NetBSD-Bugs archive
kern/52078: kinfo_getvmmap(3) can panic the kernel
>Number: 52078
>Category: kern
>Synopsis: kinfo_getvmmap(3) can panic the kernel
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Mar 15 16:05:00 +0000 2017
>Originator: Kamil Rytarowski
>Release: NetBSD 7.99.63 amd64
>Organization:
TNF
>Environment:
NetBSD chieftec 7.99.63 NetBSD 7.99.63 (GENERIC) #8: Tue Feb 28 11:56:53 CET 2017 root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
A regular user can panic the kernel with a one-liner in C:
kinfo_getvmmap(0, &count)
or
kinfo_getvmmap(1, &count)
Other pid values might be vulnerable as well.
>How-To-Repeat:
/* cc main.c -o main -lutil */
#include <sys/param.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <util.h>

/*
 * Dump the VM map of one process through kinfo_getvmmap(3), the libutil
 * wrapper around the vm.proc.map sysctl.
 */
void
print(int pid)
{
	struct kinfo_vmentry *vm;
	size_t count;
	size_t i;

	printf("Scanning pid %d\n", pid);
	vm = kinfo_getvmmap(pid, &count);
	printf("vm=%p count=%zu\n", vm, count);
	if (vm == NULL) {
		/* Ordinary failure (e.g. no such pid); the panicking pids never return here. */
		perror("kinfo_getvmmap");
		return;
	}
	for (i = 0; i < count; i++)
		printf("path='%s' start=%" PRIx64 " end=%" PRIx64 " protection=%" PRIx32 "\n",
		    vm[i].kve_path, vm[i].kve_start, vm[i].kve_end, vm[i].kve_protection);
	free(vm);
}

int
main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	print(getpid());	/* works: the caller's own map */
	print(0);		/* panics the kernel */
	print(1);		/* panics the kernel (not reached if pid 0 already did) */
	return 0;
}
>Fix:
N/A