Bug 208807 - DoS in gsstest
Summary: DoS in gsstest
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-14 21:01 UTC by CTurt
Modified: 2016-05-03 20:44 UTC (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description CTurt 2016-04-14 21:01:50 UTC 
`gsstest` function from `sys/kgssapi/gsstest.c` performs `malloc` with an unlimited, user controlled, `size_t` value, and the `M_WAITOK` flag. Passing large values of `input_token.length` through the userland `args` would result in panic on systems where the `gsstest` kernel module is running.

sys/kgssapi/gsstest.c:

static int
gsstest(struct thread *td, struct gsstest_args *uap)
{
	int error;

	switch (uap->a_op) {
	case 1:
                return (gsstest_1(td));

	case 2: {
		struct gsstest_2_args args;
		struct gsstest_2_res res;
		gss_buffer_desc input_token, output_token;
		OM_uint32 junk;

		error = copyin(uap->a_args, &args, sizeof(args));
		if (error)
			return (error);
		input_token.length = args.input_token.length;
		input_token.value = malloc(input_token.length, M_GSSAPI,
		    M_WAITOK);
		...

sys/kgssapi/gssapi.h:

typedef struct gss_buffer_desc_struct {
  size_t length;
  void *value;
} gss_buffer_desc, *gss_buffer_t;

After copying the arguments from userland, the length should be checked against an upper limit.