misc/83687: no bounds check in kern_environment routine setenv, system crashes

Mon Jul 18 19:30:13 GMT 2005

>Number:         83687
>Category:       misc
>Synopsis:       no bounds check in kern_environment routine setenv, system crashes
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 18 19:30:12 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Harry Coin
>Release:        5.4
>Organization:
>Environment:
FreeBSD sueofficerm 5.4-RELEASE FreeBSD 5.4-RELEASE #23: Mon Jul 18 13:34:01 CDT 2005     root at server1.quietfountain.com:/usr/obj/usr/src/sys/DISKLESS  i386

>Description:
kernel kern_environment routine setenv allows dynamic additions and changes to the kernel environment (mostly hints) settings.

When setenv can't find the environment variable to set to the passed in value, it allocates a new one, gives it the passed in name, then sets it to the value.

The problem is there is no bounds checking when it is time to add a variable.  Repeated adds (which can be called from userland routine kenv) will just corrupt memory past the end of the array and eventually crash the system.

bugfix below.
>How-To-Repeat:

just use kenv to add new variables until the system dies.  Somewhere after 512 total variables.

bugfix below.
>Fix:

--- /usr/src/sys/kern/kern_environment.c	Thu Mar 10 11:09:16 2005
+++ /mnt/server1/usr/src/sys/kern/kern_environment.c	Mon Jul 18 13:57:01 2005
@@ -349,6 +349,11 @@
 		/* We add the option if it wasn't found */
 		for (i = 0; (cp = kenvp[i]) != NULL; i++)
 			;
+		if (i>=KENV_SIZE-1) {  // prevent kernel memory corruption due to runaway growth
+		  free(buf,M_KENV); 
+		  sx_xunlock(&kenv_lock);
+		  return -1;
+		}
 		kenvp[i] = buf;
 		kenvp[i + 1] = NULL;
 		sx_xunlock(&kenv_lock);

>Release-Note:
>Audit-Trail:
>Unformatted:
