[Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add
bugzilla-noreply at freebsd.org
Fri Apr 1 11:36:49 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761
--- Comment #14 from CTurt <cturt at hardenedbsd.org> ---
I've taken another look at the code and found another potential bug. I'm not
certain if this is a bug yet, but I'd also like to bring the following code
from `imgact_binmisc_add_entry` to attention:
    /* Make sure we don't have any invalid #'s. */
    p = xbe->xbe_interpreter;
    while (1) {
        p = strchr(p, '#');
        if (!p)
            break;
        p++;
        switch(*p) {
        case ISM_POUND:
            /* "##" */
            p++;
            break;
        case ISM_OLD_ARGV0:
            /* "#a" */
            p++;
            break;
        case 0:
        default:
            /* Anything besides the above is invalid. */
            return (EINVAL);
        }
    }
From the comment, and usage of a loop, it seems like this code should be
checking that every '#' character in the string follows either another '#' or
an 'a' character; however, there is no way that this loop will ever be executed
more than once since all conditions lead to `break` or `return`. In its current
form the code will only validate the first '#' character.
To instead check that _every_ '#' character follows a valid character (and not
just the first '#' character), the `case`s should `continue` the loop as below:
    /* Make sure we don't have any invalid #'s. */
    p = xbe->xbe_interpreter;
    while (1) {
        p = strchr(p, '#');
        if (!p)
            break;
        p++;
        switch(*p) {
        case ISM_POUND:
            /* "##" */
            p++;
            continue;
        case ISM_OLD_ARGV0:
            /* "#a" */
            p++;
            continue;
        case 0:
        default:
            /* Anything besides the above is invalid. */
            return (EINVAL);
        }
    }
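To see concretely which interpreter strings each form of the loop rejects, here is a user-space version of both variants (an added example, not FreeBSD's code). ISM_POUND and ISM_OLD_ARGV0 are assumed to be '#' and 'a', as the "##" and "#a" comments indicate, and 0/EINVAL stand in for the kernel's return values. Since a `break` inside a `switch` leaves only the `switch`, both variants reject an invalid '#' that appears after a valid one, which is exactly what the inputs below exercise.

```c
#include <errno.h>
#include <string.h>

/* Assumed values of the kernel's ISM_* constants ("##" and "#a" per the comments). */
#define ISM_POUND      '#'
#define ISM_OLD_ARGV0  'a'

/* Variant 1: the posted loop with `break`. Returns 0 if every '#' in
 * interp is followed by '#' or 'a', otherwise EINVAL. */
int check_pounds_break(const char *interp)
{
    const char *p = interp;
    while (1) {
        p = strchr(p, '#');
        if (!p)
            break;              /* no more '#': accept the string */
        p++;
        switch (*p) {
        case ISM_POUND:         /* "##" */
            p++;
            break;              /* exits the switch only; the while loops again */
        case ISM_OLD_ARGV0:     /* "#a" */
            p++;
            break;
        case 0:                 /* lone '#' at end of string */
        default:                /* '#' followed by anything else */
            return (EINVAL);
        }
    }
    return (0);
}

/* Variant 2: the same loop with `continue`, as proposed above. */
int check_pounds_continue(const char *interp)
{
    const char *p = interp;
    while (1) {
        p = strchr(p, '#');
        if (!p)
            break;
        p++;
        switch (*p) {
        case ISM_POUND:     p++; continue;
        case ISM_OLD_ARGV0: p++; continue;
        case 0:
        default:            return (EINVAL);
        }
    }
    return (0);
}
```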
More information about the freebsd-security mailing list