git: 14ba78b3f877 - releng/12.2 - Fix remote code execution in ggatec(8).

Gordon Tetlow gordon at FreeBSD.org
Tue Aug 24 18:29:36 UTC 2021


The branch releng/12.2 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=14ba78b3f877a3e48cbec029444fbb34c30f5a15

commit 14ba78b3f877a3e48cbec029444fbb34c30f5a15
Author:     Gordon Tetlow <gordon at FreeBSD.org>
AuthorDate: 2021-08-24 17:40:19 +0000
Commit:     Gordon Tetlow <gordon at FreeBSD.org>
CommitDate: 2021-08-24 17:40:19 +0000

    Fix remote code execution in ggatec(8).
    
    Approved by:    so
    Security:       SA-21:14.ggatec
    Security:       CVE-2021-29630
---
 sbin/ggate/ggatec/ggatec.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/sbin/ggate/ggatec/ggatec.c b/sbin/ggate/ggatec/ggatec.c
index a2aa49e2b362..deff5e3a756a 100644
--- a/sbin/ggate/ggatec/ggatec.c
+++ b/sbin/ggate/ggatec/ggatec.c
@@ -144,7 +144,21 @@ send_thread(void *arg __unused)
 		case BIO_WRITE:
 			hdr.gh_cmd = GGATE_CMD_WRITE;
 			break;
+		default:
+			g_gate_log(LOG_NOTICE, "Unknown gctl_cmd: %i", ggio.gctl_cmd);
+			ggio.gctl_error = EOPNOTSUPP;
+			g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
+			continue;
+		}
+
+		/* Don't send requests for more data than we can handle the response for! */
+		if (ggio.gctl_length > MAXPHYS) {
+			g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length);
+			ggio.gctl_error = EOPNOTSUPP;
+			g_gate_ioctl(G_GATE_CMD_DONE, &ggio);
+			continue;
 		}
+
 		hdr.gh_seq = ggio.gctl_seq;
 		hdr.gh_offset = ggio.gctl_offset;
 		hdr.gh_length = ggio.gctl_length;
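Review bot: The new `g_gate_log(LOG_ERR, "Request too big: %zd", ggio.gctl_length);` passes `gctl_length` to a `%zd` conversion, which expects `ssize_t`; the `(off_t) sizeof(buf)` cast in recv_thread suggests `gctl_length` is an `off_t`, and on 32-bit targets `off_t` is wider than `ssize_t`, making the call undefined per C11 7.21.6.1. The portable form is `g_gate_log(LOG_ERR, "Request too big: %jd", (intmax_t)ggio.gctl_length);`, and the same applies to the "Received too big response" log in the recv_thread hunk. Separately, the send side bounds requests by `MAXPHYS` while the receive side bounds responses by `sizeof(buf)`; if `buf` is not sized exactly `MAXPHYS`, the two checks disagree, so a shared constant (or `sizeof(buf)` on both sides, if `buf` is visible here) would keep them in step. send_thread's body begins and ends outside this hunk.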
@@ -217,6 +231,12 @@ recv_thread(void *arg __unused)
 		ggio.gctl_length = hdr.gh_length;
 		ggio.gctl_error = hdr.gh_error;
 
+		/* Do not overflow our buffer if there is a bogus response. */
+		if (ggio.gctl_length > (off_t) sizeof(buf)) {
+			g_gate_log(LOG_ERR, "Received too big response: %zd", ggio.gctl_length);
+			break;
+		}
+
 		if (ggio.gctl_error == 0 && ggio.gctl_cmd == GGATE_CMD_READ) {
 			data = g_gate_recv(recvfd, ggio.gctl_data,
 			    ggio.gctl_length, MSG_WAITALL);
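Review bot: The new bound `if (ggio.gctl_length > (off_t) sizeof(buf))` only rejects values above the buffer size, but `off_t` is signed, so a negative `gctl_length` passes and is then handed to `g_gate_recv(recvfd, ggio.gctl_data, ggio.gctl_length, MSG_WAITALL)`, where a size parameter would presumably convert it to a very large unsigned count. Whether `hdr.gh_length` (wire data) can actually yield a negative `gctl_length` depends on its declared type, which is outside the hunk; a two-sided check costs nothing and does not depend on that type: `if (ggio.gctl_length < 0 || ggio.gctl_length > (off_t) sizeof(buf)) {`. recv_thread's loop body continues outside the hunk, so the effect of the `break` on the peer connection cannot be judged from here.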

