1) Buffer overflow

gssd_syscall contains the following code:

    char path[MAXPATHLEN];
    [..]
    error = copyinstr(uap->path, path, sizeof(path), NULL);
    [..]
    strcpy(sun.sun_path, path);

sun_path's size is 104 while MAXPATHLEN expands to 1024, thus providing a string large enough will cause a buffer overflow.

2) Use after free

    error = priv_check(td, PRIV_NFS_DAEMON);
    if (error)
        return (error);
    if (kgss_gssd_handle)
        CLNT_DESTROY(kgss_gssd_handle);
    error = copyinstr(uap->path, path, sizeof(path), NULL);
    if (error)
        return (error);
    [..]
    kgss_gssd_handle = clnt_reconnect_create(nconf, [..]

So one "correct" call of gssd_syscall will set kgss_gssd_handle, the first call with an incorrect path will invalidate it and the second call will cause a panic.

Fix: Replace MAXPATHLEN with sizeof(sun.sun_path) and move CLNT_DESTROY(kgss_gssd_handle) after copyinstr. Patch attached with submission follows:

How-To-Repeat: Using the following code:

    /* gssd_syscall(2) has no public header; declare the libc syscall stub. */
    int gssd_syscall(const char *path);

    int
    main(int argc, char **argv)
    {
        /* Hand the user-supplied path straight to the kernel. */
        gssd_syscall(argv[1]);
        return (0);
    }

1) Buffer overflow

    ./a.out `perl -e 'print("A"x1000)'`

2) Use after free

    ./a.out `perl -e 'print("A"x100)'`; ./a.out `perl -e 'print("A"x2000)'`; ./a.out `perl -e 'print("A"x2000)'`
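Added example, not the kernel code or the attached patch: a userland model in C of the fixed ordering. set_sun_path, gssd_reconnect and fake_handle are hypothetical names; the bounded copy stands in for copyinstr sized by sizeof(sun.sun_path), and free() stands in for CLNT_DESTROY. An over-long path is rejected before the old handle is torn down, so the handle never dangles.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SUN_PATH_LEN sizeof(((struct sockaddr_un *)0)->sun_path)

/* Hypothetical stand-in for the kernel RPC client handle. */
struct fake_handle { char path[SUN_PATH_LEN]; };

/* Bounded copy into sun_path, bounded by sizeof(sun_path) rather than
 * MAXPATHLEN: a string that does not fit, NUL included, is rejected with
 * ENAMETOOLONG, which is what copyinstr reports when its buffer fills. */
int set_sun_path(struct sockaddr_un *sun, const char *path)
{
    const char *end = memchr(path, '\0', SUN_PATH_LEN);
    if (end == NULL)
        return ENAMETOOLONG;
    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_LOCAL;
    memcpy(sun->sun_path, path, (size_t)(end - path) + 1);
    return 0;
}

/* Fixed ordering: validate and copy the path first; destroy the old handle
 * only once the replacement is certain to be created. On error *handle is
 * left untouched and still valid. */
int gssd_reconnect(struct fake_handle **handle, const char *path)
{
    struct sockaddr_un sun;
    int error = set_sun_path(&sun, path);
    if (error)
        return error;
    struct fake_handle *h = malloc(sizeof(*h));
    if (h == NULL)
        return ENOMEM;
    memcpy(h->path, sun.sun_path, SUN_PATH_LEN);
    if (*handle)
        free(*handle);          /* CLNT_DESTROY, now after copyinstr */
    *handle = h;
    return 0;
}

int main(int argc, char **argv)
{
    struct fake_handle *h = NULL;
    for (int i = 1; i < argc; i++)
        printf("%s -> %d\n", argv[i], gssd_reconnect(&h, argv[i]));
    free(h);
    return 0;
}
```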
For bugs matching the following criteria:
Status: In Progress
Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]
* bulk change for the keyword
* summary lines may be edited manually (not in bulk).
Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
fixed by other changes years ago