NetBSD Problem Report #51046

From  Tue Apr  5 14:28:58 2016
Date: Tue,  5 Apr 2016 14:28:57 +0000 (UTC)
Subject: kmem_alloc is not always tested, may corrupt stack.
X-Send-Pr-Version: www-1.0

>Number:         51046
>Category:       security
>Synopsis:       kmem_alloc is not always tested, may corrupt stack.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    security-officer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 05 14:30:00 +0000 2016
>Closed-Date:    Sat Apr 16 17:02:53 +0000 2016
>Last-Modified:  Sat Apr 16 17:02:53 +0000 2016
>Originator:     coypu
>Release:        NetBSD 7.99.26
NetBSD  7.99.26 NetBSD 7.99.26 (GENERIC) #5: Sat Apr  2 17:50:15 EDT 2016  maya@ender:/home/maya/obj/sys/arch/amd64/compile/GENERIC amd64
(Filing this with a lot of self-doubt, I am not sure that I am correct at all - kern/51045 may be unrelated - but if I am, it may have some security implications. Sorry if I am wasting anyone's time.)

There are several kmem_allocs that are not tested for failure.
This can cause stack corruption; as evidenced in kern/51045, running out of RAM and swap results in a kernel panic. I am not even sure that is the true cause of it yet.
It's possible that a clever attacker will use this to corrupt the stack to attack the kernel.

Possible list (using -current line numbers, at commit "Skip looking for .MAKE.JOBS if either of compatMake or forceJob is true.")

Some of these are probably wrong, as I did not read very thoroughly:

sys/uvm/uvm_device.c:218 (Original cause of panic)

Uncertain: sys/uvm/uvm_swap.c:527,631,.. etc.

If you confirm I am correct I will continue searching for more.



From: coypu@SDF.ORG
Subject: Re: security/51046: kmem_alloc is not always tested, may corrupt
Date: Tue, 5 Apr 2016 19:12:21 +0000

Errr... not testing it is fine because of the second parameter, sorry. I
don't know why it (apparently) did not work for me.
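
The retraction above turns on the second argument to kmem_alloc(9): a KM_SLEEP allocation waits for memory and does not return NULL, so the unchecked call sites listed in the report are fine, whereas a KM_NOSLEEP allocation can return NULL and must be tested. The script below is an added example, not part of this PR, that triages call sites by that rule; the C fragment it scans is constructed here, and the KM_SLEEP/KM_NOSLEEP contract is the one documented in kmem(9).

```python
import re
from typing import List, Tuple

# "var = kmem_alloc(...)" or "var = kmem_zalloc(...)" on one line:
# group 1 is the assigned variable, group 2 the argument list.
CALL_RE = re.compile(r'\b(\w+)\s*=\s*kmem_z?alloc\s*\((.*)\)')
LOOKAHEAD = 5  # lines after the call in which a NULL test is expected

def is_null_check(line: str, var: str) -> bool:
    """True if the line tests `var` against NULL (either polarity, or `!var`)."""
    pats = [rf'\b{var}\s*[!=]=\s*NULL\b', rf'\bNULL\s*[!=]=\s*{var}\b', rf'!\s*{var}\b']
    return any(re.search(p, line) for p in pats)

def find_untested_allocs(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, var, reason) for kmem_alloc call sites that need a look.

    KM_SLEEP callers are skipped: that allocation does not return NULL.
    'unchecked' means KM_NOSLEEP with no NULL test in the next LOOKAHEAD lines;
    'uncertain' means the flag is not a literal, so it must be read by hand.
    """
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = CALL_RE.search(line)
        if not m:
            continue
        var, args = m.group(1), m.group(2)
        if re.search(r'\bKM_SLEEP\b', args):
            continue
        window = lines[idx + 1:idx + 1 + LOOKAHEAD]
        if any(is_null_check(w, var) for w in window):
            continue
        reason = 'unchecked' if 'KM_NOSLEEP' in args else 'uncertain'
        findings.append((idx + 1, var, reason))
    return findings

# Constructed C fragment (hypothetical driver code, not from the NetBSD tree).
SAMPLE_C = """\
static int
example(struct softc *sc, int flags)
{
    sc->buf = kmem_alloc(sc->len, KM_SLEEP);       /* cannot fail: no test needed */
    sc->dev = kmem_zalloc(sizeof(*sc->dev), KM_NOSLEEP);
    if (sc->dev == NULL)
        return ENOMEM;
    sc->tmp = kmem_alloc(sc->len, KM_NOSLEEP);     /* missing NULL test */
    memcpy(sc->tmp, sc->buf, sc->len);
    sc->aux = kmem_alloc(sc->len, flags);          /* flag not known statically */
    return 0;
}
"""

if __name__ == "__main__":
    for line_no, var, reason in find_untested_allocs(SAMPLE_C):
        print(f"line {line_no}: {var} ({reason})")
```

The heuristic only looks a few lines past the assignment, so a check that lives further away is reported and must be dismissed by reading the code, which is the safe direction for a triage tool.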

State-Changed-From-To: open->closed
State-Changed-When: Sat, 16 Apr 2016 17:02:53 +0000
submitter realized the error of their ways

