[Bug 208807] DoS in gsstest

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208807

            Bug ID: 208807
           Summary: DoS in gsstest
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

`gsstest` function from `sys/kgssapi/gsstest.c` performs `malloc` with an
unlimited, user controlled, `size_t` value, and the `M_WAITOK` flag. Passing
large values of `input_token.length` through the userland `args` would result
in panic on systems where the `gsstest` kernel module is running.

sys/kgssapi/gsstest.c:

static int
gsstest(struct thread *td, struct gsstest_args *uap)
{
        int error;

        switch (uap->a_op) {
        case 1:
                return (gsstest_1(td));

        case 2: {
                struct gsstest_2_args args;
                struct gsstest_2_res res;
                gss_buffer_desc input_token, output_token;
                OM_uint32 junk;

                error = copyin(uap->a_args, &args, sizeof(args));
                if (error)
                        return (error);
                input_token.length = args.input_token.length;
                input_token.value = malloc(input_token.length, M_GSSAPI,
                    M_WAITOK);
                ...

sys/kgssapi/gssapi.h:

typedef struct gss_buffer_desc_struct {
  size_t length;
  void *value;
} gss_buffer_desc, *gss_buffer_t;

After copying the arguments from userland, the length should be checked against
an upper limit.

-- 
You are receiving this mail because:
You are the assignee for the bug.