From owner-freebsd-bugs Thu Nov 28  6:20: 9 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Message-Id: <20021128141838.7FEC41388F@atrbg11.informatik.tu-muenchen.de>
Date: Thu, 28 Nov 2002 15:18:38 +0100 (CET)
From: Daniel Lang
Reply-To: Daniel Lang
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/45824: malloc() overflow bug

>Number:         45824
>Category:       bin
>Synopsis:       malloc() overflow bug
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 28 06:20:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Daniel Lang
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
LEO
>Environment:
System: FreeBSD atrbg11.informatik.tu-muenchen.de 4.7-STABLE FreeBSD 4.7-STABLE #14: Mon Nov 18 08:57:20 CET 2002 root@atrbg11.informatik.tu-muenchen.de:/usr/obj/usr/src/sys/ATRBG11 i386

>Description:
malloc() can be passed a large argument, such that the new break address overflows and the segment size is actually reduced, causing the application to crash anywhere.

>How-To-Repeat:
Example code to crash (the six headers below are the ones the program needs; the angle brackets were lost in the archive):

#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>

int main(void)
{
    struct passwd *p;
    char *buffer1, *buffer2;
    int i;

    /* allocate say 80 MB */
    buffer1 = malloc(80*1024*1024*sizeof(char));
    if(!buffer1) {
        fprintf(stderr,"Could not even allocate buffer1\n");
        exit(-1);
    }

    /* now allocate so much, that we get a close overflow:
     * -83876080 becomes 4211091216 as a 32-bit size_t, i.e. a request
     * that lands just beyond the 4 GB address space once added to the
     * current break */
    buffer2 = malloc(-83876080);
    if(!buffer2) {
        fprintf(stderr,"malloc() of buffer2 fails as expected, no exit\n");
    }

    /* do something else */
    fprintf(stdout,"doing other things, but don't touch buffer2\n");
    p = getpwuid(getuid());
    fprintf(stdout,"getpwuid: Name: %s\n",p->pw_name);

    /* write something to buffer1 (stays well inside the 80 MB) */
    for(i=0; i<8388608; ++i) {
        strlcpy(buffer1+i,"0123456789",11);
    }
    p = getpwuid(getuid());
    fprintf(stdout,"getpwuid: Name: %s\n",p->pw_name);
    exit(0);
}
[..]
atrbg11:~/tmp>gcc -Wall -g -o malloc_test malloc_test.c
atrbg11:~/tmp>./malloc_test
zsh: segmentation fault (core dumped)  ./malloc_test
atrbg11:~/tmp>gdb ./malloc_test malloc_test.core
GNU gdb 4.18 (FreeBSD)
[..]
Core was generated by `malloc_test'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x280de255 in isatty () from /usr/lib/libc.so.4
(gdb) bt
#0  0x280de255 in isatty () from /usr/lib/libc.so.4
#1  0x280de56d in isatty () from /usr/lib/libc.so.4
#2  0x280dec79 in malloc () from /usr/lib/libc.so.4
#3  0x8048645 in main () at malloc_test.c:24
#4  0x804855a in _start ()
(gdb)

(unfortunately I did not have the libc.so.4 with symbols at hand).

Please note that the program _never_ touches buffer2 and still crashes!

>Fix:
--- src/lib/libc/stdlib/malloc.c.orig	Thu Nov 28 09:51:09 2002
+++ src/lib/libc/stdlib/malloc.c	Thu Nov 28 09:53:00 2002
@@ -307,6 +307,14 @@
     result = (caddr_t)pageround((u_long)sbrk(0));
     tail = result + (pages << malloc_pageshift);
 
+    /* check for overflow */
+    if(tail < result) {
+#ifdef EXTRA_SANITY
+	wrterror("(ES): overflow in map_pages; failed\n");
+#endif /* EXTRA_SANITY */
+	return 0;
+    }
+
     if (brk(tail)) {
 #ifdef EXTRA_SANITY
 	wrterror("(ES): map_pages fails\n");
>Release-Note:
>Audit-Trail:
>Unformatted:
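Review bot: the added `if(tail < result)` check catches the pointer addition wrapping, but the `pages << malloc_pageshift` term on the context line just above it can already wrap on its own, producing a small `tail` that sits above `result` and passes the check; testing `pages` against `(~(u_long)0) >> malloc_pageshift` before the shift (or computing the length as a `u_long` and comparing it against the distance from `result` to the top of the address space) would make both cases return 0. Comparing two `caddr_t` values after the addition has wrapped also relies on the flat i386 address model; doing the comparison on `u_long` values, as the preceding `pageround((u_long)sbrk(0))` already does, keeps it well-defined.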
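The arithmetic behind the report, as an added example that is not part of the PR or of FreeBSD's malloc.c: the break computation from map_pages() is modelled on 32-bit addresses (to reproduce the i386 case), once unchecked, to show how the request from the test program yields a "new break" below the current one, and once with every step checked for wrap (the rounding, the shift and the addition). The 4 KiB page size, the constructed break value 0x0D100000 and the function names are assumptions, and the checked version returns 0 on overflow just as the patch does.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not the libc code from the PR): the break computation of
 * map_pages() modelled on 32-bit addresses with wrap checks at each step.
 * Assumed: 4 KiB pages (PAGE_SHIFT 12), matching the i386 system reported.
 */
typedef uint32_t addr_t;
#define ADDR_MAX   UINT32_MAX
#define PAGE_SHIFT 12
#define PAGE_MASK  (((addr_t)1 << PAGE_SHIFT) - 1)

/* Round a request in bytes up to whole pages; 0 means "not representable". */
addr_t pages_for_request(addr_t nbytes)
{
    if (nbytes > ADDR_MAX - PAGE_MASK)      /* nbytes + PAGE_MASK would wrap */
        return 0;
    return (nbytes + PAGE_MASK) >> PAGE_SHIFT;
}

/* The original, unchecked computation: the sum silently wraps modulo 2^32. */
addr_t new_break_unchecked(addr_t cur_brk, addr_t pages)
{
    addr_t result = (cur_brk + PAGE_MASK) & ~PAGE_MASK;   /* pageround() */
    return result + (pages << PAGE_SHIFT);
}

/* Checked computation: returns 0 (like the patch) when any step would wrap. */
addr_t new_break_checked(addr_t cur_brk, addr_t pages)
{
    if (cur_brk > ADDR_MAX - PAGE_MASK)     /* pageround() itself would wrap */
        return 0;
    addr_t result = (cur_brk + PAGE_MASK) & ~PAGE_MASK;

    if (pages > (ADDR_MAX >> PAGE_SHIFT))   /* the shift would drop high bits */
        return 0;
    addr_t len = pages << PAGE_SHIFT;

    if (len > ADDR_MAX - result)            /* result + len would wrap: the PR's bug */
        return 0;
    return result + len;
}

int main(void)
{
    /* Constructed scenario: the break sits just past the 80 MB buffer1. */
    addr_t cur_brk = 0x0D100000u;
    /* The test program's request, malloc(-83876080), as a 32-bit size_t. */
    addr_t request = (addr_t)-83876080;
    addr_t pages = pages_for_request(request);

    printf("request %u bytes = %u pages\n", request, pages);
    printf("unchecked tail 0x%08x, below the current break 0x%08x\n",
           new_break_unchecked(cur_brk, pages), cur_brk);
    printf("checked tail   %u (0 = rejected)\n", new_break_checked(cur_brk, pages));
    return 0;
}
```

The unchecked tail for the report's request comes out at 0x08103000, which is below the break the program started from; a brk() to that address shrinks the data segment under the allocator's own bookkeeping, which is why the crash in the backtrace is inside malloc() itself rather than on a later access to buffer2.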