From owner-freebsd-bugs@FreeBSD.ORG Fri Jan 23 06:50:21 2004
Date: Fri, 23 Jan 2004 06:50:18 -0800 (PST)
Message-Id: <200401231450.i0NEoIYA007382@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Redmar Kerkhoff
Subject: Re: kern/61513: kernel gets into a panic to put invalid value in setsockopt
Reply-To: Redmar Kerkhoff
List-Id: Bug reports
X-List-Received-Date: Fri, 23 Jan 2004 14:50:21 -0000

The following reply was made to PR kern/61513; it has been noted by GNATS.
From: Redmar Kerkhoff
To: freebsd-gnats-submit@FreeBSD.org, katsuhisa.abe@nifty.com
Cc: redmar@interrupt.nl
Subject: Re: kern/61513: kernel gets into a panic to put invalid value in setsockopt
Date: Fri, 23 Jan 2004 15:44:42 +0100

>Description:
"When I put an improper value (uninitialized pointer) into the 4th argument, "optval" for setsockopt, then the kernel starts to reboot (not generate core)."

I have traced the problem down to ip6_setpktoption(), but the actual problem lies in the uninitialized pointer assignment in setsockopt (found in /sys/kern/uipc_syscalls.c). The setsockopt call is forwarding the optval information from userland without handling any address errors ( sopt.sopt_val = uap->val; ), finally exploding in this case at ip6_setpktoption().

I looked at NetBSD and OpenBSD and they were both resistant to this bug. The fix is more or less derived from their getsockopt handling.

Here's the fix against 5.2-RELEASE (but it can also be applied to current afaik). (The only little problem now is the double assignment of sopt.sopt_val; options are removing the assignment in the mutex lock or putting the copyin in the mutex lock.)

>Fix:
--- uipc_syscalls.orig	Fri Jan 23 10:38:46 2004
+++ uipc_syscalls.c	Fri Jan 23 10:27:33 2004
@@ -1308,6 +1308,10 @@
 		return (EFAULT);
 	if (uap->valsize < 0)
 		return (EINVAL);
+
+	error = copyin(uap->val, &sopt.sopt_val, sizeof(sopt.sopt_val));
+	if (error)
+		return (error);
 	mtx_lock(&Giant);
 	if ((error = fgetsock(td, uap->s, &so, NULL)) == 0) {
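Review bot: the added line "error = copyin(uap->val, &sopt.sopt_val, sizeof(sopt.sopt_val));" does not validate the user pointer, it copies the first pointer-sized bytes of the user's option payload into the kernel's sopt_val field, so after this hunk sopt.sopt_val holds option data instead of the address uap->val. The patch only appears to work because the existing "sopt.sopt_val = uap->val;" inside the Giant lock (the "double assignment" the cover note mentions) later overwrites it with the real pointer again; the proposed cleanup of removing that assignment would break every setsockopt caller. Even as a probe it is weak: it checks sizeof(void *) bytes rather than uap->valsize (reading past a short option buffer), and a user mapping can disappear between this copyin and the point where the value is actually consumed, so the consumer that finally dereferences sopt_val (here the ip6_setpktoption() path) must itself fetch the option via copyin()/sooptcopyin() and return EFAULT on failure. If an early rejection is still wanted, copy into a scratch variable instead, e.g. "char probe; error = copyin(uap->val, &probe, 1);", and leave sopt.sopt_val alone.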
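As an added example, not part of the PR or of the FreeBSD source, the following userland regression check exercises exactly the condition the report describes: a setsockopt(2) call whose optval points at memory the process does not own. It assumes a POSIX system with AF_UNIX sockets and mmap/munmap; the bogus address is constructed by mapping one page and releasing it, so it is guaranteed unmapped in a single-threaded process. A kernel that fetches the option through copyin must answer EFAULT and keep running; the valid call alongside it confirms the socket and option are otherwise accepted.

```c
/*
 * Added example (not part of kern/61513 or the FreeBSD tree): userland
 * regression check for a setsockopt(2) option pointer that is invalid.
 * Expected kernel behaviour: EFAULT from copyin, never a panic.
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose MAP_ANONYMOUS */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* BSD spelling of the same flag */
#endif

/* Construct a pointer that is not mapped in this process: map one
 * anonymous page, unmap it, and hand back its (now dangling) address. */
static void *unmapped_page(void)
{
    long pagesize = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pagesize, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (munmap(p, (size_t)pagesize) != 0)
        return NULL;
    return p;
}

/* Issue setsockopt(SOL_SOCKET, SO_SNDBUF) on a throwaway AF_UNIX datagram
 * socket with the caller's optval/optlen and return the resulting errno
 * (0 on success). A negative return means the harness itself failed. */
static int setsockopt_errno(const void *optval, socklen_t optlen)
{
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int rc = setsockopt(fd, SOL_SOCKET, SO_SNDBUF, optval, optlen);
    int saved = (rc == 0) ? 0 : errno;
    close(fd);
    return saved;
}

/* The condition from the PR: an optval the process cannot read.
 * A copyin-based kernel path must return EFAULT. */
int probe_bad_pointer(void)
{
    void *bad = unmapped_page();
    if (bad == NULL)
        return -1;
    return setsockopt_errno(bad, sizeof(int));
}

/* Control case: the same option with a real buffer must succeed. */
int probe_valid_pointer(void)
{
    int sndbuf = 65536;
    return setsockopt_errno(&sndbuf, sizeof(sndbuf));
}

int main(void)
{
    int bad = probe_bad_pointer();
    int ok = probe_valid_pointer();
    printf("bogus optval -> errno %d (%s), expected EFAULT\n",
           bad, bad > 0 ? strerror(bad) : "harness failure");
    printf("valid optval -> errno %d, expected 0\n", ok);
    return (bad == EFAULT && ok == 0) ? 0 : 1;
}
```

Run it on a kernel under test; a non-zero exit, or worse a reboot, is the regression. The probe deliberately uses a freshly unmapped page rather than a fixed address such as 0, because the low pages may be mapped on some configurations and the test should fail for the right reason.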