[Bug 206573] Improper userland pointer handling in aacraid

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jan 24 13:44:32 UTC 2016


            Bug ID: 206573
           Summary: Improper userland pointer handling in aacraid
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ecturt at gmail.com

The `aac_ioctl_send_raw_srb` function can be reached by supplying the
`FSACTL_LNX_SEND_RAW_SRB` command to `aac_ioctl`. This code path dereferences a
user-supplied pointer directly (excerpt, with unrelated lines elided):

static int
aac_ioctl_send_raw_srb(struct aac_softc *sc, caddr_t arg)
{
        struct aac_srb *user_srb = (struct aac_srb *)arg;
        /* ... */
        /* the SRB header itself is copied in from user space */
        if ((error = copyin((void *)user_srb, srbcmd, fibsize) != 0))
                goto out;
        /* ... */
        /* SgEntry comes from the user-controlled copy, so it is a user address */
        struct aac_sg_entry *sgp = srbcmd->sg_map.SgEntry;
        /* ... */
        /* direct dereference of that user address in kernel context */
        srb_sg_bytecount = sgp->SgByteCount;
        /* ... */
}


`srbcmd` has user controlled contents (after `copyin` from `user_srb`).

`sgp` is set to a user controlled address (`srbcmd->sg_map.SgEntry`).

`sgp` is then dereferenced numerous times (`sgp->SgByteCount`).

One impact of this improper handling is that `sgp` could be `NULL`, which would
result in a `NULL` dereference, and panic.
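The following is an added illustration of the hardened pattern the report implies, not code from the report or from the FreeBSD aacraid driver. It models the problem in user space: a simplified `srb_cmd` (hypothetical, not the real `aac_srb` layout) carries a user pointer to its SG list, a `sim_copyin` stands in for `copyin(9)` with a simulated mapped window, and `srb_total_bytes` copies in both the SRB and the SG entries with bounds checks instead of reading `sgp->SgByteCount` through the user pointer. A `NULL` or unmapped `SgEntry` is rejected with `EFAULT` rather than faulting in kernel mode, and the user-controlled entry count is capped before it is used as a copy length.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified versions of the driver's structures (not the real
 * aacraid definitions): an SG entry and an SRB that carries a user-space pointer
 * to its SG list. */
struct sg_entry {
    uint32_t SgAddress;
    uint32_t SgByteCount;
};
struct srb_cmd {
    uint32_t sg_count;        /* user-controlled: how many entries SgEntry points at */
    struct sg_entry *SgEntry; /* USER pointer: never dereference directly in kernel context */
};

#define MAX_SG_ENTRIES 16

/* Stand-in for the process's mapped memory; any address outside it is "unmapped". */
static _Alignas(16) unsigned char user_space[4096];

/* Simulated copyin(9): copies len bytes from a user address into a kernel buffer,
 * failing with EFAULT for NULL, overflowing, or unmapped ranges. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t len)
{
    uintptr_t start = (uintptr_t)uaddr, end;
    uintptr_t lo = (uintptr_t)user_space, hi = lo + sizeof(user_space);

    if (uaddr == NULL)
        return EFAULT;
    if (__builtin_add_overflow(start, len, &end))
        return EFAULT;
    if (start < lo || end > hi)
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Hardened handling: both the SRB and the SG list it points at are copied in with
 * validated bounds before any field is read. Returns 0 and the summed byte count
 * on success, or an errno value for invalid input. */
int srb_total_bytes(const struct srb_cmd *user_srb, uint32_t *total_out)
{
    struct srb_cmd srbcmd;
    struct sg_entry sg[MAX_SG_ENTRIES];
    uint32_t total = 0;
    int error;

    /* Step 1: copy in the SRB header; user_srb is only a user address. */
    if ((error = sim_copyin(user_srb, &srbcmd, sizeof(srbcmd))) != 0)
        return error;

    /* Step 2: the count is user-controlled; bound it before using it as a length. */
    if (srbcmd.sg_count == 0 || srbcmd.sg_count > MAX_SG_ENTRIES)
        return EINVAL;

    /* Step 3: SgEntry is another user pointer, so it gets its own copyin instead
     * of the direct sgp->SgByteCount read the report describes. */
    if ((error = sim_copyin(srbcmd.SgEntry, sg,
                            (size_t)srbcmd.sg_count * sizeof(sg[0]))) != 0)
        return error;

    /* Step 4: from here on only the kernel copies are touched. */
    for (uint32_t i = 0; i < srbcmd.sg_count; i++) {
        if (__builtin_add_overflow(total, sg[i].SgByteCount, &total))
            return EINVAL;
    }
    *total_out = total;
    return 0;
}

/* Constructed input for the demo: places an SRB at the start of the simulated
 * user window and an SG list of `count` entries 256 bytes in, each with the given
 * byte count. With null_sg set, SgEntry is left NULL, the case the report names.
 * Returns the SRB's user address. */
const struct srb_cmd *build_user_srb(uint32_t count, uint32_t byte_count, int null_sg)
{
    struct srb_cmd *srb = (struct srb_cmd *)user_space;
    struct sg_entry *list = (struct sg_entry *)(user_space + 256);

    memset(user_space, 0, sizeof(user_space));
    for (uint32_t i = 0; i < count && i < MAX_SG_ENTRIES; i++) {
        list[i].SgAddress = 0x1000u * (i + 1);
        list[i].SgByteCount = byte_count;
    }
    srb->sg_count = count;
    srb->SgEntry = null_sg ? NULL : list;
    return srb;
}

int main(void)
{
    uint32_t total = 0;
    int rc = srb_total_bytes(build_user_srb(3, 512, 0), &total);
    printf("valid SRB: rc=%d total=%u\n", rc, total);
    rc = srb_total_bytes(build_user_srb(3, 512, 1), &total);
    printf("NULL SgEntry: rc=%d (EFAULT=%d)\n", rc, EFAULT);
    return 0;
}
```

The design point is that every pointer reaching the kernel from the ioctl argument is treated as an address, never as a dereferenceable object: the SRB header is copied in, and the pointer found inside that copy is copied in again with a length bounded by a fixed maximum, so a hostile or malformed `SgEntry` becomes an `EFAULT` returned to the caller instead of a panic.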
