From nobody Tue May 23 20:26:15 2023
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QQm6w5JQMz4T1Hb
	for <bugs@mlmmj.nyi.freebsd.org>; Tue, 23 May 2023 20:26:16 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4QQm6w0Txwz3tMj
	for <bugs@FreeBSD.org>; Tue, 23 May 2023 20:26:16 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1684873576;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=LBZ6ZJNat6JgEtyQJ3qnn0bxmlBOWt+un6j3+iAxMLc=;
	b=Y3ws+3/A4pLaUwzO4qHvXOENkSGAJhIcm8QA/h+WLreUZiqCJvm9w5Utq8t4CByOhAGEQg
	CffDNTwmyx2d9XZRw1SXRO9PcuvBK6x8/F3+C82NYrba2Q1uTVhiP1UPu0WmliKPn5IiRF
	SxzGUZRi+NDSx88xjcfC+xYLmw7ex4q3ltl6JYWUfI9Gzw+68ltg/TRJENRUezBx38C29w
	xUOUtyELgA4syk7CO3buszoOxrDLqeyhVFs4A8GTqcOKK2AnVAVQTmVaeznAzbco0u470j
	RgXiPDD42vKpK55jl7HtPA/vkvVnQsJFLCy1rcsdg62WVCclxMaKHkP47seAeQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1684873576; a=rsa-sha256; cv=none;
	b=TL0GowVr8iRpNi0IMNQjDpvhQFQTaI5LISU5vzWtbHYUU18ia0auXhfaOJzGvnX68LWluB
	+OuSrh0O7dmBSIfUPBPw+JwCcJj1jhLBu94zecjYGoMaBD5NLRNler4QXQU3OrIkzyidla
	TiPz1dsELGr2cORfGk3337jqdsvVy3FbqvPHzyNMLpUMlJNt7nYLOpoOU/+aBT5xmmt2Ly
	BMOyL6laHYuvQZfFsW0a3Wn1Ig0dP3vpKo0cfUcBxZNrzqPd4oU5Ak7DdMLhfe/R7NphMw
	Mn7pMZKn6JyinebNB8GjaNZPDeqa2/Vv0NfBLt4OyZxyLli1VbyKOoyaaBMInQ==
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QQm6v1zgTzF0m
	for <bugs@FreeBSD.org>; Tue, 23 May 2023 20:26:15 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 34NKQFO8019595
	for <bugs@FreeBSD.org>; Tue, 23 May 2023 20:26:15 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 34NKQFg5019594
	for bugs@FreeBSD.org; Tue, 23 May 2023 20:26:15 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 207629] Integer overflow in sysctl_kern_proc_args
Date: Tue, 23 May 2023 20:26:15 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: markj@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: resolution cc bug_status
Message-ID: <bug-207629-227-IbTYmjZVtR@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207629-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-207629-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@freebsd.org
MIME-Version: 1.0
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D207629

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |markj@FreeBSD.org
             Status|New                         |Closed

--- Comment #2 from Mark Johnston <markj@FreeBSD.org> ---
Sorry that this didn't get attention when it was submitted.  I think this h=
as
since been fixed by commit 712dda7fb0b83, though it's possible that somethi=
ng
else mitigated it before that.

> There is another possibility though; if `req->newlen` is `-12`, the alloc=
ation will be 0, and the 2 writes in `pargs_alloc` will be out of bounds.

An allocation length of zero will return a chunk of 16 bytes, so I don't th=
ink
this could have resulted in an out-of-bounds write.

--=20
You are receiving this mail because:
You are the assignee for the bug.=