NetBSD Problem Report #52573

From www@NetBSD.org  Mon Sep 25 22:52:07 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 265317A209
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 25 Sep 2017 22:52:07 +0000 (UTC)
Message-Id: <20170925225205.EB3897A2A9@mollari.NetBSD.org>
Date: Mon, 25 Sep 2017 22:52:05 +0000 (UTC)
From: bruno@clisp.org
Reply-To: bruno@clisp.org
To: gnats-bugs@NetBSD.org
Subject: Insufficient parameter validation in sysctl VM_PROC_MAP leads to kernel panic
X-Send-Pr-Version: www-1.0

>Number:         52573
>Category:       kern
>Synopsis:       Insufficient parameter validation in sysctl VM_PROC_MAP leads to kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    pgoyette
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 25 22:55:00 +0000 2017
>Closed-Date:    Sun Oct 01 10:25:38 +0000 2017
>Last-Modified:  Sun Oct 01 10:35:00 +0000 2017
>Originator:     Bruno Haible
>Release:        netbsd-8 201709170600Z
>Organization:
GNU
>Environment:
NetBSD netbsd8 8.0_BETA NetBSD 8.0_BETA (GENERIC.201709170600Z) i386
>Description:
When a program passes to the sysctl VM_PROC_MAP a length that is not a multiple of 1128, the kernel will clear a kernel memory region that is 1128 bytes larger than the one it has allocated.

Look at the code in
http://bxr.su/NetBSD/sys/uvm/uvm_map.c#fill_vmentries

Example:
elem_size = 1128
*oldlenp = 7897 = 7*1128+1
line 4970: count = 7
line 4973: vmesize = 7*1128 = 7896
line 4991: allocates 7896 bytes of memory
line 4994 at the 8th iteration:
  count = 7
  dp = oldp + 7*elem_size = oldp + 7896
  The condition (dp - (char *)oldp) < *oldlenp is true (7896 < 7897)
  therefore it invokes fill_vmentry.
line 4880 memset clears additional 1128 bytes.
In total 8*1128 = 9024 bytes of memory are overwritten at vme, although only 7896 bytes of memory were allocated.

>How-To-Repeat:
$ wget https://haible.de/bruno/gnu/netbsd-VM_PROC_MAP-bug.c
$ gcc netbsd-VM_PROC_MAP-bug.c
$ sync; sync; sync
$ ./a.out
=> green screen and reboot

>Fix:
At line 4994, replace
if (oldp && (dp - (char *)oldp) < *oldlenp)
by
if (oldp && (dp - (char *)oldp) < vmesize)
or
if (oldp && count * sizeof(*vme) < vmesize)
(then you can also remove 'dp' from this loop; it is not used in this loop.)

Similarly, line 5012 probably needs attention as well.
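The arithmetic in the description above, as an added user-space model that is not the PR's or NetBSD's code: it replays the count/vmesize computation and the loop's bounds check for the reported *oldlenp = 7897, once with the pre-fix condition and once with the suggested vmesize condition. ELEM_SIZE, the 'entries' parameter and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define ELEM_SIZE 1128u  /* element size the PR reports for VM_PROC_MAP (assumed constant) */

/*
 * Model of the allocation and copy loop in fill_vmentries() as the PR
 * describes it (illustration only, not the kernel code itself).
 * oldlen is the caller-supplied *oldlenp; 'entries' is how many map entries
 * the loop visits. Returns how many entries are written into the buffer.
 * fixed == 0 models the pre-fix check   (dp - (char *)oldp) < *oldlenp
 * fixed != 0 models the suggested check (dp - (char *)oldp) < vmesize
 */
size_t filled_entries(size_t oldlen, size_t entries, int fixed)
{
    size_t count = oldlen / ELEM_SIZE;   /* line 4970: whole elements that fit */
    size_t vmesize = count * ELEM_SIZE;  /* line 4973: bytes actually allocated */
    size_t off = 0;                      /* dp - (char *)oldp: bytes written so far */
    size_t filled = 0;

    for (size_t i = 0; i < entries; i++) {
        size_t limit = fixed ? vmesize : oldlen;
        if (off < limit) {               /* line 4994 */
            filled++;                    /* fill_vmentry() memsets ELEM_SIZE bytes here */
            off += ELEM_SIZE;
        }
    }
    return filled;
}

/* Bytes written past the vmesize allocation for these parameters (0 when safe). */
size_t overrun_bytes(size_t oldlen, size_t entries, int fixed)
{
    size_t vmesize = (oldlen / ELEM_SIZE) * ELEM_SIZE;
    size_t written = filled_entries(oldlen, entries, fixed) * ELEM_SIZE;
    return written > vmesize ? written - vmesize : 0;
}

int main(void)
{
    /* The PR's numbers: *oldlenp = 7897 = 7*1128 + 1, a map with 8 entries. */
    printf("pre-fix: %zu entries written, %zu bytes past the allocation\n",
           filled_entries(7897, 8, 0), overrun_bytes(7897, 8, 0));
    printf("fixed:   %zu entries written, %zu bytes past the allocation\n",
           filled_entries(7897, 8, 1), overrun_bytes(7897, 8, 1));
    return 0;
}
```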

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->pgoyette
Responsible-Changed-By: pgoyette@NetBSD.org
Responsible-Changed-When: Sun, 01 Oct 2017 01:06:00 +0000
Responsible-Changed-Why:
I'll take it


From: "Paul Goyette" <pgoyette@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52573 CVS commit: src/sys/uvm
Date: Sun, 1 Oct 2017 01:45:02 +0000

 Module Name:	src
 Committed By:	pgoyette
 Date:		Sun Oct  1 01:45:02 UTC 2017

 Modified Files:
 	src/sys/uvm: uvm_map.c

 Log Message:
 Fix user-triggerable kernel crash as reported in PR kern/52573 (from
 Bruno Haible).

 XXX Pull-up to netbsd-8


 To generate a diff of this commit:
 cvs rdiff -u -r1.351 -r1.352 src/sys/uvm/uvm_map.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: pgoyette@NetBSD.org
State-Changed-When: Sun, 01 Oct 2017 01:52:04 +0000
State-Changed-Why:
Fix committing, pending pullup #8-294


State-Changed-From-To: pending-pullups->closed
State-Changed-By: pgoyette@NetBSD.org
State-Changed-When: Sun, 01 Oct 2017 10:25:38 +0000
State-Changed-Why:
Pullups completed.

Thanks for the PR, and for the analysis and fix.


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/52573 CVS commit: [netbsd-8] src/sys/uvm
Date: Sun, 1 Oct 2017 10:20:04 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sun Oct  1 10:20:03 UTC 2017

 Modified Files:
 	src/sys/uvm [netbsd-8]: uvm_map.c

 Log Message:
 Pull up following revision(s) (requested by pgoyette in ticket #294):
 	sys/uvm/uvm_map.c: revision 1.352
 Fix user-triggerable kernel crash as reported in PR kern/52573 (from
 Bruno Haible).


 To generate a diff of this commit:
 cvs rdiff -u -r1.351 -r1.351.2.1 src/sys/uvm/uvm_map.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
