From nobody@FreeBSD.org  Sun Dec 27 21:44:56 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9B9C41065695
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 27 Dec 2009 21:44:56 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 5DDB18FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 27 Dec 2009 21:44:56 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id nBRLitfY015489
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 27 Dec 2009 21:44:55 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id nBRLitUD015488;
	Sun, 27 Dec 2009 21:44:55 GMT
	(envelope-from nobody)
Message-Id: <200912272144.nBRLitUD015488@www.freebsd.org>
Date: Sun, 27 Dec 2009 21:44:55 GMT
From: Jakub Klama <jakub.klama@uj.edu.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: buffer overflow in vfs_mountroot_try (sys/kern/vfs_mount.c)
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         142083
>Category:       kern
>Synopsis:       [vfs] buffer overflow in vfs_mountroot_try (sys/kern/vfs_mount.c)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 27 21:50:01 UTC 2009
>Closed-Date:    Tue Nov 13 20:56:14 UTC 2012
>Last-Modified:  Tue Nov 13 20:56:14 UTC 2012
>Originator:     Jakub Klama
>Release:        7.0-RELEASE-p5
>Organization:
>Environment:
FreeBSD remotehell.sc.czest.pl 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Fri Nov 14 13:26:06 CET 2008     root@remotehell.sc.czest.pl:/usr/obj/usr/src/sys/REMOTEHELL  i386
>Description:
There's memory corruption one byte past the end of the "vfsname" or "path"
buffer (the trailing \0), reported by WITNESS when the user enters a mount
path with elements longer than MFSNAMELEN or MNAMELEN. It's caused by too
short a buffer being malloc'd in lines 1722 and 1723 of vfs_mount.c (or,
equivalently, too long a string being sscanf'd into it):

http://fxr.watson.org/fxr/source/kern/vfs_mount.c?v=FREEBSD7#L1721:

1721         /* parse vfs name and path */
1722         vfsname = malloc(MFSNAMELEN, M_MOUNT, M_WAITOK);
1723         path = malloc(MNAMELEN, M_MOUNT, M_WAITOK);
1724         vfsname[0] = path[0] = 0;
1725         sprintf(patt, "%%%d[a-z0-9]:%%%ds", MFSNAMELEN, MNAMELEN);
1726         if (sscanf(mountfrom, patt, vfsname, path) < 1)
1727                 goto out;
>How-To-Repeat:
Enter any string longer than 16 characters without ":" in it at the mountroot
prompt, with the WITNESS kernel option enabled.
>Fix:
a) malloc a buffer one byte longer (and adjust other kernel structures,
if any, to use the one-byte-longer buffer)
b) sscanf() with MFSNAMELEN-1 instead of MFSNAMELEN and MNAMELEN-1 instead of
MNAMELEN
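As an added illustration (not part of the report or of the FreeBSD source), this user-space C program reproduces the off-by-one with the quoted sscanf pattern: each destination buffer is sized exactly MFSNAMELEN/MNAMELEN and followed by one canary byte, so the NUL that sscanf appends after a full-width match is observed instead of corrupting a neighbouring allocation. The helper names and the sample inputs are constructed for the example; the buffer lengths use the values from the FreeBSD 7 headers.

```c
#include <stdio.h>
#include <string.h>

#define MFSNAMELEN 16   /* sys/mount.h: length of fs type name */
#define MNAMELEN   88   /* sys/mount.h: size of on/from name buffers */
#define CANARY     0xA5

/* Parse "vfs:path" the way vfs_mountroot_try() did, with caller-chosen widths.
 * sscanf() stores at most `width` characters and then ALWAYS appends a NUL,
 * so each destination needs width + 1 bytes. Returns the conversion count. */
static int parse_mountfrom(const char *mountfrom, int vfs_width, int path_width,
                           char *vfsname, char *path)
{
    char patt[32];

    vfsname[0] = path[0] = 0;
    snprintf(patt, sizeof patt, "%%%d[a-z0-9]:%%%ds", vfs_width, path_width);
    return sscanf(mountfrom, patt, vfsname, path);
}

/* Run the parse into buffers of exactly MFSNAMELEN / MNAMELEN bytes, each with
 * one canary byte after it. Returns 1 if either canary was overwritten
 * (the one-byte overflow from the report), 0 if both survived. */
int canary_clobbered(const char *mountfrom, int vfs_width, int path_width)
{
    unsigned char vbuf[MFSNAMELEN + 1], pbuf[MNAMELEN + 1];

    memset(vbuf, CANARY, sizeof vbuf);
    memset(pbuf, CANARY, sizeof pbuf);
    parse_mountfrom(mountfrom, vfs_width, path_width, (char *)vbuf, (char *)pbuf);
    return vbuf[MFSNAMELEN] != CANARY || pbuf[MNAMELEN] != CANARY;
}

/* Constructed input: "ufs:" followed by 99 'a's, i.e. a path longer than MNAMELEN. */
const char *long_path_input(void)
{
    static char buf[MNAMELEN + 16];

    memset(buf, 'a', sizeof buf - 1);
    buf[sizeof buf - 1] = 0;
    memcpy(buf, "ufs:", 4);
    return buf;
}

int main(void)
{
    const char *no_colon = "abcdefghijklmnopqrstuvwxyz"; /* >16 chars, no ':' */

    printf("original widths: canary %s\n",
           canary_clobbered(no_colon, MFSNAMELEN, MNAMELEN) ? "CLOBBERED" : "intact");
    printf("fix (b) widths:  canary %s\n",
           canary_clobbered(no_colon, MFSNAMELEN - 1, MNAMELEN - 1) ? "CLOBBERED" : "intact");
    return 0;
}
```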

>Release-Note:
>Audit-Trail:

From: Jakub Klama <jakub.klama@uj.edu.pl>
To: bug-followup@FreeBSD.org, jakub.klama@uj.edu.pl
Cc:  
Subject: Re: kern/142083: buffer overflow in vfs_mountroot_try
 (sys/kern/vfs_mount.c)
Date: Sun, 27 Dec 2009 23:02:07 +0100

About the bug report: sorry for mentioning WITNESS, I was of course thinking of DEBUG_MEMGUARD.
State-Changed-From-To: open->feedback
State-Changed-By: jh
State-Changed-When: Thu Nov 24 19:54:36 UTC 2011
State-Changed-Why:
Is this still a problem after r214006? As far as I can see the code in
question has been removed in r214006.

http://www.freebsd.org/cgi/query-pr.cgi?pr=142083
State-Changed-From-To: feedback->closed
State-Changed-By: eadler
State-Changed-When: Tue Nov 13 20:56:13 UTC 2012
State-Changed-Why:
Feedback timeout. Please email me and I will reopen if needed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=142083
>Unformatted:
