oss-sec mailing list archives
Re: CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD
From: cve-assign () mitre org
Date: Tue, 2 Aug 2016 19:48:18 -0400 (EDT)
Any user can trigger a panic by requesting a large mapping that overlaps with an existing mapping.
There is a flaw in uvm_map_isavail() when the requested size is very large.
Due to an integer overflow that can occur when computing "addr + sz" it is possible for the end_ptr map to be computed incorrectly
eventually call uvm_map_fix_space() which performs its own sanity lookup with uvm_mapent_addr_insert(), and panics if an overlapping mapping is added
it does not appear to be possible to make a mapping above the stack segment. All wrap-around mappings lower than this address overlap with the stack segment and result in a panic.
pg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
p = mmap(pg+4096, 0xffffff0000000000, 0, 0, fd, 0);
Use CVE-2016-6522.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
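The "addr + sz" wrap-around described in the report, shown as an added example (not code from the OpenBSD tree or from the message above): an unchecked range-end computation misses an overlap that an overflow-checked version rejects. The struct, function names and all addresses are hypothetical and constructed; only the size 0xffffff0000000000 comes from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one existing mapping as a half-open range [start, end). */
struct range { uint64_t start, end; };

/* Unchecked: addr + sz can wrap modulo 2^64, so end may be lower than addr. */
static bool overlaps_naive(struct range m, uint64_t addr, uint64_t sz)
{
    uint64_t end = addr + sz;
    return addr < m.end && m.start < end;
}

/* Checked: compute the end only when addr + sz fits in 64 bits. */
static bool range_end_checked(uint64_t addr, uint64_t sz, uint64_t *end)
{
    if (sz > UINT64_MAX - addr)
        return false;               /* request would wrap: refuse it */
    *end = addr + sz;
    return true;
}

/* Returns 0 if the range is free, 1 if it overlaps m, -1 if the request is invalid. */
static int check_avail(struct range m, uint64_t addr, uint64_t sz)
{
    uint64_t end;

    if (sz == 0 || !range_end_checked(addr, sz, &end))
        return -1;
    return (addr < m.end && m.start < end) ? 1 : 0;
}

int main(void)
{
    /* Constructed values: an existing mapping high in the address space
     * and a request placed just above a lower page. */
    struct range existing = { 0x7f0000000000ULL, 0x7f0000100000ULL };
    uint64_t addr = 0x100000001000ULL;
    uint64_t sz = 0xffffff0000000000ULL;    /* size from the report */

    printf("wrapped end: 0x%llx\n", (unsigned long long)(addr + sz));
    printf("naive overlap: %d\n", overlaps_naive(existing, addr, sz));
    printf("checked result: %d\n", check_avail(existing, addr, sz));
    return 0;
}
```

With these values the unchecked end wraps to an address below the requested start, so the overlap test sees an empty range and reports no conflict, while the checked version refuses the request before any comparison is made.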
Current thread:
- CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD Jesse Hertz (Aug 02)
- Re: CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD cve-assign (Aug 02)