Date: Sat, 29 Jun 2013 02:12:32 GMT From: Shawn Webb <lattera@gmail.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/180077: [SECURITY] Potential DoS in RTLD Message-ID: <201306290212.r5T2CWHZ078785@oldred.freebsd.org> Resent-Message-ID: <201306290220.r5T2K0YX098101@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 180077 >Category: misc >Synopsis: [SECURITY] Potential DoS in RTLD >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jun 29 02:20:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Shawn Webb >Release: FreeBSD 9.1-STABLE >Organization: >Environment: FreeBSD hobby 9.1-RELEASE FreeBSD 9.1-STABLE #6 r251973+5173297: Wed Jun 19 01:49:18 EDT 2013 shawn@shawn-vm-host:/usr/obj/usr/src/sys/SEC amd64 >Description: In libexec/rtld-elf/rtld.c, line 854, the variable bloom_size32 is declared as a signed integer. The variable is first used on line 964, when it is assigned a user-controlled value. This value could be overflowed, causing the pointer on line 970 to point to a user-controlled area. The check on line 973 helps, though, as it makes it so that nmaskwords (which is used to calculate bloom_size32) must be a power of two. If the stars align right, an attacker could cause a DoS. I'm working on verifying whether code execution is possible, but my gut says it's not. >How-To-Repeat: >Fix: Change bloom_size32 to be unsigned. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201306290212.r5T2CWHZ078785>