Re: CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Any user can trigger a panic by requesting a large mapping
> that overlaps with an existing mapping.

> There is a flaw in uvm_map_isavail() when the requested size is very
> large.

> Due to an integer overflow that can occur when computing
> "addr + sz" it is possible for the end_ptr map to be
> computed incorrectly

> eventually call uvm_map_fix_space() which
> performs its own sanity lookup with uvm_mapent_addr_insert(),
> and panics if an overlapping mapping is added

> it does not appear to be possible
> to make a mapping above the stack segment. All wrap-around mappings
> lower than this address overlap with the stack segment and result
> in a panic.

>     pg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

>     p = mmap(pg+4096, 0xffffff0000000000, 0, 0, fd, 0);

Use CVE-2016-6522.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXoS62AAoJEHb/MwWLVhi2NtgP/RH6AK7RrZqwEUIPfFv7Mxrr
bTD80zaFxPgPUVe+I6ZyUMUVbvzcbzzE0ltZNPAu0i1kgKVlFTJD975jQU1P+8Qq
BacOj2pCd7uPGFrkZiYzi8TaRF1guAulQ2RJTmwmGYwULDknm5MeOyDVQLIRor/d
FrF5wLzQbi1SOOBeIvD9TLRVgyrBxTZVsYgi+933PATIU/PhntH5q4wsH0TTxWnB
q418AtW36B4iatxKMMRPG9L7IHh6ZGp4gfxcmunG3G0CFynX9kh1uW+hMBP+5sM8
OR6PKNSPL9Fol8UN8PesEhgvhfWiRG4ZICHd6WI4ZGHqC4Lm5ndBu+2DH+ccoFFj
nl8z1f6yQ1mpCy2aUCTnyrCSOJvIvuAKiyUJPpzVxh/ISrfrWt7Yqx9kZ7fIEUHq
l1EESiuB1glkDfjSQ7x0mSv30rRTzEUerP+qpyK9zrp2C8JCSrJyd/KKaEEdZefw
JKLC55qbhC9h/JKOsswowMhzd+brb81Ew6gcvKphoJa55WH3sxtFHaFg2t6cgq1Y
INHzhIiKnNq01htGDlRtJH2Ox2+KhscEPeBXlVX4bSVigVy5nJ1RDHZpE6J1jL6Y
sy/novadV8MyOTUZOSqUeqEf2DJQdZ2aw0WrMPhJeDRhV32VUnbVo8RXoSp9VzsM
9GxgVB48+E3J2PXvBkOF
=Ajrp
-----END PGP SIGNATURE-----