[Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Feb 24 17:13:42 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463

            Bug ID: 207463
           Summary: [patch]
                    stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETAD
                    DRS) buffer overflow
           Product: Base System
           Version: 10.3-BETA2
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: paul at inetstat.net
                CC: freebsd-stable at FreeBSD.org
          Keywords: patch

Created attachment 167367
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167367&action=edit
stable/10/sys/netpfil/pf/pf_ioctl.c patch

While investigating bug #192677 (pfctl iotcl buffer to small for bigger spamd
blacklists) on releng/10.2, I believe I have spotted a kernel buffer overflow
in stable/10/sys/netpfil/pf/pf_ioctl.c / stable/10/sys/netpfil/pf/pf_table.c,
introduced by base r286862 / base r286961.

stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):

        totlen = io->pfrio_size * sizeof(struct pfr_addr);
        pfras = malloc(totlen, M_TEMP, M_WAITOK);

stable/10/sys/netpfil/pf/pf_table.c:pfr_set_addrs():

        bcopy(&ad, addr + size + i, sizeof(ad));

Inside pfr_set_addrs(), pfioctl()'s "pfras" becomes "addr", "io->pfrio_size"
becomes "size", and "io->pfrio_size2" becomes "size2".  pfr_set_addrs() uses
size2 to protect the buffer just above that bcopy.  Looking carefully at
stable/10/sys/sbin/pfctl/pfctl_table.c:pfctl_table("replace") and
stable/10/sys/sbin/pfctl/pfctl_radix.c:pfr_buf_grow(), io->pfrio_buffer passed
into the ioctl is size2.

This is theoretical, based on simulating the code mentally.  I'm fairly certain
that my analysis is correct, but I've not verified it via compiled stable/10
code.  The bcopy seems to fairly obviously run off the end of the buffer when
it is only "size".  The fix should be quite simple, by just changing the buffer
to be "size2" in stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):

        totlen = io->pfrio_size2 * sizeof(struct pfr_addr);

Untested patch attached.  I believe this applies to both stable/10 and head.  I
have tagged it as 10.3-BETA, as that seems to be the places where the more
urgent attention is needed, as it would be quite unfortunate for 10.3 to be
released with this bug (if my analysis is correct).

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list