From amistry@am-productions.biz  Mon Jul 25 05:26:38 2005
Return-Path: <amistry@am-productions.biz>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 50DEC16A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 25 Jul 2005 05:26:38 +0000 (GMT)
	(envelope-from amistry@am-productions.biz)
Received: from smtp1.fuse.net (mail-out1.fuse.net [216.68.8.174])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B777F43D48
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 25 Jul 2005 05:26:37 +0000 (GMT)
	(envelope-from amistry@am-productions.biz)
Received: from gx4.fuse.net ([66.42.172.210]) by smtp1.fuse.net
          (InterMail vM.6.01.04.04 201-2131-118-104-20050224) with ESMTP
          id <20050725052636.DATR4201.smtp1.fuse.net@gx4.fuse.net>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Mon, 25 Jul 2005 01:26:36 -0400
Received: from bigguy.am-productions.biz ([66.42.172.210]) by gx4.fuse.net
          (InterMail vG.1.02.00.02 201-2136-104-102-20041210) with ESMTP
          id <20050725052636.BYEY12227.gx4.fuse.net@bigguy.am-productions.biz>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Mon, 25 Jul 2005 01:26:36 -0400
Message-Id: <1122269180.0@bigguy.am-productions.biz>
Date: Mon, 25 Jul 2005 01:26:20 -0400
From: "Anish Mistry" <amistry@am-productions.biz>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@freebsd.org>
Cc: Harry Coin <harrycoin@qconline.com>
Subject: kenvp table size not checked
X-Send-Pr-Version: gtk-send-pr 0.4.4 
X-GNATS-Notify:

>Number:         84033
>Category:       kern
>Synopsis:       [patch] [panic] kenvp table size not checked
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 25 05:30:09 GMT 2005
>Closed-Date:    Mon Aug 01 14:32:48 GMT 2005
>Last-Modified:  Mon Aug 01 14:32:48 GMT 2005
>Originator:     Anish Mistry
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
AM Productions 
>Environment:


FreeBSD littleguy.am-productions.biz 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat Jul 23 17:27:32 EDT 2005     amistry@littleguy.am-productions.biz:/usr/obj/usr/src/sys/LITTLEGUY  i386



>Description:


In kern_environment.c the kernel environment table size isn't checked and
you can overflow the KENV_SIZE table.
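To make the problem concrete, here is an added userland model of the append path described above. It is example code written for this note, not the PR's patch or FreeBSD's kern_environment.c: the table is a NULL-terminated array of `KENV_SIZE` string pointers like `kenvp`, `KENV_SIZE` is set to a constructed small value so the limit is easy to hit, and the bounds check is the one the PR proposes (`i >= KENV_SIZE - 1`), which keeps the last slot free for the terminator and frees the pending buffer on the error path.

```c
/*
 * Added example, not from the PR or the FreeBSD source: a userland model of
 * appending to a NULL-terminated kenvp-style table with a bounds check.
 * KENV_SIZE is a constructed small value; the kernel's constant is larger.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KENV_SIZE 8 /* constructed: slots in the table, last one is the terminator */

/* NULL-terminated array of "name=value" strings, modelled on kenvp. */
static char *kenvp[KENV_SIZE];

/* Count live entries up to the NULL terminator (the scan loop the patch keeps). */
static int kenv_count(void)
{
    int i;

    for (i = 0; kenvp[i] != NULL; i++)
        ;
    return i;
}

/*
 * Append "name=value". Returns 0 on success, -1 on allocation failure or
 * when the table is full. The check mirrors the patch: if i >= KENV_SIZE-1,
 * slot i+1 (which must hold the NULL terminator) would lie past the array.
 */
static int kenv_add(const char *name, const char *value)
{
    size_t len = strlen(name) + 1 + strlen(value) + 1;
    char *buf = malloc(len);
    int i;

    if (buf == NULL)
        return -1;
    snprintf(buf, len, "%s=%s", name, value);

    i = kenv_count();
    if (i >= KENV_SIZE - 1) {
        free(buf); /* error path releases the buffer, as the patch does */
        return -1;
    }
    kenvp[i] = buf;
    kenvp[i + 1] = NULL;
    return 0;
}

/* Add numbered entries start..end (like test.sh); return how many were accepted. */
static int kenv_fill(int start, int end)
{
    int accepted = 0;
    char num[16];

    for (int n = start; n <= end; n++) {
        snprintf(num, sizeof num, "%d", n);
        if (kenv_add(num, num) == 0)
            accepted++;
    }
    return accepted;
}

/* Free every entry so the table can be reused. */
static void kenv_reset(void)
{
    for (int i = 0; kenvp[i] != NULL; i++) {
        free(kenvp[i]);
        kenvp[i] = NULL;
    }
}

int main(void)
{
    int n = kenv_fill(1, 5555);

    printf("accepted %d of 5555 entries; capacity is %d\n", n, KENV_SIZE - 1);
    kenv_reset();
    return 0;
}
```

Without the `i >= KENV_SIZE - 1` test, the write to `kenvp[i + 1]` on the entry that fills the table lands one slot past the array, which is the out-of-bounds write the PR reports; with it, the table saturates at `KENV_SIZE - 1` entries and the terminator stays in place.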


>How-To-Repeat:


Run the test script as root with a large value range, which causes the
system to panic, e.g. ./test.sh 1 5555

The patch fixes the problem and limits the size of the table to
KENV_SIZE-1 entries.


>Fix:


--- kern_environment.c.patch begins here ---
--- /sys/kern/kern_environment.c.orig	Sat Jul 23 16:43:32 2005
+++ /sys/kern/kern_environment.c	Sat Jul 23 16:46:28 2005
@@ -349,6 +349,11 @@
 		/* We add the option if it wasn't found */
 		for (i = 0; (cp = kenvp[i]) != NULL; i++)
 			;
+		if (i >= KENV_SIZE-1) {
+			sx_xunlock(&kenv_lock);
+			free(buf,M_KENV);
+			return (-1);
+		}
 		kenvp[i] = buf;
 		kenvp[i + 1] = NULL;
 		sx_xunlock(&kenv_lock);
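Review bot: the new check `if (i >= KENV_SIZE-1)` sits after the scan loop and correctly reserves the final slot for the NULL terminator (the later `kenvp[i + 1] = NULL` must stay inside the KENV_SIZE-entry table), and the error path both drops `kenv_lock` and frees `buf`, so the early return leaks nothing. Two points: the function now returns -1 when the table is full, but the hunk does not show how the caller handles that value, so confirm the kenv(2) set path propagates it as an error rather than leaving the caller believing the entry was stored; and for style(9) consistency with the surrounding code, write `free(buf, M_KENV)` and `KENV_SIZE - 1` with the usual spacing.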
--- kern_environment.c.patch ends here ---
--- test.sh begins here ---
#!/bin/sh
#
# test.sh START END: set kernel environment variables named START..END,
# one per iteration, to exercise the kenvp table limit. Run as root.
#
if [ $# -ne 2 ]; then
	echo "usage: $0 start end" >&2
	exit 1
fi
START=$1
END=$2
COUNT=$START
while [ "$COUNT" -le "$END" ]
do
	kenv "$COUNT=$COUNT"
	COUNT=`expr $COUNT + 1`
done
exit 0
--- test.sh ends here ---



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: avatar 
State-Changed-When: Mon Aug 1 14:32:11 GMT 2005 
State-Changed-Why:  
Duplicate of kern/83687. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84033 
>Unformatted:
