Bug 134010 - [libgssapi][patch] Buffer overflow and use-after-free in gssd_syscall
Summary: [libgssapi][patch] Buffer overflow and use-after-free in gssd_syscall
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 8.0-CURRENT
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-26 00:20 UTC by Mateusz Guzik
Modified: 2018-01-03 05:16 UTC (History)
0 users

See Also:


Attachments
file.diff (681 bytes, patch)
2009-04-26 00:20 UTC, Mateusz Guzik
no flags

Description Mateusz Guzik 2009-04-26 00:20:01 UTC
1) Buffer overflow

gssd_syscall contains the following code:

char path[MAXPATHLEN];
[..]
error = copyinstr(uap->path, path, sizeof(path), NULL);
[..]
strcpy(sun.sun_path, path);

sun_path's size is 104 while MAXPATHLEN expands to 1024, thus providing a string large enough will cause a buffer overflow.

2) Use after free

error = priv_check(td, PRIV_NFS_DAEMON);
if (error)
    return (error);

if (kgss_gssd_handle)
    CLNT_DESTROY(kgss_gssd_handle);

error = copyinstr(uap->path, path, sizeof(path), NULL);
if (error)
    return (error);
[..]
kgss_gssd_handle = clnt_reconnect_create(nconf,[..]

So one "correct" call of gssd_syscall will set kgss_gssd_handle, the first call with an incorrect path will invalidate it, and the second call will cause a panic.

Fix: Replace MAXPATHLEN with sizeof(sun.sun_path) and move CLNT_DESTROY(kgss_gssd_handle) after copyinstr.


Patch attached with submission follows:
How-To-Repeat: Using the following code:
int
main(int argc, char **argv)
{
	gssd_syscall(argv[1]);
	return (0);
}


1) Buffer overflow
./a.out `perl -e 'print("A"x1000)'`

2) Use after free

./a.out `perl -e 'print("A"x100)'`; ./a.out `perl -e 'print("A"x2000)'`; ./a.out `perl -e 'print("A"x2000)'`
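The following is an added example, not FreeBSD code and not the attached patch: a small userland model of the two defects in this report and of the fix proposed above (bound the copy by sizeof(sun.sun_path); destroy the old handle only after copyinstr has accepted the new path). MAXPATHLEN, the 104-byte sun_path, copyinstr_model() (which drops the trailing lenp argument of the real copyinstr) and the clnt_*_model() handle bookkeeping are assumptions shaped like the kernel APIs quoted in the description; the strcpy overflow itself is not performed, it is only reported by old_bound_would_overflow(), and "destroy" clears a flag instead of freeing so the stale handle can be inspected safely.

```c
/* Added example, not FreeBSD code: userland model of both defects in this
 * report and of the reporter's fix.  MAXPATHLEN, the 104-byte sun_path,
 * copyinstr_model() and the clnt_*_model() bookkeeping are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MAXPATHLEN 1024                          /* the kernel's value */
struct sockaddr_un_model {                       /* sun_path is 104 bytes on FreeBSD */
    unsigned char sun_len, sun_family;
    char sun_path[104];
};

/* copyinstr() stand-in: copy at most len bytes including the NUL and fail with
 * ENAMETOOLONG when no NUL appears within len, like the real call. */
static int
copyinstr_model(const char *uaddr, char *kaddr, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        kaddr[i] = uaddr[i];
        if (uaddr[i] == '\0')
            return (0);
    }
    return (ENAMETOOLONG);
}

/* RPC client handle: destroy only clears a flag rather than freeing, so a
 * stale pointer can be inspected without undefined behaviour. */
struct clnt_model { int alive; };
static struct clnt_model clnt_storage;
struct clnt_model *kgss_gssd_handle;             /* NULL until the first good call */
static void clnt_destroy_model(struct clnt_model *c) { c->alive = 0; }
static struct clnt_model *clnt_create_model(void) { clnt_storage.alive = 1; return (&clnt_storage); }

/* Ordering from the report: the handle is destroyed before the path is
 * validated, so a failing copyinstr leaves kgss_gssd_handle dangling.  The
 * strcpy() overflow is not reproduced here; the path is simply dropped. */
int
gssd_syscall_before(const char *upath)
{
    char path[MAXPATHLEN];
    int error;

    if (kgss_gssd_handle != NULL)
        clnt_destroy_model(kgss_gssd_handle);    /* too early */
    error = copyinstr_model(upath, path, sizeof(path));
    if (error)
        return (error);                          /* handle now dangles */
    kgss_gssd_handle = clnt_create_model();
    return (0);
}

/* 1 if the MAXPATHLEN bound admits upath but strcpy(sun.sun_path, path) would
 * run past the 104-byte field; -1 if copyinstr rejects it anyway. */
int
old_bound_would_overflow(const char *upath)
{
    struct sockaddr_un_model sun;
    char path[MAXPATHLEN];

    if (copyinstr_model(upath, path, sizeof(path)) != 0)
        return (-1);
    return (strlen(path) + 1 > sizeof(sun.sun_path));
}

/* The proposed fix: bound the copy by sizeof(sun.sun_path) and destroy the
 * old handle only once the new path has been accepted. */
int
gssd_syscall_fixed(const char *upath)
{
    struct sockaddr_un_model sun;
    char path[sizeof(sun.sun_path)];             /* was MAXPATHLEN */
    int error;

    error = copyinstr_model(upath, path, sizeof(path));
    if (error)
        return (error);                          /* old handle untouched */
    memset(&sun, 0, sizeof(sun));
    sun.sun_family = 1;                          /* AF_UNIX */
    strcpy(sun.sun_path, path);                  /* fits: path < 104 bytes incl. NUL */
    if (kgss_gssd_handle != NULL)
        clnt_destroy_model(kgss_gssd_handle);    /* moved after copyinstr */
    kgss_gssd_handle = clnt_create_model();
    return (0);
}

/* Constructed input and inspection helpers for exercising both versions. */
static char pathbuf[4096];
const char *repeat_a(size_t n)                   /* n times 'A', NUL-terminated */
{
    if (n >= sizeof(pathbuf))
        n = sizeof(pathbuf) - 1;
    memset(pathbuf, 'A', n);
    pathbuf[n] = '\0';
    return (pathbuf);
}
void reset_model(void) { kgss_gssd_handle = NULL; clnt_storage.alive = 0; }
int handle_dangles(void) { return (kgss_gssd_handle != NULL && !kgss_gssd_handle->alive); }
```

Walking the How-To-Repeat sequence through the model shows the two points: with the original ordering, a 100-byte path succeeds and a 2000-byte path then returns ENAMETOOLONG while leaving kgss_gssd_handle pointing at a destroyed client, which is what the third call trips over; with the fixed ordering the handle from the first call survives the rejected second call, and the sizeof(sun.sun_path) bound makes copyinstr reject anything of 104 bytes or more before a copy into sun_path is ever attempted.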
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:29 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped