On Jul 21, 2015 9:32 AM, "Maxime Villard" <m...@m00nbsd.net> wrote:
>
> Hi,
> I put here a bug among others:
>
> ------------------------- sys/kern/kern_exec.c -------------------------
>
>     char *pathbuf = NULL;
>
>     [...]
>
>     pathbuf = pool_get(&namei_pool, PR_WAITOK);
>
>     [...]
>
>     /* setup new registers and do misc. setup. */
>     if (pack.ep_emul->e_fixup != NULL) {
>         if ((*pack.ep_emul->e_fixup)(p, &pack) != 0)
>             goto free_pack_abort;
>     }
>
>     [...]
>
> free_pack_abort:
>     free(pack.ep_hdr, M_EXEC, 0);
>     exit1(p, W_EXITCODE(0, SIGABRT), EXIT_NORMAL);
>
>     /* NOTREACHED */
>     atomic_clearbits_int(&pr->ps_flags, PS_INEXEC);
>     if (pathbuf != NULL)
>         pool_put(&namei_pool, pathbuf);
>
>     return (0);
> }
>
> ------------------------------------------------------------------------
>
> 'pathbuf' is leaked.
>
> This path being obviously reachable from userland, it is easy for a
> local (un)privileged user to cause the kernel to run out of memory and
> become unresponsive. OpenBSD 5.7 is affected, and quite certainly
> previous releases.
>
> Exploit here:
>
> http://m00nbsd.net/garbage/OpenBSD_execve-DoS.txt
>
> You can see with vmstat -m that the namei pool becomes enormous.
>
> Found by The Brainy Code Scanner.
>
> It is not the last bug Brainy has found, but it is the last one I
> report. I don't have time for that.
>
> Maxime
Why such a dramatic tone?

-- Ville
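Added example, not code from the report or from the OpenBSD tree: a user-space C model of the leak quoted above, using constructed stand-ins (pool_get_sim, pool_put_sim, exit1_sim, a counter in place of vmstat -m) for the namei pool and exit1(). It shows why a pool_put() placed after a call that never returns can never run, and the corrected ordering beside it.

```c
#include <setjmp.h>

/* Constructed stand-in for the kernel's namei pool: it only counts
 * outstanding entries, the figure vmstat -m reports for the real pool. */
static int pool_outstanding = 0;
static char pool_slot[1024];

static char *pool_get_sim(void) { pool_outstanding++; return pool_slot; }
static void pool_put_sim(char *p) { (void)p; pool_outstanding--; }

/* Stand-in for exit1(): it never returns to the caller. Instead of
 * tearing down a process we unwind to whoever called setjmp(). */
static jmp_buf exit_env;
static void exit1_sim(void) { longjmp(exit_env, 1); }

/* Shape of the reported bug: the pool_put() sits after the noreturn
 * call, so the abort path leaks one namei pool entry per failed exec. */
static void exec_leaky(int fixup_fails)
{
    char *pathbuf = pool_get_sim();
    if (fixup_fails)
        goto free_pack_abort;
    pool_put_sim(pathbuf);
    return;
free_pack_abort:
    exit1_sim();
    /* NOTREACHED */
    pool_put_sim(pathbuf);
}

/* Corrected shape: release the pool entry before exit1() runs. */
static void exec_fixed(int fixup_fails)
{
    char *pathbuf = pool_get_sim();
    if (fixup_fails)
        goto free_pack_abort;
    pool_put_sim(pathbuf);
    return;
free_pack_abort:
    pool_put_sim(pathbuf);
    exit1_sim();
}

/* Drive one exec attempt and report how many pool entries remain
 * allocated afterwards; anything above 0 is a leak. */
static int outstanding_after(void (*exec_fn)(int), int fixup_fails)
{
    pool_outstanding = 0;
    if (setjmp(exit_env) == 0)
        exec_fn(fixup_fails);
    return pool_outstanding;
}
```

The counter plays the role of the pool size vmstat -m would show growing on a real system: each failed exec through the leaky path leaves one entry behind, while the fixed path returns to zero.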