kern/39559: veriexec(4): too easy to cause a NULL dereference through it in kernel

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/39559: veriexec(4): too easy to cause a NULL dereference through it in kernel
From: xtraeme%gmail.com@localhost
Date: Tue, 16 Sep 2008 06:50:00 +0000 (UTC)

>Number:         39559
>Category:       kern
>Synopsis:       veriexec(4): too easy to cause a NULL dereference through it 
>in kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 16 06:50:00 +0000 2008
>Originator:     Juan RP
>Release:        Latest
>Organization:
>Environment:
>Description:
While looking at other stuff in kernel, I've found some problems in
the veriexec(4) code.

1) The ioctl handler doesn't check if the fd is writable.
2) Root privilege and a simple small code is enough to cause a NULL
   dereference pointer though the ioctls VERIEXEC_LOAD/QUERY/DELETE.

Will send the example code in a few minutes.



>How-To-Repeat:

>Fix:
1) Check if fd is writable.
2) Check that prop_string_cstring_nocopy returns a valid string before
   passing it to namei() in the ioctl handler.

Prev by Date: NetBSD Nightly Trouble Ticket Report
Next by Date: Re: kern/39559: veriexec(4): too easy to cause a NULL dereference through it in kernel
Previous by Thread: kern/39552: ataraid(4): Intel MatrixRAID multiple volumes support
Next by Thread: Re: kern/39559: veriexec(4): too easy to cause a NULL dereference through it in kernel
Indexes:

Home | Main Index | Thread Index | Old Index