[Bug 217435] Users can panic the kernel by tracing kevents with unusual arguments.
bugzilla-noreply at freebsd.org
Sun Mar 12 13:49:01 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217435
--- Comment #2 from commit-hook at freebsd.org ---
A commit references this bug:
Author: kib
Date: Sun Mar 12 13:48:25 UTC 2017
New revision: 315155
URL: https://svnweb.freebsd.org/changeset/base/315155
Log:
Ktracing kevent(2) calls with unusual arguments might lead to
overly large allocation requests.
When ktrace-ing io, sys_kevent() allocates memory to copy the
requested changes and reported events. Allocations are sized by the
incoming syscall length arguments, which are user-controlled, and
might cause overflow in calculations or too large allocations.
Since io trace chunks are limited by ktr_geniosize, there is no sense
in even trying to satisfy unbounded allocations. Export ktr_geniosize
and clamp the buffer sizes in advance.
PR: 217435
Reported by: Tim Newsham <tim.newsham at nccgroup.trust>
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Changes:
head/sys/kern/kern_event.c
head/sys/kern/kern_ktrace.c
head/sys/sys/ktrace.h
--
You are receiving this mail because:
You are the assignee for the bug.
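
The clamping described in the commit log above, modeled in userland C as an added example (it is not the code from revision 315155 and is not part of the original mail). `struct kev_model`, `geniosize_model` with its value of 4096, and the helper names are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed-width stand-in for struct kevent (assumed layout; only its size matters). */
struct kev_model {
    uint64_t ident;
    int16_t  filter;
    uint16_t flags;
    uint32_t fflags;
    int64_t  data;
    uint64_t udata;
};

/* Assumed cap on one I/O trace chunk, playing the role of ktr_geniosize. */
static const size_t geniosize_model = 4096;

/* Unclamped: the request scales with whatever count the caller supplied. */
static uint64_t unclamped_bytes(int count)
{
    return (uint64_t)(unsigned int)count * sizeof(struct kev_model);
}

/* Clamped: bound the element count by the cap before multiplying, so the
 * product cannot overflow and never exceeds geniosize_model. */
static size_t clamped_count(int count)
{
    size_t max = geniosize_model / sizeof(struct kev_model);

    if (count <= 0)
        return 0;
    return (size_t)count < max ? (size_t)count : max;
}

static size_t clamped_bytes(int count)
{
    return clamped_count(count) * sizeof(struct kev_model);
}

int main(void)
{
    const int samples[] = { 4, 1000, INT_MAX, -1 }; /* constructed inputs */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("count=%d unclamped=%llu clamped=%zu\n", samples[i],
            (unsigned long long)unclamped_bytes(samples[i]),
            clamped_bytes(samples[i]));
    return 0;
}
```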