[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 266142] SNDSTIOC_ADD_USER_DEVS ioctl on /dev/sndstat passes unchecked size from user to malloc() -> potential crash"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 20 May 2024 14:19:22 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266142

--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=074d337ad618f9cc2a1d5ab18b484928e57bd72b

commit 074d337ad618f9cc2a1d5ab18b484928e57bd72b
Author:     Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2024-05-20 14:18:28 +0000
Commit:     Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2024-05-20 14:18:28 +0000

    sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

    SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
    however we currently do not check whether this size is actually valid,
    which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
    invalid size. sndstat_add_user_devs() calls
    sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.

    PR:             266142
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 day
    Reviewed by:    brooks
    Differential Revision:  https://reviews.freebsd.org/D45236

 sys/dev/sound/pcm/sndstat.c | 5 +++++
 sys/sys/sndstat.h           | 5 +++++
 2 files changed, 10 insertions(+)

-- 
You are receiving this mail because:
You are the assignee for the bug.