From owner-freebsd-bugs@freebsd.org Fri Apr 1 11:36:49 2016 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BE8F4AEB943 for ; Fri, 1 Apr 2016 11:36:49 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A38E51F89 for ; Fri, 1 Apr 2016 11:36:49 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u31BanbI073011 for ; Fri, 1 Apr 2016 11:36:49 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206761] Kernel stack overflow in sysctl handler for kern.binmisc.add Date: Fri, 01 Apr 2016 11:36:49 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: needs-patch, needs-qa, security X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: cturt@hardenedbsd.org X-Bugzilla-Status: In Progress X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Apr 2016 11:36:49 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206761 --- Comment #14 from CTurt --- I've taken another look at the code and found another potential bug. I'm not certain if this is a bug yet, but I'd also like to bring the following code from `imgact_binmisc_add_entry` to attention: /* Make sure we don't have any invalid #'s. */ p =3D xbe->xbe_interpreter; while (1) { p =3D strchr(p, '#'); if (!p) break; p++; switch(*p) { case ISM_POUND: /* "##" */ p++; break; case ISM_OLD_ARGV0: /* "#a" */ p++; break; case 0: default: /* Anything besides the above is invalid. */ return (EINVAL); } } >From the comment, and usage of a loop, it seems like this code should be checking that every '#' character in the string follows either another '#' = or an 'a' character, however there is no way that this loop will ever be execu= ted more than once since all conditions lead to `break` or `return`. In its cur= rent form the code will only validate the first '#' character. To instead check that _every_ '#' character follows a valid character (and = not just the first '#' character), the `case`s should `continue` the loop as be= low: /* Make sure we don't have any invalid #'s. */ p =3D xbe->xbe_interpreter; while (1) { p =3D strchr(p, '#'); if (!p) break; p++; switch(*p) { case ISM_POUND: /* "##" */ p++; continue; case ISM_OLD_ARGV0: /* "#a" */ p++; continue; case 0: default: /* Anything besides the above is invalid. */ return (EINVAL); } } --=20 You are receiving this mail because: You are the assignee for the bug.=