From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 266124] SIOCSTAT1 on /dev/ipstate causes a kernel stack buffer overflow
Date: Wed, 31 Aug 2022 08:43:47 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266124

            Bug ID: 266124
           Summary: SIOCSTAT1 on /dev/ipstate causes a kernel stack buffer
                    overflow
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

netpfil/ipfilter/netinet/ip_fil.h says:

        #define SIOCSTAT1       _IOWR('r', 78, struct ipfobj)

sizeof(struct ipfobj) is 56, and sys_ioctl() allocates space for the input
and return data on its stack (in smalldata[128]).

netpfil/ipfilter/netinet/ip_state.c says:

        /*
         * Return a copy of the hash table bucket lengths
         */
        case SIOCSTAT1 :
                error = BCOPYOUT(softs->ipf_state_stats.iss_bucketlen, data,
                                 softs->ipf_state_size * sizeof(u_int));

But the amount copied here is much larger than 56 (it's 22948 bytes when I
try it).

A demo:

        #include <fcntl.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <sys/ioctl.h>
        #include <unistd.h>

        int
        main(void)
        {
                int fd = open("/dev/ipstate", O_RDWR);
                if (fd < 0) {
                        perror("/dev/ipstate");
                        exit(1);
                }
                char buf[128];
                memset(buf, 0, sizeof(buf));
                ioctl(fd, 0xc038724e, buf);     /* SIOCSTAT1 */
                return 0;
        }

# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #40 main-n250928-b8170f38ccc7-dirty: Mon Aug 29 13:09:55 EDT 2022     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc x.c
# ./a.out
panic: vm_fault_lookup: fault on nofault entry, addr: 0xffffffc0035f5000
panic() at panic+0x2a
vm_fault_lookup() at vm_fault_lookup+0x1bc
vm_fault() at vm_fault+0x9c
vm_fault_trap() at vm_fault_trap+0x66
page_fault_handler() at page_fault_handler+0x17a
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 15, tval = 0xffffffc0035f5000
memcpy() at memcpy+0xf8
ipf_state_ioctl() at ipf_state_ioctl+0x1be
ipf_ioctlswitch() at ipf_ioctlswitch+0xb2
ipfioctl() at ipfioctl+0x224
devfs_ioctl() at devfs_ioctl+0xbe
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x30
VOP_IOCTL() at VOP_IOCTL+0x36
vn_ioctl() at vn_ioctl+0xba
devfs_ioctl_f() at devfs_ioctl_f+0x20
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
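The size mismatch the report describes, as an added example that is not part of the bug report or of the FreeBSD source. It reproduces the ioctl number encoding from FreeBSD's sys/ioccom.h so that it builds on any host, decodes 0xc038724e to show that the kernel only provisioned a 56-byte argument, and puts a hypothetical bounds-checked copy-out (not the project's fix) next to a model of what the unchecked copy does to a frame whose stack buffer is 128 bytes. The 5737-bucket table is constructed from the report's 22948 bytes divided by sizeof(u_int); the fake frame and its canary are a model, not kernel layout.

```c
/* Added example, not code from the bug report or from FreeBSD. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ioctl number encoding, reproduced from FreeBSD's sys/ioccom.h. */
#define IOCPARM_SHIFT   13
#define IOCPARM_MASK    ((1UL << IOCPARM_SHIFT) - 1)
#define IOCPARM_LEN(x)  (((x) >> 16) & IOCPARM_MASK)
#define IOCGROUP(x)     (((x) >> 8) & 0xff)
#define IOC_VOID        0x20000000UL
#define IOC_OUT         0x40000000UL
#define IOC_IN          0x80000000UL
#define IOC_INOUT       (IOC_IN | IOC_OUT)
#define IOC_DIRMASK     0xe0000000UL
#define _IOC(inout, group, num, len) \
        ((unsigned long)((inout) | (((len) & IOCPARM_MASK) << 16) | \
                         ((group) << 8) | (num)))

/* Values taken from the report: sizeof(struct ipfobj), the size of
 * sys_ioctl()'s on-stack buffer, and the SIOCSTAT1 definition. */
#define SIZEOF_IPFOBJ   56
#define SMALLDATA_LEN   128
#define SIOCSTAT1       _IOC(IOC_INOUT, 'r', 78, SIZEOF_IPFOBJ)

/* Constructed sample bucket-length table (22948 bytes == 5737 * 4). */
#define MAX_BUCKETS     8192
static unsigned int bucketlen[MAX_BUCKETS];

/* Bytes the unchecked handler writes for a table of nbuckets entries. */
static size_t stat1_copy_len(size_t nbuckets)
{
        return (nbuckets * sizeof(unsigned int));
}

/* Hypothetical hardened copy-out (not the project's fix): refuse unless the
 * data fits the argument length encoded in the ioctl number, which is all
 * that sys_ioctl() guaranteed to provide. 0 on success, -1 if too large. */
static int stat1_copyout_checked(unsigned long cmd, void *data,
    const unsigned int *src, size_t nbuckets)
{
        size_t n = stat1_copy_len(nbuckets);

        if (n > IOCPARM_LEN(cmd))
                return (-1);
        memcpy(data, src, n);
        return (0);
}

/* Runs the checked copy into a buffer standing in for smalldata[128]. */
static int run_checked(size_t nbuckets)
{
        unsigned char smalldata[SMALLDATA_LEN];

        if (nbuckets > MAX_BUCKETS)
                return (-2);
        for (size_t i = 0; i < nbuckets; i++)
                bucketlen[i] = 0x41414141u;
        return (stat1_copyout_checked(SIOCSTAT1, smalldata, bucketlen, nbuckets));
}

/* Model of the unchecked copy: a fake frame with a canary right after the
 * buffer, standing in for whatever follows smalldata on the real stack.
 * The copy is capped at the frame size so this program stays well-defined;
 * the kernel has no such cap. Returns 1 if the overrun reached the canary. */
struct fake_frame {
        unsigned char   smalldata[SMALLDATA_LEN];
        unsigned int    canary;
};

static int run_unchecked_model(size_t nbuckets)
{
        struct fake_frame f;
        size_t n = stat1_copy_len(nbuckets);

        if (nbuckets > MAX_BUCKETS)
                return (-2);
        for (size_t i = 0; i < nbuckets; i++)
                bucketlen[i] = 0x41414141u;
        memset(&f, 0, sizeof(f));
        f.canary = 0xdeadbeefu;
        memcpy(&f, bucketlen, n > sizeof(f) ? sizeof(f) : n);
        return (f.canary != 0xdeadbeefu);
}

int main(void)
{
        printf("SIOCSTAT1 = 0x%lx: group '%c' num %lu, arg len %lu, dir %s\n",
            SIOCSTAT1, (int)IOCGROUP(SIOCSTAT1), SIOCSTAT1 & 0xff,
            IOCPARM_LEN(SIOCSTAT1),
            (SIOCSTAT1 & IOC_DIRMASK) == IOC_INOUT ? "inout" : "other");
        printf("5737 buckets: %zu bytes, checked copy %d, canary clobbered %d\n",
            stat1_copy_len(5737), run_checked(5737), run_unchecked_model(5737));
        printf("14 buckets: %zu bytes, checked copy %d, canary clobbered %d\n",
            stat1_copy_len(14), run_checked(14), run_unchecked_model(14));
        return (0);
}
```

The decoded number is the whole story: IOC_INOUT with a 56-byte argument means sys_ioctl() copies 56 bytes in, hands the handler a pointer into its 128-byte stack buffer, and copies 56 bytes back out; a handler that writes 22948 bytes through that pointer runs off the buffer, which is the memcpy() frame in the panic trace. The checked variant makes the handler respect the length the ioctl number promised; a fix could equally change the ioctl definition, but either way the copy length must be tied to what the caller provisioned.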