Hi, I put here a bug among others:

------------------------- sys/kern/kern_exec.c -------------------------
	char *pathbuf = NULL;
	[...]
	pathbuf = pool_get(&namei_pool, PR_WAITOK);
	[...]
	/* setup new registers and do misc. setup. */
	if (pack.ep_emul->e_fixup != NULL) {
		if ((*pack.ep_emul->e_fixup)(p, &pack) != 0)
			goto free_pack_abort;
	}
	[...]
free_pack_abort:
	free(pack.ep_hdr, M_EXEC, 0);
	exit1(p, W_EXITCODE(0, SIGABRT), EXIT_NORMAL);
	/* NOTREACHED */

	atomic_clearbits_int(&pr->ps_flags, PS_INEXEC);
	if (pathbuf != NULL)
		pool_put(&namei_pool, pathbuf);
	return (0);
}
------------------------------------------------------------------------

'pathbuf' is leaked. This path being obviously reachable from userland, it is easy for a local (un)privileged user to cause the kernel to run out of memory and become unresponsive.

OpenBSD 5.7 is affected, and quite certainly previous releases.

Exploit here: http://m00nbsd.net/garbage/OpenBSD_execve-DoS.txt

You can see with vmstat -m that the namei pool becomes enormous.

Found by The Brainy Code Scanner. It is not the last bug Brainy has found, but it is the last one I report. I don't have time for that.

Maxime
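As an added illustration, not part of Maxime's report or of OpenBSD's kern_exec.c, the C stand-in below models the abort path with a counting allocator so that pool entries left outstanding by the early-exit path can be measured, and shows the corrected form that releases pathbuf before abandoning the exec. The pool, the fixup hook and every function name here are hypothetical simplifications of the kernel code quoted above.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for the kernel's namei pool: tracks live entries so a
 * leak on any return path shows up as a non-zero outstanding count, the way
 * the growing pool size shows up in vmstat -m. */
static int namei_live = 0;

static char *pool_get_sim(void) { namei_live++; return malloc(1024); }
static void pool_put_sim(char *p) { free(p); namei_live--; }

/* Simulated emulation fixup hook: a non-zero return means the exec must abort. */
typedef int (*fixup_fn)(void);

static int fixup_fails(void) { return 1; }
static int fixup_ok(void)    { return 0; }

/* Mirrors the structure of the reported path. With fixed == 0 the failure
 * branch abandons the exec without releasing pathbuf (the reported leak);
 * with fixed == 1 the buffer is returned to the pool first. */
static int exec_path(fixup_fn fixup, int fixed)
{
    char *pathbuf = pool_get_sim();

    if (fixup != NULL && fixup() != 0) {
        if (fixed) {
            /* Hardened form: give the pool entry back before the abort. */
            pool_put_sim(pathbuf);
            pathbuf = NULL;
        }
        /* In the kernel this is exit1() and never returns; here we report it. */
        return -1;
    }

    /* Normal completion path: the buffer is always released here. */
    pool_put_sim(pathbuf);
    return 0;
}

/* Drives the path `iterations` times and returns how many pool entries are
 * still outstanding afterwards; anything above zero is a per-call leak. */
int outstanding_after(int iterations, fixup_fn fixup, int fixed)
{
    namei_live = 0;
    for (int i = 0; i < iterations; i++)
        exec_path(fixup, fixed);
    return namei_live;
}
```

The leaky variant loses exactly one pool entry per failed exec, which is the unbounded growth the report describes; the fixed variant and the successful path leave nothing outstanding.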