NetBSD Problem Report #52078
From www@NetBSD.org Wed Mar 15 16:01:34 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id 7A0787A21F
for <gnats-bugs@gnats.NetBSD.org>; Wed, 15 Mar 2017 16:01:34 +0000 (UTC)
Message-Id: <20170315160133.82F197A237@mollari.NetBSD.org>
Date: Wed, 15 Mar 2017 16:01:33 +0000 (UTC)
From: n54@gmx.com
Reply-To: n54@gmx.com
To: gnats-bugs@NetBSD.org
Subject: kinfo_getvmmap(3) can panic the kernel
X-Send-Pr-Version: www-1.0
>Number: 52078
>Category: kern
>Synopsis: kinfo_getvmmap(3) can panic the kernel
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 15 16:05:00 +0000 2017
>Closed-Date: Sun Mar 26 19:50:41 +0000 2017
>Last-Modified: Sun Mar 26 19:50:41 +0000 2017
>Originator: Kamil Rytarowski
>Release: NetBSD 7.99.63 amd64
>Organization:
TNF
>Environment:
NetBSD chieftec 7.99.63 NetBSD 7.99.63 (GENERIC) #8: Tue Feb 28 11:56:53 CET 2017 root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
A regular user can panic the kernel with a one-liner in C:
kinfo_getvmmap(0, &count)
or
kinfo_getvmmap(1, &count)
Other pid values might be vulnerable as well.
>How-To-Repeat:
/* gcc -o main main.c -lutil */
#include <sys/param.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <util.h>
#include <unistd.h>
#include <stdint.h>
#include <inttypes.h>

/* Dump the vm.proc.map entries of one process via kinfo_getvmmap(3). */
void
print(int pid)
{
	struct kinfo_vmentry *vm;
	size_t count = 0;
	size_t i;

	printf("Scanning pid %d\n", pid);
	vm = kinfo_getvmmap(pid, &count);
	printf("vm=%p count=%zu\n", vm, count);
	if (vm == NULL)
		return;		/* lookup failed; nothing to walk or free */
	for (i = 0; i < count; i++)
		printf("path='%s' start=%" PRIx64 " end=%" PRIx64
		    " protection=%" PRIx32 "\n",
		    vm[i].kve_path, vm[i].kve_start, vm[i].kve_end,
		    vm[i].kve_protection);
	free(vm);
}

int
main(void)
{
	print(getpid());
	/* panic the kernel */
	print(0);
	/* panic the kernel */
	print(1);
	return 0;
}
>Fix:
N/A
>Release-Note:
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/52078: kinfo_getvmmap(3) can panic the kernel
Date: Wed, 15 Mar 2017 17:31:03 +0100
Looks like this:
panic: kernel diagnostic assertion "requested_size > 0" failed: file "../../../../kern/subr_kmem.c", line 257
cpu0: Begin traceback...
0xcd5bfcdc: netbsd:db_panic+0x10
0xcd5bfcf4: netbsd:vpanic+0x134
0xcd5bfd0c: netbsd:kern_assert+0x40
0xcd5bfd44: netbsd:kmem_intr_alloc+0x134
0xcd5bfd64: netbsd:kmem_alloc+0x4c
0xcd5bfe7c: netbsd:sysctl_vmproc+0x148
0xcd5bfec4: netbsd:sysctl_dispatch+0xc4
0xcd5bff34: netbsd:sys___sysctl+0xd4
0xcd5bffac: netbsd:syscall+0x9c
cpu0: End traceback...
Martin
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52078 CVS commit: src/sys/uvm
Date: Wed, 15 Mar 2017 16:25:41 -0400
Module Name: src
Committed By: christos
Date: Wed Mar 15 20:25:41 UTC 2017
Modified Files:
src/sys/uvm: uvm_map.c
Log Message:
PR/52078: Don't panic on 0 allocation, check more bounds.
To generate a diff of this commit:
cvs rdiff -u -r1.342 -r1.343 src/sys/uvm/uvm_map.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
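The traceback above ends in kmem_alloc() failing its DIAGNOSTIC assertion "requested_size > 0": sysctl_vmproc asked the kernel allocator for a zero-byte buffer, which a DIAGNOSTIC kernel treats as a kernel bug and panics on rather than returning an error to the caller. The block below is an added example, not code from this PR, from NetBSD's sys/uvm/uvm_map.c or from the committed fix. It is a userland model of the handler shape involved (compute nentries * elem_size, allocate, fill, copy out): fill_vmentries_unsafe() reaches the zero-length allocation for a map with no entries, and fill_vmentries_safe() shows the checks that avoid it, answering an empty map with length 0 and no allocation, bounding the caller-supplied element size, and refusing a size product that would wrap. Those checks follow the direction of the commit log ("Don't panic on 0 allocation, check more bounds"); they are not a reproduction of the r1.343 diff, which is not on this page. All type, function and scenario names and the two-entry sample map are constructed for the example; kmem_alloc_model() records the assertion instead of halting so both handlers can be compared in one run.

```c
/*
 * Added example, not PR or NetBSD code: a userland model of the sysctl handler
 * shape behind kinfo_getvmmap(3).  vmentry_t, vm_map_model_t and the
 * fill_vmentries_*() functions are hypothetical names; kmem_alloc_model()
 * stands in for kmem_alloc(9), recording its "requested_size > 0" assertion.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint64_t start, end; uint32_t protection; } vmentry_t;
typedef struct { size_t nentries; const vmentry_t *entries; } vm_map_model_t;
enum { R_OK = 0, R_EINVAL, R_ENOMEM, R_PANIC, R_BADDATA };
static int model_panicked;           /* set when the modelled KASSERT fires */

static void *
kmem_alloc_model(size_t size)
{
	model_panicked |= (size == 0);   /* KASSERT(requested_size > 0) */
	return size == 0 ? NULL : malloc(size);
}

/* Unsafe: allocates nentries * elem_size before checking either factor, so a
 * map with no entries reaches kmem_alloc_model(0), the failure the traceback
 * shows.  The caller-chosen elem_size (mib[4] in kinfo_getvmmap's query) is
 * trusted as well.  Filling and copying out the buffer is left out here. */
static int
fill_vmentries_unsafe(const vm_map_model_t *map, size_t elem_size,
    size_t *oldlenp)
{
	size_t len = map->nentries * elem_size;
	char *buf;

	model_panicked = 0;
	if ((buf = kmem_alloc_model(len)) == NULL)
		return model_panicked ? R_PANIC : R_ENOMEM;
	*oldlenp = len;
	free(buf);
	return R_OK;
}

/* Hardened: bounds elem_size to (0, sizeof(vmentry_t)], refuses a length that
 * would wrap, and answers an empty map with length 0 and no allocation.  This
 * follows the direction of the fix, not the exact checks committed. */
static int
fill_vmentries_safe(const vm_map_model_t *map, size_t elem_size,
    void *oldp, size_t *oldlenp)
{
	size_t i, len;
	char *buf;

	if (elem_size == 0 || elem_size > sizeof(vmentry_t) ||
	    map->nentries > SIZE_MAX / elem_size)
		return R_EINVAL;
	if (map->nentries == 0) {
		*oldlenp = 0;            /* "no mappings" is a valid answer */
		return R_OK;
	}
	len = map->nentries * elem_size;
	if (oldp != NULL) {              /* NULL oldp is a size probe */
		if (*oldlenp < len || (buf = kmem_alloc_model(len)) == NULL)
			return R_ENOMEM;
		for (i = 0; i < map->nentries; i++)
			memcpy(buf + i * elem_size, &map->entries[i], elem_size);
		memcpy(oldp, buf, len);
		free(buf);
	}
	*oldlenp = len;
	return R_OK;
}

/* Constructed inputs: an empty map and a two-entry map. */
static const vmentry_t sample_entries[] = {
	{ 0x1000, 0x2000, 0x5 }, { 0x7f0000000000ULL, 0x7f0000010000ULL, 0x3 },
};
static const vm_map_model_t empty_map = { 0, NULL };
static const vm_map_model_t sample_map = { 2, sample_entries };

/* Named scenarios returning the handler's result code.  R_BADDATA means the
 * hardened handler returned R_OK with a wrong length or wrong contents. */
int
scenario(const char *name)
{
	vmentry_t out[2];
	size_t len = sizeof(out), esz = sizeof(vmentry_t);
	int r;

	if (strcmp(name, "unsafe-empty") == 0)
		return fill_vmentries_unsafe(&empty_map, esz, &len);
	if (strcmp(name, "safe-empty") == 0) {
		r = fill_vmentries_safe(&empty_map, esz, NULL, &len);
		return r == R_OK && len != 0 ? R_BADDATA : r;
	}
	if (strcmp(name, "safe-oversized") == 0)
		return fill_vmentries_safe(&sample_map, esz + 8, NULL, &len);
	r = fill_vmentries_safe(&sample_map, esz, out, &len);   /* copy out */
	if (r == R_OK && (len != sizeof(out) || memcmp(out, sample_entries, len)))
		return R_BADDATA;
	return r;
}
```

For the same empty map, scenario("unsafe-empty") returns R_PANIC (the modelled assertion fired inside the allocator) while scenario("safe-empty") returns R_OK with a reported length of 0; scenario("safe-oversized") shows the element size supplied by the caller being rejected with R_EINVAL instead of being used to size a copy, and the default scenario confirms the hardened path still copies the two sample entries out intact. The point of the ordering in fill_vmentries_safe() is that every quantity derived from untrusted or process-dependent input (elem_size, nentries, their product) is validated before it is handed to an allocator whose zero-size contract is enforced by assertion rather than by an error return.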
State-Changed-From-To: open->closed
State-Changed-By: kamil@NetBSD.org
State-Changed-When: Sun, 26 Mar 2017 21:50:41 +0200
State-Changed-Why:
Fixed by christos@ Thanks!
>Unformatted:
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.