kern/138860: [linux] linux_socketcall() causing buffer overflow
Alexander Best
alexbestms at math.uni-muenster.de
Tue Sep 15 21:20:09 UTC 2009
>Number: 138860
>Category: kern
>Synopsis: [linux] linux_socketcall() causing buffer overflow
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 15 21:20:08 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Alexander Best
>Release: 9.0-CURRENT
>Organization:
>Environment:
FreeBSD otaku 9.0-CURRENT FreeBSD 9.0-CURRENT #0 r197043: Sat Sep 12 01:07:56 CEST 2009 root at otaku:/usr/obj/usr/src/sys/ARUNDEL i386
>Description:
The Linux Test Project (LTP) is a set of small scripts and binaries that test whether an environment meets all the criteria necessary to be 100% compatible with Linux.
Running the LTP scripts revealed a buffer overflow caused by linux_socketcall(), which emulates the Linux socketcall() syscall. The buffer overflow gets reported multiple times during a full LTP run, because several tests use the Linux socketcall() syscall and thus linux_socketcall(). One of the tests causing the buffer overflow is testcases/kernel/syscalls/bind/bind01. I've attached the source for bind01.
Here is the REDZONE overflow report that is printed when the `bind01` binary is run:
REDZONE: Buffer overflow detected. 9 bytes corrupted after 0xca667283 (3 bytes allocated).
Allocation backtrace:
#0 0xc070cc5a at redzone_setup+0x3a
#1 0xc05b9cf3 at malloc+0x1c3
#2 0xc0af993c at linux_getsockaddr+0x3c
#3 0xc0afa51e at linux_socketcall+0x73e
#4 0xc0760ea6 at syscall+0x2a6
#5 0xc0744800 at Xint0x80_syscall+0x20
Free backtrace:
#0 0xc070cbea at redzone_check+0x17a
#1 0xc05b99ad at free+0x5d
#2 0xc0afa556 at linux_socketcall+0x776
#3 0xc0760ea6 at syscall+0x2a6
#4 0xc0744800 at Xint0x80_syscall+0x20
I've marked this PR as high priority because the buffer overflow could pose a security threat and be used to execute harmful code.
cheers.
alex
[1] http://lists.freebsd.org/pipermail/freebsd-emulation/2009-September/006877.html
>How-To-Repeat:
cd /usr/ports/emulators/linux_dist-gentoo-stage3 && make install
cd /usr/local/gentoo-stage3
cvs -d:pserver:anonymous at ltp.cvs.sourceforge.net:/cvsroot/ltp login
cvs -z3 -d:pserver:anonymous at ltp.cvs.sourceforge.net:/cvsroot/ltp co ltp
chroot /usr/local/gentoo-stage3 bash
cd ltp && ./configure && make all install
cd testcases/kernel/syscalls/bind
./bind01
>Fix:
The problem probably lies in /usr/src/sys/compat/linux/linux_socket.c.
Patch attached with submission follows:
/*
*
* Copyright (c) International Business Machines Corp., 2001
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
* the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
* Test Name: bind01
*
* Test Description:
* Verify that bind() returns the proper errno for various failure cases
*
* Usage: <for command-line>
* bind01 [-c n] [-e] [-i n] [-I x] [-P x] [-t]
* where, -c n : Run n copies concurrently.
* -e : Turn on errno logging.
* -i n : Execute test n times.
* -I x : Execute test for x seconds.
* -P x : Pause for x seconds between iterations.
* -t : Turn on syscall timing.
*
* HISTORY
* 07/2001 Ported by Wayne Boyer
*
* RESTRICTIONS:
* None.
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "test.h"
#include "usctest.h"
char *TCID = "bind01"; /* Test program identifier, used by the LTP reporting routines. */
int testno;            /* Index of the tdat[] entry currently being run; read by setup0(). */
int s;                 /* socket descriptor (or, for the "invalid socket" case, a plain fd) */
/* Address fixtures filled in by setup(); tdat[] points at them. */
struct sockaddr_in sin1, sin2, sin3;
struct sockaddr_un sun1;
/*
 * Per-test setup/cleanup hooks referenced from tdat[].
 * NOTE(review): setup2() is declared here but has no definition in this file.
 */
void setup(void), setup0(void), setup1(void), setup2(void),
cleanup(void), cleanup0(void), cleanup1(void);
/*
 * One row per bind() scenario.  main() runs setup(), calls
 * bind(s, sockaddr, salen), compares the result with retval/experrno
 * and finally runs cleanup().
 */
struct test_case_t {
	int domain;                 /* PF_INET, PF_UNIX, ... */
	int type;                   /* SOCK_STREAM, SOCK_DGRAM ... */
	int proto;                  /* protocol number (usually 0 = default) */
	struct sockaddr *sockaddr;  /* socket address buffer */
	int salen;                  /* bind's 3rd argument */
	int retval;                 /* expected syscall return value */
	int experrno;               /* expected errno when retval < 0 */
	void (*setup) (void);       /* prepares the global s for this case */
	void (*cleanup) (void);     /* releases whatever setup() acquired */
	char *desc;                 /* human-readable case name for the log */
} tdat[] = {
#ifndef UCLINUX
	/* Skip since uClinux does not implement memory protection */
	{
		PF_INET, SOCK_STREAM, 0,
		(struct sockaddr *)-1, sizeof(struct sockaddr_in),
		-1, EFAULT,
		setup0, cleanup0,
		"invalid sockaddr"
	},
#endif
	/*
	 * salen of 3 is deliberately too short for a sockaddr_in; this is
	 * presumably the "3 bytes allocated" in the REDZONE report above.
	 */
	{
		PF_INET, SOCK_STREAM, 0,
		(struct sockaddr *)&sin1, 3,
		-1, EINVAL,
		setup0, cleanup0,
		"invalid salen"
	},
	/* setup1() puts a non-socket descriptor in s. */
	{
		0, 0, 0,
		(struct sockaddr *)&sin1, sizeof(sin1),
		-1, ENOTSOCK,
		setup1, cleanup1,
		"invalid socket"
	},
	/* The only case expected to succeed (port 0 = kernel picks). */
	{
		PF_INET, SOCK_STREAM, 0,
		(struct sockaddr *)&sin2, sizeof(sin2),
		0, 0,
		setup0, cleanup0,
		"INADDR_ANYPORT"
	},
	{
		PF_UNIX, SOCK_STREAM, 0,
		(struct sockaddr *)&sun1, sizeof(sun1),
		-1, EADDRINUSE,
		setup0, cleanup0,
		"UNIX-domain of current directory"
	},
	{
		PF_INET, SOCK_STREAM, 0,
		(struct sockaddr *)&sin3, sizeof(sin3),
		-1, EADDRNOTAVAIL,
		setup0, cleanup0,
		"non-local address"
	},
};
int TST_TOTAL = sizeof(tdat) / sizeof(tdat[0]); /* Total number of test cases. */
/* Zero-terminated list of errnos the cases may legitimately produce; handed to TEST_EXP_ENOS in setup(). */
int exp_enos[] = { EFAULT, EINVAL, ENOTSOCK, EADDRINUSE, EADDRNOTAVAIL, 0 };
extern int Tst_count; /* defined elsewhere (presumably the LTP library); reset to 0 per loop iteration in main() */
/*
 * Entry point.  Parses the standard LTP options, builds the address
 * fixtures via setup(), then for every loop iteration (-i/-I) runs each
 * tdat[] case: per-case setup, one bind() call, compare return value and
 * errno with the expectations, per-case cleanup.
 *
 * Returns 0, although cleanup() is expected to leave through tst_exit()
 * first.
 */
int main(int argc, char *argv[])
{
	int iter;      /* outer loop counter for the -i / -I options */
	char *optmsg;  /* error text from parse_opts(), NULL when options are fine */

	optmsg = parse_opts(argc, argv, (option_t *) NULL, NULL);
	if (optmsg != NULL) {
		tst_brkm(TBROK, 0, "OPTION PARSING ERROR - %s", optmsg);
		tst_exit();
	}

	setup();

	for (iter = 0; TEST_LOOPING(iter); ++iter) {
		Tst_count = 0;
		for (testno = 0; testno < TST_TOTAL; ++testno) {
			struct test_case_t *tc = &tdat[testno];
			int failed;

			tc->setup();
			TEST(bind(s, tc->sockaddr, tc->salen));

			/* bind() only returns 0 or -1, so any positive value counts as success. */
			if (TEST_RETURN > 0) {
				TEST_RETURN = 0;
			} else {
				TEST_ERROR_LOG(TEST_ERRNO);
			}

			/* errno is only meaningful when the call failed. */
			failed = TEST_RETURN != tc->retval ||
			    (TEST_RETURN < 0 && TEST_ERRNO != tc->experrno);
			if (failed) {
				tst_resm(TFAIL,
				    "%s ; returned %ld (expected %d), errno %d (expected %d)",
				    tc->desc, TEST_RETURN, tc->retval,
				    TEST_ERRNO, tc->experrno);
			} else {
				tst_resm(TPASS, "%s successful", tc->desc);
			}

			tc->cleanup();
		}
	}

	cleanup();
	return 0;
}
/*
 * One-time fixture setup.  Registers the expected errnos for -e, honours
 * -P via TEST_PAUSE, and fills in the four addresses that tdat[] points at:
 *   sin1 - INADDR_ANY, pid-derived port in [10000, 42767]
 *   sin2 - INADDR_ANY, port 0 (kernel chooses)
 *   sin3 - 10.255.254.253, port 0 (assumed not to be a local address)
 *   sun1 - AF_UNIX path "."
 * The address structs are file-scope, so fields not set here stay zero.
 */
void setup(void)
{
	pid_t pid = getpid();

	TEST_EXP_ENOS(exp_enos);
	TEST_PAUSE;

	/* sin2/sin3 carry no port; only sin1 needs a specific one. */
	sin2.sin_family = AF_INET;
	sin2.sin_port = 0;
	sin2.sin_addr.s_addr = INADDR_ANY;

	sin3.sin_family = AF_INET;
	sin3.sin_port = 0;
	/* assumes 10.255.254.253 is not a local interface address! */
	sin3.sin_addr.s_addr = htonl(0x0AFFFEFD);

	/* this port must be unused! */
	sin1.sin_family = AF_INET;
	sin1.sin_port = htons((pid % 32768) + 10000);
	sin1.sin_addr.s_addr = INADDR_ANY;

	/* "." always fits; strncpy NUL-pads the rest of sun_path. */
	sun1.sun_family = AF_UNIX;
	strncpy(sun1.sun_path, ".", sizeof sun1.sun_path);
}
/*
 * Final teardown.  Runs the usctest TEST_CLEANUP macro and then leaves
 * through tst_exit(); also used as the break-out hook passed to tst_brkm()
 * from setup0()/setup1().  Not expected to return.
 */
void cleanup(void)
{
	TEST_CLEANUP;

	tst_exit();
}
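/*
 * Per-case setup for the socket-based cases: opens a socket with the
 * domain/type/protocol of tdat[testno] and stores it in the global s.
 * On failure breaks the test with TBROK (and errno via TERRNO), using
 * cleanup() as the exit hook.
 *
 * The stray printf("HIER!!!!") debug line is removed: it wrote to stdout
 * outside the tst_resm() reporting channel on every case.
 */
void setup0(void)
{
	s = socket(tdat[testno].domain, tdat[testno].type, tdat[testno].proto);
	if (s < 0) {
		tst_brkm(TBROK|TERRNO, cleanup,
		    "socket() failed for bind test %d", testno);
	}
}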
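/*
 * Per-case cleanup for the socket-based cases: closes the socket opened by
 * setup0().  Also resets s to -1 so a stale (possibly reused) descriptor
 * number is never left behind, matching what cleanup1() does.
 */
void cleanup0(void)
{
	(void)close(s);
	s = -1;
}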
/*
 * Per-case setup for the "not a socket" case: puts a descriptor that
 * refers to /dev/null into the global s so bind() is expected to fail with
 * ENOTSOCK.  Breaks the test with TBROK|TERRNO if open() fails.
 */
void setup1(void)
{
	s = open("/dev/null", O_WRONLY);
	if (s < 0) {
		tst_brkm(TBROK|TERRNO, cleanup, "open(/dev/null) failed");
	}
}
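/*
 * Per-case cleanup for the "not a socket" case.  setup1() opens /dev/null
 * on every run, but the original only reset s without closing it, leaking
 * one descriptor per loop iteration (-i / -I).  Close it first, then
 * invalidate s.
 */
void cleanup1(void)
{
	if (s >= 0) {
		(void)close(s);
	}
	s = -1;
}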
>Release-Note:
>Audit-Trail:
>Unformatted: