misc/180077: [SECURITY] Potential DoS in RTLD
Shawn Webb
lattera at gmail.com
Sat Jun 29 02:20:00 UTC 2013
>Number: 180077
>Category: misc
>Synopsis: [SECURITY] Potential DoS in RTLD
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 29 02:20:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Shawn Webb
>Release: FreeBSD 9.1-STABLE
>Organization:
>Environment:
FreeBSD hobby 9.1-RELEASE FreeBSD 9.1-STABLE #6 r251973+5173297: Wed Jun 19 01:49:18 EDT 2013 shawn at shawn-vm-host:/usr/obj/usr/src/sys/SEC amd64
>Description:
In libexec/rtld-elf/rtld.c, line 854, the variable bloom_size32 is declared as a signed integer. The variable is first used on line 964, when it is assigned a user-controlled value. This value could be overflowed, causing the pointer on line 970 to point to a user-controlled area. The check on line 973 helps, though, as it makes it so that nmaskwords (which is used to calculate bloom_size32) must be a power of two. If the stars align right, an attacker could cause a DoS. I'm working on verifying whether code execution is possible, but my gut says it's not.
>How-To-Repeat:
>Fix:
Change bloom_size32 to be unsigned.
>Release-Note:
>Audit-Trail:
>Unformatted:
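As an illustration of the signedness issue the report describes, the following C program is an added example, not rtld's code and not the submitter's. It assumes the DT_GNU_HASH layout of four 32-bit header words (nbuckets, symndx, nmaskwords, shift2) followed by nmaskwords bloom-filter words of the ELF word size and then the bucket array, computes where the bucket array lands when bloom_size32 is a signed int versus an unsigned one, and adds a bounds check (not part of the submitted fix) that rejects a header whose filter and buckets would extend past the mapped table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed DT_GNU_HASH layout: four 32-bit header words (nbuckets, symndx,
 * nmaskwords, shift2), then nmaskwords bloom-filter words of the ELF word
 * size, then nbuckets 32-bit bucket entries, then the chain array. */
#define GNU_HASH_HDR_WORDS 4

/* Byte offset of the bucket array from the start of the table when
 * bloom_size32 is a signed int, as the report describes.  The product
 * (word_bits / 32) * nmaskwords is computed in unsigned 32-bit arithmetic
 * and then stored in an int; for nmaskwords >= 2^30 on a 64-bit target the
 * stored value is negative (two's-complement wrap, as gcc and clang do),
 * so the offset points *before* the table. */
int64_t buckets_offset_signed(uint32_t nmaskwords, unsigned word_bits)
{
    int bloom_size32 = (word_bits / 32) * nmaskwords;
    return ((int64_t)GNU_HASH_HDR_WORDS + bloom_size32) * (int64_t)sizeof(uint32_t);
}

/* Same computation with bloom_size32 unsigned (the submitted fix): the
 * offset can no longer go negative, though it can still land far past the
 * end of the mapping, which is why the bounds check below is still wanted. */
int64_t buckets_offset_unsigned(uint32_t nmaskwords, unsigned word_bits)
{
    uint32_t bloom_size32 = (word_bits / 32) * nmaskwords;
    return ((int64_t)GNU_HASH_HDR_WORDS + (int64_t)bloom_size32) * (int64_t)sizeof(uint32_t);
}

/* Defender-side validation (added here, not part of rtld or the report):
 * accept a header only if nmaskwords is a non-zero power of two, as rtld
 * requires, and the header, bloom filter and bucket array all fit inside
 * the table_len bytes actually mapped.  All arithmetic is 64-bit unsigned,
 * so a crafted nmaskwords or nbuckets cannot wrap.  The chain array length
 * is not known from the header alone, so it is not checked here. */
bool gnu_hash_header_fits(uint32_t nbuckets, uint32_t nmaskwords,
                          unsigned word_bits, uint64_t table_len)
{
    if (nmaskwords == 0 || (nmaskwords & (nmaskwords - 1)) != 0)
        return false;                         /* not a power of two */
    if (nbuckets == 0 || (word_bits != 32 && word_bits != 64))
        return false;
    uint64_t need = (uint64_t)GNU_HASH_HDR_WORDS * sizeof(uint32_t)
                  + (uint64_t)nmaskwords * (word_bits / 8)
                  + (uint64_t)nbuckets * sizeof(uint32_t);
    return need <= table_len;
}

int main(void)
{
    /* Constructed value: a power of two, so it passes the power-of-two
     * check the report mentions, yet large enough to wrap the signed product. */
    const uint32_t crafted = 0x40000000u;
    printf("signed   bloom_size32 -> bucket offset %lld bytes\n",
           (long long)buckets_offset_signed(crafted, 64));
    printf("unsigned bloom_size32 -> bucket offset %lld bytes\n",
           (long long)buckets_offset_unsigned(crafted, 64));
    printf("header fits in a 4096-byte table? %s\n",
           gnu_hash_header_fits(1, crafted, 64, 4096) ? "yes" : "no");
    return 0;
}
```

With the signed type the bucket pointer ends up roughly 8 GiB before the table, so the first symbol lookup faults; with the unsigned type it ends up 8 GiB after it, which also faults, so the type change alone does not make the offset safe. Comparing the derived sizes against the mapped length, as gnu_hash_header_fits does, is the check that actually keeps the loader inside the object.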