; Sun, 11 Jan 2009 21:23:36 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id n0BLNano018753; Sun, 11 Jan 2009 21:23:36 GMT (envelope-from nobody) Message-Id: <200901112123.n0BLNano018753@www.freebsd.org> Date: Sun, 11 Jan 2009 21:23:36 GMT From: Nikolaos Rangos To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: kern/130391: Normal users can crash 7.0-RELEASE through "kenv" syscall X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Jan 2009 21:30:03 -0000 >Number: 130391 >Category: kern >Synopsis: Normal users can crash 7.0-RELEASE through "kenv" syscall >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Jan 11 21:30:02 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Nikolaos Rangos >Release: FreeBSD 7.0 RELEASE >Organization: >Environment: FreeBSD localhost.Belkin 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008 root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 80 megs of RAM :) in a VM >Description: While digging for kernel bugs in FreeBSD 7.0-RELEASE I found the following: There is an unchecked call to malloc() in the kenv() syscall. Any value greater zero may be passed from user space to malloc(). Code snippet taken from sys/kern/kern_environment.c (FreeBSD 7.0): 80 kenv(td, uap) 81 struct thread *td; 82 struct kenv_args /* { 83 int what; 84 const char *name; 85 char *value; 86 int len; 87 } */ *uap; 88 { 89 char *name, *value, *buffer = NULL; 90 size_t len, done, needed; 91 int error, i; 92 93 KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0")); 94 95 error = 0; 96 if (uap->what == KENV_DUMP) { 97 #ifdef MAC 98 error = mac_check_kenv_dump(td->td_ucred); 99 if (error) 100 return (error); 101 #endif 102 done = needed = 0; 103 if (uap->len > 0 && uap->value != NULL) 104 [1] buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO); 105 mtx_lock(&kenv_lock); At line 104 uap->len is taken as an argument to malloc() without a size check what makes normal local users able to crash the kernel because of a large memory allocation. The len argument is in this case an int so the greatest value that can be taken by a normal user is 0x7fffffff. FreeBSD 6.4 and MAYBE previous versions of FreeBSD do NOT contain this bug as there is no such call to malloc(). >How-To-Repeat: Use this small testing program: #include #include main() { char env[100]; kenv(KENV_DUMP, NULL, env, 0x7fffffff); } >Fix: >Release-Note: >Audit-Trail: >Unformatted: