[Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add
bugzilla-noreply at freebsd.org
Sun Jan 31 10:04:36 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206761
--- Comment #6 from CTurt <cturt at hardenedbsd.org> ---
I didn't even notice this before, but you're right.
imgact_binmisc_add_entry:

    sx_xlock(&interp_list_sx);
    if (imgact_binmisc_find_entry(xbe->xbe_name) != NULL) {
        sx_xunlock(&interp_list_sx);
        return (EEXIST);
    }

    /* Preallocate a new entry. */
    ibe = imgact_binmisc_new_entry(xbe);
    if (!ibe)
        return (ENOMEM);

    SLIST_INSERT_HEAD(&interpreter_list, ibe, link);
    interp_list_entry_count++;
    sx_xunlock(&interp_list_sx);
If the code ever reaches `return (ENOMEM);`, it is missing an
`sx_xunlock(&interp_list_sx);` call.
Unfortunately, this bug isn't triggerable, because `imgact_binmisc_add_entry`
uses `M_WAITOK` for its allocations, and so can never return `NULL`:
    static imgact_binmisc_entry_t *
    imgact_binmisc_new_entry(ximgact_binmisc_entry_t *xbe)
    {
        ibe = malloc(sizeof(*ibe), M_BINMISC, M_WAITOK|M_ZERO);
        ...
        return (ibe);
    }
My recommendation is to just remove the following check altogether:
    if (!ibe)
        return (ENOMEM);