Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.12.9) with ESMTP id lBCIdcHW011259; Wed, 12 Dec 2007 13:39:38 -0500 (EST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id lBCIdXB0007277; Wed, 12 Dec 2007 13:39:33 -0500 Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id lBCIdX1J007274 for ; Wed, 12 Dec 2007 13:39:33 -0500 Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id lBCIdW2F002190 for ; Wed, 12 Dec 2007 13:39:32 -0500 (EST) Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id lBCIdVTD008329 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Wed, 12 Dec 2007 13:39:32 -0500 (EST) Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id lBCIdVso019577; Wed, 12 Dec 2007 13:39:31 -0500 (EST) To: krb5-bugs@MIT.EDU Subject: freeing non-heap in gss_indicate_mechs() [CVE-2007-5901] From: Tom Yu Date: Wed, 12 Dec 2007 13:39:31 -0500 Message-ID: Lines: 41 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Scanned-BY: MIMEDefang 2.42 X-Spam-Flag: NO X-Spam-Score: 0.00 X-Beenthere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1.6 Precedence: list Sender: krb5-bugs-incoming-bounces@PCH.MIT.EDU Errors-To: krb5-bugs-incoming-bounces@PCH.MIT.EDU X-RT-Original-Encoding: us-ascii Content-Length: 2109 This is one of the Venustech AD-LAB alleged vulnerabilities. CVE-2007-5901 http://bugs.gentoo.org/show_bug.cgi?id=199214 This bug is consists of freeing a non-heap pointer, and is not a practical vulnerability due to the extreme difficulty of exploitation. In src/lib/gssapi/mechglue/g_initialize.c, the function gss_indicate_mechs() can make the call free(mechSet), which is erroneous because "mechSet" is a pointer to type "gss_OID_set" passed in by the caller of gss_indicate_mechs() and the dereferenced "*mechSet" is where the pointer to allocated memory is assigned. 201 /* still need to copy each of the oid elements arrays */ 202 for (i = 0; i < (*mechSet)->count; i++) { 203 curItem = &((*mechSet)->elements[i]); 204 curItem->elements = 205 (void *) malloc(g_mechSet.elements[i].length); 206 if (curItem->elements == NULL) { 207 (void) k5_mutex_unlock(&g_mechSetLock); 208 /* 209 * must still free the allocated elements for 210 * each allocated gss_OID_desc 211 */ 212 for (j = 0; j < i; j++) { 213 free((*mechSet)->elements[j].elements); 214 } 215 free((*mechSet)->elements); 216 free(mechSet); 217 *mechSet = NULL; 218 return (GSS_S_FAILURE); 219 } 220 g_OID_copy(curItem, &g_mechSet.elements[i]); 221 } If the allocation of (*mechSet)->elements fails, the erroneous call of free(mechSet) occurs, freeing a pointer which probably points into the stack frame of the caller. In order to successfully exploit this vulnerability, an attacker would have to cause a malloc() failure to occur at precisely the right time: almost immediately after a different malloc() call has succeeded.