[Bug 284991] buffer overflow in md_sii.c sii_meta_write()
Date: Sun, 23 Feb 2025 14:52:45 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284991
Bug ID: 284991
Summary: buffer overflow in md_sii.c sii_meta_write()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #257768 mime type: text/plain
Created attachment 257768
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=257768&action=edit
iscsi target that claims sector size is 3 bytes
During taste, it's possible for sii_meta_write() to execute:
buf = malloc(pp->sectorsize, M_MD_SII, M_WAITOK | M_ZERO);
memcpy(buf, meta, sizeof(*meta));
If a misbehaving device claims a sectorsize smaller than 512, the
memcpy will overflow the allocated buffer, since sizeof(*meta) is 512.
I've attached a demo in the form of a fake iscsi target that claims a
sector size of 3 at the decisive moment. On a kernel without INVARIANTS:
# uname -a
FreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #490
main-n250999-c0872cef91fc-dirty: Sun Feb 23 08:34:01 EST 2025
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc iscsi38d.c
# ./a.out
...
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xffffffd00cb81703 (3 bytes allocated).
Allocation backtrace:
#0 0xffffffc00078d614 at redzone_setup+0xa0
#1 0xffffffc0004136ae at malloc+0xba
#2 0xffffffc0003bf9e8 at sii_meta_write+0x5a
#3 0xffffffc0003be76e at g_raid_md_write_sii+0x2a4
#4 0xffffffc0003bf5a6 at g_raid_md_sii_start+0x3a8
#5 0xffffffc0003bd738 at g_raid_md_taste_sii+0x812
#6 0xffffffc00039e15e at $x+0x192
#7 0xffffffc000391488 at g_new_provider_event+0xa2
#8 0xffffffc00038c658 at g_run_events+0x120
#9 0xffffffc00038ebc0 at g_event_procbody+0x58
#10 0xffffffc0003f88dc at fork_exit+0x68
#11 0xffffffc0007efd7a at fork_trampoline+0xa
Free backtrace:
#0 0xffffffc00078d9de at redzone_check+0x344
#1 0xffffffc0004146fc at free_dbg+0x5c
#2 0xffffffc0004134c6 at free+0x1c
#3 0xffffffc0003bfac0 at sii_meta_write+0x132
#4 0xffffffc0003be76e at g_raid_md_write_sii+0x2a4
#5 0xffffffc0003bf5a6 at g_raid_md_sii_start+0x3a8
#6 0xffffffc0003bd738 at g_raid_md_taste_sii+0x812
#7 0xffffffc00039e15e at $x+0x192
#8 0xffffffc000391488 at g_new_provider_event+0xa2
#9 0xffffffc00038c658 at g_run_events+0x120
#10 0xffffffc00038ebc0 at g_event_procbody+0x58
#11 0xffffffc0003f88dc at fork_exit+0x68
#12 0xffffffc0007efd7a at fork_trampoline+0xa
panic: Stopping here.
On a kernel with INVARIANTS, it panics in g_io_request():
KASSERT(bp->bio_offset % cp->provider->sectorsize == 0,
("wrong offset %jd for sectorsize %u",
bp->bio_offset, cp->provider->sectorsize));
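A user-space model of the two paths, added here as an example and not the reporter's attachment or FreeBSD's own code: the unchecked memcpy is instrumented with a trailing guard region in the style of the kernel REDZONE report above, beside a variant that validates the provider's sectorsize against sizeof(*meta) before allocating. The struct sii_meta_model type, the 512-byte guard width and the 0xa5 sample contents are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for the SiI metadata block; the report gives sizeof(*meta) as 512. */
struct sii_meta_model { uint8_t raw[512]; };

/* Guard region after the "allocation", modelled on the kernel's REDZONE option;
 * 512 bytes is a modelling choice so the whole copy lands in memory we own. */
#define REDZONE_BYTES 512
#define REDZONE_FILL  0x42

/* Constructed sample metadata, 0xa5-filled so it differs from the guard fill. */
const struct sii_meta_model *sii_meta_sample(void)
{
    static struct sii_meta_model m;
    memset(m.raw, 0xa5, sizeof(m.raw));
    return &m;
}

/* Vulnerable shape from the report: buffer sized by sectorsize, copy sized by
 * sizeof(*meta). Returns how many guard bytes were clobbered (0 = in bounds). */
size_t sii_meta_write_unchecked(unsigned sectorsize, const struct sii_meta_model *meta)
{
    uint8_t *backing = malloc((size_t)sectorsize + REDZONE_BYTES);
    if (backing == NULL)
        return 0;
    memset(backing + sectorsize, REDZONE_FILL, REDZONE_BYTES);
    uint8_t *buf = backing;              /* what the driver believes it allocated */
    memcpy(buf, meta, sizeof(*meta));    /* overruns buf when sectorsize < 512 */
    size_t corrupted = 0;
    for (size_t i = 0; i < REDZONE_BYTES; i++)
        if (backing[sectorsize + i] != REDZONE_FILL)
            corrupted++;
    free(backing);
    return corrupted;
}

/* Hardened variant: validate the provider's sectorsize against sizeof(*meta)
 * before any allocation. Returns 0 if the write was performed, -1 if refused. */
int sii_meta_write_checked(unsigned sectorsize, const struct sii_meta_model *meta)
{
    if (sectorsize < sizeof(*meta))
        return -1;                       /* untrusted geometry: do not write */
    return sii_meta_write_unchecked(sectorsize, meta) == 0 ? 0 : -1;
}
int main(void) {
    printf("sectorsize 3: %zu guard bytes clobbered, checked write %s\n",
           sii_meta_write_unchecked(3, sii_meta_sample()),
           sii_meta_write_checked(3, sii_meta_sample()) ? "refused" : "performed");
}
```

With a claimed sectorsize of 3 the model reports 509 clobbered guard bytes (512 copied minus the 3 that fit), while the checked variant refuses before allocating.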