From nobody@FreeBSD.org  Sat Jun 29 02:12:32 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by hub.freebsd.org (Postfix) with ESMTP id A75179DE
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 29 Jun 2013 02:12:32 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
	by mx1.freebsd.org (Postfix) with ESMTP id 6347710AF
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 29 Jun 2013 02:12:32 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r5T2CWq0078786
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 29 Jun 2013 02:12:32 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r5T2CWHZ078785;
	Sat, 29 Jun 2013 02:12:32 GMT
	(envelope-from nobody)
Message-Id: <201306290212.r5T2CWHZ078785@oldred.freebsd.org>
Date: Sat, 29 Jun 2013 02:12:32 GMT
From: Shawn Webb <lattera@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [SECURITY] Potential DoS in RTLD
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         180077
>Category:       kern
>Synopsis:       [rtld] [security] Potential DoS in RTLD
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 29 02:20:00 UTC 2013
>Closed-Date:    Wed Jul 03 00:03:40 UTC 2013
>Last-Modified:  Wed Jul  3 00:40:00 UTC 2013
>Originator:     Shawn Webb
>Release:        FreeBSD 9.1-STABLE
>Organization:
>Environment:
FreeBSD hobby 9.1-RELEASE FreeBSD 9.1-STABLE #6 r251973+5173297: Wed Jun 19 01:49:18 EDT 2013     shawn@shawn-vm-host:/usr/obj/usr/src/sys/SEC  amd64
>Description:
In libexec/rtld-elf/rtld.c, line 854, the variable bloom_size32 is
declared as a signed integer. The variable is first used on line 964,
when it is assigned a user-controlled value. This value could be
overflowed, causing the pointer on line 970 to point to a user-controlled
area. The check on line 973 helps, though, as it makes it so that
nmaskwords (which is used to calculate bloom_size32) must be a power of
two. If the stars align right, an attacker could cause a DoS. I'm working
on verifying whether code execution is possible, but my gut says it's not.
>How-To-Repeat:

>Fix:
Change bloom_size32 to be unsigned.

>Release-Note:
>Audit-Trail:

From: Dag-Erling Smørgrav <des@des.no>
To: freebsd-gnats-submit@freebsd.org 
Cc:  
Subject: Re: kern/180077: [rtld] [security] Potential DoS in RTLD
Date: Tue, 02 Jul 2013 13:35:25 +0200

 That value is only "user-controlled" to the extent that it is read from
 the binary being loaded, which is (assumed to be) under the control of
 the user.  There is no bug here, much less a security issue.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Wed Jul 3 00:03:23 UTC 2013 
State-Changed-Why:  
apparently working as designed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=180077 

From: Shawn Webb <lattera@gmail.com>
To: bug-followup@FreeBSD.org, lattera@gmail.com
Cc:  
Subject: Re: kern/180077: [rtld] [security] Potential DoS in RTLD
Date: Tue, 2 Jul 2013 20:31:21 -0400

 I understand that. I also understand that we're loading shared objects
 that can do what they want, since the purpose of a shared object is to
 execute code. If the author of a shared object wanted to DoS the
 service/system or execute arbitrary code, he could simply add code to
 do so. I just stumbled across this the other day and thought that it
 technically is a bug. A one-word fix would be easy to implement and
 could prevent weird headaches. I wouldn't regard the bug as important
 at all, given what I just previously said. The point is that it's
 still technically a bug.
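The arithmetic the report describes, as an added example that is not part of the PR, its replies or FreeBSD's rtld: a constructed DT_GNU_HASH header is parsed, the bucket-array offset is computed once with the size held in a signed int (as the report says rtld did) and once with the one-word unsigned fix, and a third function applies a 64-bit size check that is this editor's illustration of a hardening, not rtld's code. The four-word header layout (nbuckets, symndx, maskwords, shift2) is the GNU hash format's own; the WORD_SIZE constant, the struct and function names, the 4096-byte table size and the header bytes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed word size for the illustration; rtld derives its factor from
 * __ELF_WORD_SIZE, which is 64 on amd64 (the report's platform). */
#define WORD_SIZE 64

/* The four leading 32-bit words of a DT_GNU_HASH table, in the order the
 * GNU hash format defines them. Everything after them is chosen by whoever
 * built the object file. */
struct gnu_hash_hdr {
    uint32_t nbuckets;
    uint32_t symndx;
    uint32_t nmaskwords;
    uint32_t shift2;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the header from the raw little-endian bytes a loader would find
 * at the DT_GNU_HASH address in the mapped image. */
struct gnu_hash_hdr parse_gnu_hash_hdr(const uint8_t *p)
{
    struct gnu_hash_hdr h;
    h.nbuckets   = rd32le(p);
    h.symndx     = rd32le(p + 4);
    h.nmaskwords = rd32le(p + 8);
    h.shift2     = rd32le(p + 12);
    return h;
}

/* Offset of the bucket array from the table start, in 32-bit words, with
 * the bloom size held in a signed int as the report describes. The product
 * is formed in 32-bit unsigned arithmetic and then converted to int, so a
 * result of 0x80000000 or above becomes negative on two's-complement
 * compilers (gcc, clang): the bucket pointer would move backwards. */
int64_t bucket_offset_signed(uint32_t nmaskwords)
{
    int bloom_size32 = (WORD_SIZE / 32) * nmaskwords;
    return 4 + (int64_t)bloom_size32;
}

/* Same offset with the report's one-word fix (unsigned). The offset can no
 * longer go negative, but the 32-bit product still wraps: nmaskwords of
 * 0x80000000 gives a bloom size of 0 and buckets sitting on the header. */
int64_t bucket_offset_unsigned(uint32_t nmaskwords)
{
    unsigned int bloom_size32 = (WORD_SIZE / 32) * nmaskwords;
    return 4 + (int64_t)bloom_size32;
}

/* Acceptance check added here as an illustration (not rtld's own logic):
 * require a power-of-two mask word count, as the report says rtld does, and
 * also require the bloom filter and bucket array to fit inside the bytes
 * known to belong to the table, with every product done in 64 bits. */
bool gnu_hash_hdr_fits(const struct gnu_hash_hdr *h, uint64_t table_bytes)
{
    if (h->nmaskwords == 0 || (h->nmaskwords & (h->nmaskwords - 1)) != 0)
        return false;
    uint64_t bloom_size32 = (uint64_t)(WORD_SIZE / 32) * h->nmaskwords;
    uint64_t words_needed = 4 + bloom_size32 + h->nbuckets;
    return words_needed * 4 <= table_bytes;
}

int main(void)
{
    /* Constructed 16-byte header: nbuckets=3, symndx=1, nmaskwords=0x40000000,
     * shift2=6. nmaskwords is a power of two, so that test alone accepts it. */
    const uint8_t crafted[16] = {
        3, 0, 0, 0,   1, 0, 0, 0,   0, 0, 0, 0x40,   6, 0, 0, 0
    };
    struct gnu_hash_hdr h = parse_gnu_hash_hdr(crafted);

    printf("nmaskwords = 0x%08x\n", h.nmaskwords);
    printf("bucket offset, signed int   : %lld words\n",
           (long long)bucket_offset_signed(h.nmaskwords));
    printf("bucket offset, unsigned int : %lld words\n",
           (long long)bucket_offset_unsigned(h.nmaskwords));
    printf("fits in a 4096-byte table   : %s\n",
           gnu_hash_hdr_fits(&h, 4096) ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall gnu_hash_demo.c` on a platform where `int` is 32 bits, as it is on the amd64 system in the report. The point the two offset functions make is that changing the type moves the bad pointer from before the table to far past it; only a check against the table's real extent rejects the header.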
>Unformatted:
