kern/84033: kenvp table size not checked
Anish Mistry
amistry at am-productions.biz
Mon Jul 25 05:30:11 GMT 2005
>Number: 84033
>Category: kern
>Synopsis: kenvp table size not checked
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 25 05:30:09 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Anish Mistry
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
AM Productions
>Environment:
FreeBSD littleguy.am-productions.biz 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat Jul 23 17:27:32 EDT 2005 amistry at littleguy.am-productions.biz:/usr/obj/usr/src/sys/LITTLEGUY i386
>Description:
In kern_environment.c the kernel enviroment table size isn't checked and you can overflow the KENV_SIZE table size.
>How-To-Repeat:
Run as root the test script with a large value range, which cause the system to panic. eg. ./test.sh 1 5555
The patch fixes the problem and limits the size of the table to KENV_SIZE-1 entries.
>Fix:
--- kern_environment.c.patch begins here ---
--- /sys/kern/kern_environment.c.orig Sat Jul 23 16:43:32 2005
+++ /sys/kern/kern_environment.c Sat Jul 23 16:46:28 2005
@@ -349,6 +349,11 @@
/* We add the option if it wasn't found */
for (i = 0; (cp = kenvp[i]) != NULL; i++)
;
+ if (i >= KENV_SIZE-1) {
+ sx_xunlock(&kenv_lock);
+ free(buf,M_KENV);
+ return (-1);
+ }
kenvp[i] = buf;
kenvp[i + 1] = NULL;
sx_xunlock(&kenv_lock);
--- kern_environment.c.patch ends here ---
--- test.sh begins here ---
#!/bin/sh
#
#
START=$1
END=$2
COUNT=$START
while [ "$COUNT" -le "$END" ]
do
kenv $COUNT="$COUNT"
COUNT=`expr $COUNT + 1`
done
exit 0
--- test.sh ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list