[Bug 267413] potential buffer overrun in netgraph's ng_encode_string()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 29 Oct 2022 09:45:16 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267413

            Bug ID: 267413
           Summary: potential buffer overrun in netgraph's
                    ng_encode_string()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #237703 mime type: text/plain

Created attachment 237703
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237703&action=edit
demo program that overflows a buffer in ng_encode_string()

ng_encode_string() allocates space based on strlen(raw), but the
correct length of the input is the slen argument. strlen(raw) can be
smaller than slen, which would cause ng_encode_string() to write off
the end of the malloc()'d buffer.

That is, in this code, I think strlen(raw) should be slen:

        cbuf = malloc(strlen(raw) * 4 + 3, M_NETGRAPH_PARSE, M_NOWAIT);
        for (i = 0; i < slen; i++, raw++) {

Also, ng_sizedstring_unparse() appears to read slen out of the
user-supplied data, without a sanity check, allowing ng_encode_string()
to potentially read off the end of the input.
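The two problems above can be checked in a user-space model. The following is an added example, not the reporter's attached ng5a.c and not the FreeBSD netgraph code: it assumes a simplified escaping scheme (backslash-escape quotes and backslashes, \xNN for non-printables, worst case 4 output bytes per input byte) and a length-prefixed sizedstring layout of a host-order 16-bit length followed by the bytes. strlen_alloc_shortfall() measures how far a strlen(raw)-sized allocation falls short once the input contains an embedded NUL, encode_string_fixed() sizes the buffer from slen instead, and sizedstring_check() is the missing bound on slen against the bytes actually present.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode one input byte into dst (when non-NULL) and return the number of
 * output bytes it needs. Escaping scheme is an assumption of this model:
 * '"' and '\\' get a backslash, printables pass through, the rest become
 * \xNN (4 bytes, the worst case). */
static size_t encode_byte(unsigned char c, char *dst)
{
    if (c == '"' || c == '\\') {
        if (dst) { dst[0] = '\\'; dst[1] = (char)c; }
        return 2;
    }
    if (isprint(c)) {
        if (dst) dst[0] = (char)c;
        return 1;
    }
    if (dst) snprintf(dst, 5, "\\x%02x", c); /* 4 chars plus NUL, NUL is overwritten later */
    return 4;
}

/* Exact size of the encoded form of raw[0..slen): quotes plus NUL included. */
size_t encoded_size(const char *raw, size_t slen)
{
    size_t n = 2 + 1;
    for (size_t i = 0; i < slen; i++)
        n += encode_byte((unsigned char)raw[i], NULL);
    return n;
}

/* How many bytes the report's allocation, strlen(raw) * 4 + 3, falls short
 * of what encoding slen bytes needs. 0 means it fits; anything else is an
 * out-of-bounds write in the original loop. */
size_t strlen_alloc_shortfall(const char *raw, size_t slen)
{
    size_t alloc = strlen(raw) * 4 + 3;
    size_t need = encoded_size(raw, slen);
    return need > alloc ? need - alloc : 0;
}

/* Hardened encoder: the buffer is sized from slen, the real input length,
 * and the size arithmetic is checked against wrap-around. Caller frees. */
char *encode_string_fixed(const char *raw, size_t slen)
{
    if (slen > (SIZE_MAX - 3) / 4)
        return NULL;
    char *cbuf = malloc(slen * 4 + 3);
    if (cbuf == NULL)
        return NULL;
    size_t off = 0;
    cbuf[off++] = '"';
    for (size_t i = 0; i < slen; i++)
        off += encode_byte((unsigned char)raw[i], cbuf + off);
    cbuf[off++] = '"';
    cbuf[off] = '\0';
    return cbuf;
}

/* Bound a sizedstring's self-declared length against the bytes actually
 * present. Assumed layout: host-order uint16_t length, then the data.
 * Returns 1 and stores slen when the record is fully contained in data. */
int sizedstring_check(const unsigned char *data, size_t datalen, size_t *slen_out)
{
    uint16_t len;
    if (datalen < sizeof len)
        return 0;
    memcpy(&len, data, sizeof len);
    if ((size_t)len > datalen - sizeof len)
        return 0;
    *slen_out = len;
    return 1;
}

/* Build a record whose header claims claimed_len bytes but which carries
 * payload_len bytes, and report whether sizedstring_check() accepts it. */
int record_is_valid(uint16_t claimed_len, size_t payload_len)
{
    unsigned char buf[2 + 64];
    size_t slen = 0;
    if (payload_len > sizeof buf - 2)
        return 0;
    memcpy(buf, &claimed_len, sizeof claimed_len);
    memset(buf + 2, 'x', payload_len);
    return sizedstring_check(buf, 2 + payload_len, &slen);
}

int main(void)
{
    const char raw[] = "a\0bbb";   /* constructed: embedded NUL, slen = 5 */
    printf("shortfall: %zu bytes\n", strlen_alloc_shortfall(raw, 5));
    char *enc = encode_string_fixed(raw, 5);
    printf("fixed encoder: %s\n", enc ? enc : "(alloc failed)");
    free(enc);
    printf("claims 9, has 1: %s\n", record_is_valid(9, 1) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed input "a\0bbb" and slen 5, strlen(raw) is 1, so the original arithmetic allocates 7 bytes while the encoded form needs 11; the fixed encoder allocates 23 and produces "a\x00bbb" in quotes. The sizedstring check turns the second issue into a rejected message instead of an over-read.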

I've attached a demo:

# cc ng5a.c -lnetgraph
# ./a.out
panic: Duplicate free of 0xffffffd0020f6200 from zone
0xffffffc00340ca00(malloc-256) slab 0xffffffd0020f6fd8(2)
panic() at panic+0x2a
uma_dbg_free() at uma_dbg_free+0xbe
item_dtor() at item_dtor+0x46
uma_zfree_arg() at uma_zfree_arg+0x66
free() at free+0x7e
ng_sizedstring_unparse() at ng_sizedstring_unparse+0x5c
ng_unparse_composite() at ng_unparse_composite+0x24c
ng_struct_unparse() at ng_struct_unparse+0xe
ng_unparse() at ng_unparse+0x30
ng_generic_msg() at ng_generic_msg+0x938
ng_apply_item() at ng_apply_item+0xf6
ng_snd_item() at ng_snd_item+0x1bc
ngc_send() at ngc_send+0x260
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)

-- 
You are receiving this mail because:
You are the assignee for the bug.