From nobody Sat Oct 29 09:45:16 2022 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MzvfP0xQRz4gbft for ; Sat, 29 Oct 2022 09:45:17 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4MzvfN65Nbz3GJ2 for ; Sat, 29 Oct 2022 09:45:16 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4MzvfN4rZdz1CPG for ; Sat, 29 Oct 2022 09:45:16 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 29T9jG7L042562 for ; Sat, 29 Oct 2022 09:45:16 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 29T9jGTV042561 for bugs@FreeBSD.org; Sat, 29 Oct 2022 09:45:16 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 267413] potential buffer overrun in netgraph's ng_encode_string() Date: Sat, 29 Oct 2022 09:45:16 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: rtm@lcs.mit.edu X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.mimetype attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1667036716; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QeDr3f4l6ywalGh3jmmkLbALph+NYLq3U5bptH9QSpI=; b=PVbi0bXXeLnNPY0eXff6cDv/QvWAJhwNz/PAtr5VHRsRW4F0UWI6jnwm63zvxTyi9u8rET 5pZ3/JVvKdtRDlUTRvil2/YJuaPL+0NaheFADh3nplU2D87MgpN1SyDSMvKqFbJ9RjpR8w pQWX11FSqVvr343fiz3mRgHvUBItH89FkytNdxQSaBm8R3HRAS7F4aMkKQRVloT9Kr+7AP tWxhzi6aMLITeZduGL/2C0s+OL3KDE4BRTw+d/IIp40AHzKMzsH1MgkVPS0YkqsbNu81mk qKCzfb8FgMOe8ZOIxAyClkq7JgOT0xQUScJL2YGCId2RVKv+YxynwrbWtZHjBw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1667036716; a=rsa-sha256; cv=none; b=KIi9Nk/V6nBe5FcEwPE3zozblb7I041DS20r0uOcDjDcoKKKGOSdZM0DCooGa8gmckQeGN +tS6v/1P1ca7m9wEfZTNRt6L7jOG4M6tPpDbqwMHwl4iW77p/UOYoGsiRIm1u71I5syXOf sNTdCkdYMcQ/+fQy13G1XYUZVTWWuu8sbCgF++GUaKGaLJt+ifjooOB/KhD9TOCGzsb4En F8ij1mmae0xEggqtxMUSkkZam5efuNgnAMq2pP32+72l8ucykL2td/9fMp5huuQoav29r4 ZycNOUMRZbW+3hTZWnxdlR1GksxkPB5hvGv18dufJJnTLxiy3Tq6sky25+F8mw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D267413 Bug ID: 267413 Summary: potential buffer overrun in netgraph's ng_encode_string() Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Attachment #237703 text/plain mime type: Created attachment 237703 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D237703&action= =3Dedit demo program that overflows a buffer in ng_encode_string() ng_encode_string() allocates space based on strlen(raw), but the correct length of the input is the slen argument. strlen(raw) can be smaller than slen, which would cause ng_encode_string() to write off the end of the malloc()'d buffer. That is, in this code, I think strlen(raw) should be slen: cbuf =3D malloc(strlen(raw) * 4 + 3, M_NETGRAPH_PARSE, M_NOWAIT); for (i =3D 0; i < slen; i++, raw++) { Also, ng_sizedstring_unparse() appears to read slen out of the user-supplied data, without a sanity check, allowing ng_encode_string() to potentially read off the end of the input. I've attached a demo: # cc ng5a.c -lnetgraph # ./a.out panic: Duplicate free of 0xffffffd0020f6200 from zone 0xffffffc00340ca00(malloc-256) slab 0xffffffd0020f6fd8(2)=20=20=20=20=20=20= =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20 panic() at panic+0x2a uma_dbg_free() at uma_dbg_free+0xbe item_dtor() at item_dtor+0x46 uma_zfree_arg() at uma_zfree_arg+0x66 free() at free+0x7e ng_sizedstring_unparse() at ng_sizedstring_unparse+0x5c ng_unparse_composite() at ng_unparse_composite+0x24c ng_struct_unparse() at ng_struct_unparse+0xe ng_unparse() at ng_unparse+0x30 ng_generic_msg() at ng_generic_msg+0x938 ng_apply_item() at ng_apply_item+0xf6 ng_snd_item() at ng_snd_item+0x1bc ngc_send() at ngc_send+0x260 sosend_generic() at sosend_generic+0x384 sosend() at sosend+0x68 kern_sendit() at kern_sendit+0x170 sendit() at sendit+0x9c sys_sendto() at sys_sendto+0x40 syscallenter() at syscallenter+0xec ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xf6 cpu_exception_handler_user() at cpu_exception_handler_user+0x72 --- syscall (133, FreeBSD ELF64, sys_sendto) --=20 You are receiving this mail because: You are the assignee for the bug.=