Hi,
I put here a bug among others:
---------------------- sys/compat/linux/linux_socket.c ----------------------
969 if (lsa.optval != NULL) {
m = m_get(M_WAIT, MT_SOOPTS);
error = copyin(lsa.optval, mtod(m, caddr_t), lsa.optlen);
if (error) {
(void) m_free(m);
goto bad;
}
m->m_len = lsa.optlen;
}
so = (struct socket *)fp->f_data;
if (so->so_proto && level == IPPROTO_TCP && name == TCP_NODELAY &&
so->so_proto->pr_domain->dom_family == AF_LOCAL &&
so->so_proto->pr_protocol == PF_LOCAL) {
/* ignore it */
error = 0;
goto bad;
}
error = sosetopt(so, level, name, m);
bad:
FRELE(fp, p);
return (error);
-----------------------------------------------------------------------------
'm' is allocated and filled in when 'lsa.optval' is non-NULL, but the function may later jump to 'bad' (the TCP_NODELAY-on-AF_LOCAL branch, which returns 0) and return without freeing it; only sosetopt() consumes the mbuf on the normal path.
Since 'lsa' is user-controllable, a local (un)privileged user can easily trigger this leak repeatedly, causing the kernel to run out of memory and become unresponsive. OpenBSD 5.6/i386
is affected, and perhaps earlier releases as well.
Exploit here:
http://m00nbsd.net/garbage/OpenBSD_Linux_DoS.c
Binary sample:
http://m00nbsd.net/garbage/OpenBSD_Linux_DoS.tar.gz
Found by my code scanner.
Maxime