https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295520

            Bug ID: 295520
           Summary: Linux compat getsockopt IPV6_NEXTHOP performs
                    unbounded kernel malloc based on user-supplied optlen
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: [email protected]
          Reporter: [email protected]

Reclassified per secteam guidance — originally reported to [email protected],
directed to bugs.FreeBSD.org as a non-security kernel bug.

In sys/compat/linux/linux_socket.c, the Linux compatibility layer's
getsockopt() handler for IPV6_NEXTHOP allocates kernel memory based on the
user-supplied optlen parameter without imposing an upper bound.

While this requires the Linux compatibility module to be loaded (a root-only
operation), a process running under Linux emulation can trigger excessive
kernel memory allocation by passing a very large optlen value.

Suggested fix: Cap optlen to a reasonable maximum (e.g., sizeof(struct
sockaddr_in6)) before the kernel allocation.

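The cap suggested in the report, shown as a user-space model. This is an added example, not code from sys/compat/linux/linux_socket.c or from the reporter. The function names, the calloc/memcpy stand-ins for the kernel allocator and copyout(), and the sample next-hop value are assumptions made for illustration.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Upper bound proposed in the report: the option value is one IPv6 sockaddr. */
#define NEXTHOP_MAX ((socklen_t)sizeof(struct sockaddr_in6))

/* Pattern described in the report: allocation size is the caller's optlen. */
static size_t alloc_len_unbounded(socklen_t optlen) { return optlen; }

/* Pattern with the suggested cap applied before any allocation. */
static size_t alloc_len_capped(socklen_t optlen)
{
    return optlen > NEXTHOP_MAX ? NEXTHOP_MAX : optlen;
}

/* Hypothetical model of a getsockopt handler: ubuf/optlen are the caller's
 * buffer and value-result length; *allocated reports the size requested
 * from the allocator. */
static int model_get_nexthop(void *ubuf, socklen_t *optlen, size_t *allocated)
{
    struct sockaddr_in6 nh;                  /* constructed sample value */
    memset(&nh, 0, sizeof(nh));
    nh.sin6_family = AF_INET6;
    nh.sin6_addr = in6addr_loopback;
    size_t len = alloc_len_capped(*optlen);
    void *kbuf = calloc(1, len ? len : 1);   /* stands in for the kernel allocation */
    if (kbuf == NULL)
        return -1;
    *allocated = len;
    memcpy(kbuf, &nh, len);                  /* len <= sizeof(nh) after the cap */
    memcpy(ubuf, kbuf, len);                 /* stands in for copyout() */
    *optlen = (socklen_t)len;                /* report the bytes actually returned */
    free(kbuf);
    return 0;
}

int main(void)
{
    struct sockaddr_in6 out;
    socklen_t optlen = 0x40000000;           /* oversized length from the caller */
    size_t got = 0;
    model_get_nexthop(&out, &optlen, &got);
    printf("unbounded=%zu capped=%zu returned=%u\n", alloc_len_unbounded(0x40000000), got, (unsigned)optlen);
    return 0;
}
```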