Message-Id: <200507181921.j6IJLdsj026340@www.freebsd.org>
Date: Mon, 18 Jul 2005 19:21:39 GMT
From: Harry Coin <harrycoin@qconline.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: no bounds check in kern_environment routine setenv, system crashes
X-Send-Pr-Version: www-2.3

>Number:         83687
>Category:       kern
>Synopsis:       [patch] no bounds check in kern_environment routine setenv, system crashes
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 18 19:30:12 GMT 2005
>Closed-Date:    Sun Jul 31 10:29:44 GMT 2005
>Last-Modified:  Sun Jul 31 10:29:44 GMT 2005
>Originator:     Harry Coin
>Release:        5.4
>Organization:
>Environment:
FreeBSD sueofficerm 5.4-RELEASE FreeBSD 5.4-RELEASE #23: Mon Jul 18 13:34:01 CDT 2005     root@server1.quietfountain.com:/usr/obj/usr/src/sys/DISKLESS  i386

>Description:
The kernel routine setenv in kern_environment.c allows dynamic additions and changes to the kernel environment (mostly hints) settings.

When setenv can't find the environment variable that is to be set to the passed-in value, it allocates a new entry, gives it the passed-in name, then sets it to the value.

The problem is that there is no bounds checking when it is time to add a variable. Repeated adds (which can be triggered from the userland kenv utility) simply corrupt memory past the end of the array and eventually crash the system.

Bugfix below.
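A small user-space model of the failure mode described above, added here as an illustration and not code from the PR or from FreeBSD: a NULL-terminated pointer table with a fixed number of slots, an append path with the bounds check that the report says is missing, and a fill routine that shows the table refusing further entries instead of writing past its end. The table size, the names kenv_set and kenv_fill, and the assumption that the array has KENV_SIZE + 1 slots (so the bound is i >= KENV_SIZE rather than the KENV_SIZE-1 used in the patch below) are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the kernel environment table from the PR: NULL-terminated,
 * KENV_SIZE entries plus the terminator.  KENV_SIZE is tiny so the limit is easy to reach. */
#define KENV_SIZE 4
static char *kenvp[KENV_SIZE + 1];

/* Mirrors setenv(): replace an existing "name=..." entry, otherwise append.
 * Returns 0 on success, -1 when the table is already full. */
int kenv_set(const char *name, const char *value)
{
	size_t namelen = strlen(name), len = namelen + 1 + strlen(value) + 1;
	char *buf = malloc(len);
	int i;

	if (buf == NULL)
		return -1;
	snprintf(buf, len, "%s=%s", name, value);
	for (i = 0; kenvp[i] != NULL; i++) {
		if (strncmp(kenvp[i], name, namelen) == 0 && kenvp[i][namelen] == '=') {
			free(kenvp[i]);		/* found: replace in place */
			kenvp[i] = buf;
			return 0;
		}
	}
	/* i indexes the terminating NULL.  The append writes kenvp[i] and kenvp[i + 1],
	 * so with KENV_SIZE + 1 slots it needs i < KENV_SIZE.  This is the bounds check
	 * the PR adds; without it the writes run off the end once i reaches KENV_SIZE. */
	if (i >= KENV_SIZE) {
		free(buf);
		return -1;
	}
	kenvp[i] = buf;
	kenvp[i + 1] = NULL;
	return 0;
}

/* Add fresh variables until the table refuses; returns how many it accepted. */
int kenv_fill(void)
{
	char name[32];
	int n;
	for (n = 0; n < KENV_SIZE * 2; n++) {
		snprintf(name, sizeof(name), "hint.%d", n);
		if (kenv_set(name, "1") != 0)
			break;
	}
	return n;
}
```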
>How-To-Repeat:

Just use kenv to add new variables until the system dies. This happens somewhere after 512 total variables.

Bugfix below.
>Fix:
--- /usr/src/sys/kern/kern_environment.c	Thu Mar 10 11:09:16 2005
+++ /mnt/server1/usr/src/sys/kern/kern_environment.c	Mon Jul 18 13:57:01 2005
@@ -349,6 +349,11 @@
 		/* We add the option if it wasn't found */
 		for (i = 0; (cp = kenvp[i]) != NULL; i++)
 			;
+		if (i>=KENV_SIZE-1) {  // prevent kernel memory corruption due to runaway growth
+		  free(buf,M_KENV); 
+		  sx_xunlock(&kenv_lock);
+		  return -1;
+		}
 		kenvp[i] = buf;
 		kenvp[i + 1] = NULL;
 		sx_xunlock(&kenv_lock);
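Review bot: the new check `if (i>=KENV_SIZE-1)` picks its bound without reference to how many slots kenvp actually has, which this hunk does not show; since the append writes both `kenvp[i]` and `kenvp[i + 1]`, the condition should be derived from the real array size (if kenvp is allocated with KENV_SIZE + 1 entries, `i >= KENV_SIZE` is exact and the `-1` variant leaves one usable slot permanently empty). The error path does free `buf` and drop `kenv_lock` before returning, which is right, but `return -1` should be checked against what setenv's callers, in particular the userland kenv path the description mentions, do with the value, since a bare -1 is not an errno code. Style: the `//` comment and two-space indentation do not match the `/* ... */` comments and tab indentation of the surrounding context lines.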

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: netchild
State-Changed-When: Sun Jul 31 10:29:20 GMT 2005
State-Changed-Why:
Modified version committed. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=83687
>Unformatted:
