Date: Sun, 27 Dec 2009 21:44:55 GMT
From: Jakub Klama <jakub.klama@uj.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/142083: buffer overflow in vfs_mountroot_try (sys/kern/vfs_mount.c)
Message-ID: <200912272144.nBRLitUD015488@www.freebsd.org>
Resent-Message-ID: <200912272150.nBRLo16e014288@freefall.freebsd.org>
>Number:         142083
>Category:       kern
>Synopsis:       buffer overflow in vfs_mountroot_try (sys/kern/vfs_mount.c)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 27 21:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Jakub Klama
>Release:        7.0-RELEASE-p5
>Organization:
>Environment:
FreeBSD remotehell.sc.czest.pl 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Fri Nov 14 13:26:06 CET 2008     root@remotehell.sc.czest.pl:/usr/obj/usr/src/sys/REMOTEHELL  i386
>Description:
There's memory corruption one byte after the "vfsname" or "path" buffers (the trailing \0), reported by WITNESS when the user enters a mount path with elements longer than MFSNAMELEN or MNAMELEN. It's caused by too short a buffer malloc'd in lines 1722 and 1723 of vfs_mount.c (or too long a string sscanf'd):

http://fxr.watson.org/fxr/source/kern/vfs_mount.c?v=FREEBSD7#L1721:

1721         /* parse vfs name and path */
1722         vfsname = malloc(MFSNAMELEN, M_MOUNT, M_WAITOK);
1723         path = malloc(MNAMELEN, M_MOUNT, M_WAITOK);
1724         vfsname[0] = path[0] = 0;
1725         sprintf(patt, "%%%d[a-z0-9]:%%%ds", MFSNAMELEN, MNAMELEN);
1726         if (sscanf(mountfrom, patt, vfsname, path) < 1)
1727                 goto out;

>How-To-Repeat:
Enter any string longer than 16 characters without ":" in it at the mountroot prompt, with the WITNESS kernel option enabled.
>Fix:
a) malloc a one-byte-longer buffer (and adjust other kernel structures, if any, to use the one-byte-longer buffer)
b) sscanf() MFSNAMELEN-1 instead of MFSNAMELEN and MNAMELEN-1 instead of MNAMELEN
>Release-Note:
>Audit-Trail:
>Unformatted:
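The off-by-one the report describes, shown in user space as an added example (this is not FreeBSD's code): it rebuilds the same sscanf pattern that vfs_mountroot_try builds, parses into buffers that carry a canary byte exactly where the kernel's MFSNAMELEN- and MNAMELEN-byte allocations end, and compares the widths as shipped with the widths proposed in fix (b). MFSNAMELEN=16 and MNAMELEN=88 are assumed here, and the helper names, the canary scheme and the sample inputs are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes assumed for this example (the values the report's kernel
 * headers define for these constants). */
#define MFSNAMELEN 16
#define MNAMELEN   88

/* Build the same scanf pattern vfs_mountroot_try() builds, but with
 * caller-supplied field widths, and parse `mountfrom` into the two buffers.
 * Returns sscanf()'s result: the number of fields assigned. */
static int parse_mountfrom(const char *mountfrom, int vfswidth, int pathwidth,
                           char *vfsname, char *path)
{
    char patt[64];

    snprintf(patt, sizeof(patt), "%%%d[a-z0-9]:%%%ds", vfswidth, pathwidth);
    vfsname[0] = path[0] = '\0';
    return sscanf(mountfrom, patt, vfsname, path);
}

/* Parse into stack buffers that carry one extra canary byte right where the
 * kernel's MFSNAMELEN / MNAMELEN allocations end.  Returns a bitmask:
 *   bit 0: vfsname's terminating NUL landed past MFSNAMELEN bytes
 *   bit 1: path's terminating NUL landed past MNAMELEN bytes
 * The spare byte keeps the demonstration itself free of undefined behaviour. */
static int overflow_mask(const char *mountfrom, int vfswidth, int pathwidth)
{
    char vfsname[MFSNAMELEN + 1];
    char path[MNAMELEN + 1];
    int mask = 0;

    memset(vfsname, 0, sizeof(vfsname));
    memset(path, 0, sizeof(path));
    vfsname[MFSNAMELEN] = 'X';   /* canary: first byte past the real buffer */
    path[MNAMELEN] = 'X';

    parse_mountfrom(mountfrom, vfswidth, pathwidth, vfsname, path);

    if (vfsname[MFSNAMELEN] != 'X')
        mask |= 1;
    if (path[MNAMELEN] != 'X')
        mask |= 2;
    return mask;
}

/* Widths as shipped: the field width equals the buffer size, so a maximal
 * field plus its NUL needs one byte more than was allocated. */
static int overflow_as_shipped(const char *mountfrom)
{
    return overflow_mask(mountfrom, MFSNAMELEN, MNAMELEN);
}

/* Widths under fix (b): one less than the buffer size leaves room for NUL. */
static int overflow_with_fix_b(const char *mountfrom)
{
    return overflow_mask(mountfrom, MFSNAMELEN - 1, MNAMELEN - 1);
}

/* Constructed inputs: 20 'a's with no ':' (the How-To-Repeat case), and a
 * valid "ufs:" prefix followed by a 100-character path element. */
static const char *sample_long_vfsname(void)
{
    static char buf[21];
    memset(buf, 'a', 20);
    buf[20] = '\0';
    return buf;
}

static const char *sample_long_path(void)
{
    static char buf[4 + 100 + 1];
    memcpy(buf, "ufs:", 4);
    memset(buf + 4, 'b', 100);
    buf[104] = '\0';
    return buf;
}

int main(void)
{
    printf("long vfs name: shipped mask=%d, fix (b) mask=%d\n",
           overflow_as_shipped(sample_long_vfsname()),
           overflow_with_fix_b(sample_long_vfsname()));
    printf("long path:     shipped mask=%d, fix (b) mask=%d\n",
           overflow_as_shipped(sample_long_path()),
           overflow_with_fix_b(sample_long_path()));
    printf("normal input:  shipped mask=%d, fix (b) mask=%d\n",
           overflow_as_shipped("ufs:/dev/ad0s1a"),
           overflow_with_fix_b("ufs:/dev/ad0s1a"));
    return 0;
}
```

The general rule the example illustrates: a scanf conversion with field width N may store N characters plus a terminating NUL, so the destination must hold N+1 bytes. Either widening the allocation (fix a) or narrowing the width (fix b) restores that invariant; the canary check is the kind of assertion a unit test around such a parser should carry, since the kernel only noticed the overrun because WITNESS happened to be enabled.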