kern/167107: no kernel malloc size argument check causing system
panic
Petr Lampa
lampa at fit.vutbr.cz
Thu Apr 19 19:10:13 UTC 2012
>Number: 167107
>Category: kern
>Synopsis: no kernel malloc size argument check causing system panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 19 19:10:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Petr Lampa
>Release: 9.0-STABLE
>Organization:
BUT FIT
>Environment:
FreeBSD temp 9.0-STABLE FreeBSD 9.0-STABLE #0: Thu Apr 19 11:18:42 CEST 2012 root at temp:/usr/obj/usr/src/sys/TEMP amd64
>Description:
Kernel malloc() doesn't check size argument, so it's possible to raise kernel panic using system call. Simple demonstration program:
#include <sys/ioctl.h>
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/uio.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dev/mfi/mfi_ioctl.h>
int main()
{
struct mfi_ioc_passthru ioc;
struct mfi_dcmd_frame *dcmd;
char buf[1024];
int fd = open("/dev/mfi0", O_RDONLY);
bzero(&ioc, sizeof(ioc));
dcmd = &ioc.ioc_frame;
dcmd->header.cmd = MFI_CMD_DCMD;
dcmd->header.timeout = 0;
dcmd->header.flags = 0;
dcmd->header.data_len = -8192;
dcmd->opcode = MFI_DCMD_CTRL_GETINFO;
ioc.buf = buf;
ioc.buf_size = -8192;
ioctl(fd, MFIIO_PASSTHRU, &ioc);
}
Result:
panic: kmem_malloc(-8192): kmem_map too small: 103632896 total allocated
>How-To-Repeat:
>Fix:
1. Check malloc() size argument obtained from user space in mfi_dcmd_command().
2. Change uma_large_malloc(), uma_small_alloc(), etc. prototypes from int size to size_t size to be consistent with malloc() and kmem_malloc().
3. Check if size argument is not larger then available memory in kmem_malloc() and fail properly with return 0 and not panic.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list