Date: Fri, 23 Jan 2004 06:50:18 -0800 (PST) From: Redmar Kerkhoff <redmar@interrupt.nl> To: freebsd-bugs@FreeBSD.org Subject: Re: kern/61513: kernel gets into a panic to put invalid value in setsockopt Message-ID: <200401231450.i0NEoIYA007382@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/61513; it has been noted by GNATS.
From: Redmar Kerkhoff <redmar@interrupt.nl>
To: freebsd-gnats-submit@FreeBSD.org, katsuhisa.abe@nifty.com
Cc: redmar@interrupt.nl
Subject: Re: kern/61513: kernel gets into a panic to put invalid value in setsockopt
Date: Fri, 23 Jan 2004 15:44:42 +0100
>Description:
"When I put unproper value (uninitialzed pointer) into the 4th argument, "optval" for setsockopt,
then kernel starts to reboot (not generate core)."
i have traced the problem down to ip6_setpktoption() but the actual
problem lies in unitialized pointer assignment in setsockopt.
(found in /sys/kern/uipc_syscalls.c) The setsockopt call is forwarding
de optval information from userland without handling any address errors.
( sopt.sopt_val = uap->val; ) finally exploding in this case at
ip6_setpktoption().
i looked at netbsd and openbsd and they we're both resistent to
this bug. the fix is more or less derived from their getsockopt handling.
here's the fix against 5.2-RELEASE. (but can also be applied to current afaik)
(the only little problem now is the double assignment of sopt.sopt_val, options are
removing the assignment in the mutex lock or putting the copyin in the mutex
lock )
>Fix:
--- uipc_syscalls.orig Fri Jan 23 10:38:46 2004
+++ uipc_syscalls.c Fri Jan 23 10:27:33 2004
@@ -1308,6 +1308,10 @@
return (EFAULT);
if (uap->valsize < 0)
return (EINVAL);
+
+ error = copyin(uap->val, &sopt.sopt_val, sizeof(sopt.sopt_val));
+ if (error)
+ return (error);
mtx_lock(&Giant);
if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200401231450.i0NEoIYA007382>