[Bug 208985] DoS / heap overflow in bpf_stats_sysctl

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Apr 24 07:03:24 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208985

--- Comment #3 from CTurt <cturt at hardenedbsd.org> ---
Thanks for your response.

I firmly believe any `malloc` with an unchecked size from userland to
absolutely be a bug. As demonstrated by my PoC code, when accessible, this can
be used to at minimum panic a system. Even when accessible to root only, having
a bug like this present makes the system slightly less stable, no matter how
rarely it may occur.

It shouldn't really matter what requirements the function has; it is always
better to fix it to eliminate the possibility of this becoming critical in the
future if the code were ever to be altered. For example, you mention having
interest in altering this code in the future such that under a rare
circumstance, it would be accessible with normal user privileges.

My original patch set an arbitrary upper limit, which may not be appropriate.
However, if this limit is either increased or changed to be variable, I would
suggest removing the `M_WAITOK` flag and returning an error for when the call
fails instead.

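The allocation pattern the comment objects to, modeled in userland C as an added example (not FreeBSD's bpf_stats_sysctl and not the reporter's patch): `stats_vulnerable` allocates whatever length userland supplied, while `stats_hardened` sizes the buffer from kernel-side state under a fixed cap and turns allocator failure into an error, the behaviour the comment suggests in place of `M_WAITOK`. The record struct, the cap value and the allocation hook are assumptions made for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical userland model of a sysctl request; not FreeBSD's struct sysctl_req. */
struct req_model { size_t oldlen; };                   /* length supplied by userland, untrusted */
struct xbd_model { uint64_t rcount, dcount, fcount; };  /* stand-in per-descriptor stats record */

#define MAX_ENTRIES 4096                                /* placeholder hard cap on reported entries */

/* Allocation hook so a test can simulate allocator failure (M_NOWAIT-style semantics). */
typedef void *(*alloc_fn)(size_t);

static void *alloc_fail(size_t n) { (void)n; return NULL; }

/* Bug pattern: the allocation size comes straight from userland with no bound. */
int stats_vulnerable(const struct req_model *req, void **out, alloc_fn alloc)
{
    *out = alloc(req->oldlen);
    return 0;
}

/* Hardened model: derive the size from kernel-side state, cap it, and report
 * allocation failure as an error instead of sleeping on it. Returns 0 or errno. */
int stats_hardened(const struct req_model *req, size_t live_entries,
                   void **out, size_t *outlen, alloc_fn alloc)
{
    size_t need;

    *out = NULL;
    *outlen = 0;
    if (live_entries > MAX_ENTRIES)
        return E2BIG;                                   /* more entries than we will ever report */
    need = live_entries * sizeof(struct xbd_model);     /* cannot overflow under the cap */
    if (req->oldlen < need)
        return ENOMEM;                                  /* userland buffer too small: no allocation */
    *out = alloc(need);                                 /* allocate what the kernel needs, never oldlen */
    if (*out == NULL)
        return ENOMEM;                                  /* allocator failure becomes an error */
    *outlen = need;
    return 0;
}
```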