>Number: 180077 >Category: misc >Synopsis: [SECURITY] Potential DoS in RTLD >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jun 29 02:20:00 UTC 2013 >Closed-Date: >Last-Modified: >Originator: Shawn Webb >Release: FreeBSD 9.1-STABLE >Organization: >Environment: FreeBSD hobby 9.1-RELEASE FreeBSD 9.1-STABLE #6 r251973+5173297: Wed Jun 19 01:49:18 EDT 2013 shawn@shawn-vm-host:/usr/obj/usr/src/sys/SEC amd64 >Description: In libexec/rtld-elf/rtld.c, line 854, the variable bloom_size32 is declared as a signed integer. The variable is first used on line 964, when it is assigned a user-controlled value. This value could be overflowed, causing the pointer on line 970 to point to a user-controlled area. The check on line 973 helps, though, as it makes it so that nmaskwords (which is used to calculate bloom_size32) must be a power of two. If the stars align right, an attacker could cause a DoS. I'm working on verifying whether code execution is possible, but my gut says it's not. >How-To-Repeat:
>Fix: Change bloom_size32 to be unsigned. >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "[email protected]"
