kern/124908: kernel performs inadequate check for incorrect lengths
when sending file descriptors over sockets
Taylor R Campbell
campbell at mumble.net
Mon Jun 23 15:50:01 UTC 2008
>Number: 124908
>Category: kern
>Synopsis: kernel performs inadequate check for incorrect lengths when sending file descriptors over sockets
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jun 23 15:50:00 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Taylor R Campbell
>Release:
>Organization:
>Environment:
I have no FreeBSD machine of my own, but someone kindly offered to run a test program on a machine with the following uname -a output:
FreeBSD dns.deafhogs.org 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #1: Thu Jun 19 06:47:36 EDT 2008 chaulmark at nfs.deafhogs.org:/usr/obj/usr/src/sys/GENERIC i386
>Description:
In src/kern/sys/uipc_usrreq.c (rev 1.214), the function unp_internalize does not adequately check that the lengths in control message headers are correct, and as a consequence may calculate a negative number of file descriptors in the user-supplied buffer, leading potentially to disaster later on.
(Thanks to Michael van Elst and Martin Husemann for alerting me to this issue in NetBSD.)
>How-To-Repeat:
Download the program
<http://mumble.net/~campbell/tmp/fbsd-fail.c>
Compile it with
gcc -DFAIL -g -Wall fbsd-fail.c -o fbsd-fail
Run it with
./fbsd-fail foobar
sendmsg(2) should return EINVAL, but it doesn't; instead it has random effects, such as returning EBADF, which suggests that the kernel might be examining and passing to other processes file descriptors that the user did not request.
>Fix:
Add the following test to the list of conditions in unp_internalize for which it will return EINVAL:
cm->cmsg_len < CMSG_ALIGN(sizeof(struct cmsghdr))
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list