tech-security archive
Re: [oss-security] CVE Request: Denial-of-Service / Unexploitable Memory Corruption in mmap() on OpenBSD
On Wed, 3 Aug 2016 11:10:53 +0200
Thomas Klausner <wiz%NetBSD.org@localhost> wrote:
> OpenBSD had a problem in their VM implementation.
> Has anyone looked if there is a similar issue in NetBSD?
I didn't dare run the tests yet as I'd prefer not to have to reboot
immediately, but I did some checks on NetBSD-7 (what I had here, and it is
the stable release anyway; results to be compared with -current)...
We have a range_test() function which seems to do proper overflow
checking. This function is used from the various syscalls. There are
a few functions not using it, but they do not seem to be syscalls;
notably: uvm_mmap(), uvm_default_mapaddr(), uvm_mmap_dev(),
uvm_mmap_anon().
However, in the mmap syscall (sys_mmap()), this function is only called
if (flags & MAP_FIXED), it seems. In this case,
p->p_emul->e_vm_default_addr() and (*fp->f_ops->fo_mmap)() are called
with the size parameter directly without explicit overflow checking
that I can detect, then finally uvm_mmap() (which also doesn't do an
explicit overflow check).
Have you had the opportunity to run the test code yet?
If we do touch the code, it might also be a good idea to fix
inconsistencies such as "sz" and "len" variables sometimes used instead
of "size", making such audits more hairy to do than necessary.
Thanks,
--
Matt
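As an added illustration of the wrap-around the audit above is looking for (this is not NetBSD's range_test() and not code from the thread): a naive addr + size bound check beside an overflow-aware one, plus a model of validating the size regardless of MAP_FIXED. The address bounds, the MAP_FIXED_FLAG value and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t vaddr_t;
typedef uint64_t vsize_t;

/* Constructed sample map bounds (inclusive); not real kernel constants. */
#define VM_MIN_ADDRESS ((vaddr_t)0x0000000000001000ULL)
#define VM_MAX_ADDRESS ((vaddr_t)0x00007fffffffffffULL)
#define MAP_FIXED_FLAG 0x10   /* constructed stand-in for MAP_FIXED */

/* Naive check: addr + size can wrap around to a small value, so a huge
 * size passes even though the range ends outside the map. */
bool range_check_naive(vaddr_t addr, vsize_t size)
{
    vaddr_t end = addr + size;
    return addr >= VM_MIN_ADDRESS && end <= VM_MAX_ADDRESS;
}

/* Overflow-aware check: reject empty ranges, prove that addr + size - 1
 * cannot wrap before computing it, then compare the inclusive last byte. */
bool range_check_safe(vaddr_t addr, vsize_t size)
{
    if (size == 0)
        return false;
    if (addr < VM_MIN_ADDRESS)
        return false;
    /* addr + (size - 1) wraps iff size - 1 > UINT64_MAX - addr */
    if (size - 1 > UINT64_MAX - addr)
        return false;
    vaddr_t last = addr + size - 1;
    return last <= VM_MAX_ADDRESS;
}

/* Model of the audit point in the thread: validate the size on every
 * path, and the caller-supplied address only when MAP_FIXED is set. */
bool mmap_args_ok(vaddr_t addr, vsize_t size, int flags)
{
    if (size == 0)
        return false;
    if (flags & MAP_FIXED_FLAG)
        return range_check_safe(addr, size);
    /* Without MAP_FIXED the kernel picks the address, but the size must
     * still fit inside the map at all. */
    return size <= VM_MAX_ADDRESS - VM_MIN_ADDRESS + 1;
}
```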