[Bug 206573] Improper userland pointer handling in aacraid
bugzilla-noreply at freebsd.org
Sun Jan 24 13:44:32 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573
Bug ID: 206573
Summary: Improper userland pointer handling in aacraid
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: misc
Assignee: freebsd-bugs at FreeBSD.org
Reporter: ecturt at gmail.com
The `aac_ioctl_send_raw_srb` function can be reached by supplying the
`FSACTL_LNX_SEND_RAW_SRB` command to `aac_ioctl`. This code path dereferences a
user-supplied pointer directly:
static int
aac_ioctl_send_raw_srb(struct aac_softc *sc, caddr_t arg)
{
        struct aac_srb *user_srb = (struct aac_srb *)arg;
        ...
        /* the SRB header is copied in from userland */
        if ((error = copyin((void *)user_srb, srbcmd, fibsize) != 0))
                goto out;
        ...
        /* SgEntry is a pointer field inside that user-controlled header */
        struct aac_sg_entry *sgp = srbcmd->sg_map.SgEntry;
        ...
        srb_sg_bytecount = sgp->SgByteCount;
        ...
}
`srbcmd` has user controlled contents (after `copyin` from `user_srb`).
`sgp` is set to a user controlled address (`srbcmd->sg_map.SgEntry`).
`sgp` is then dereferenced numerous times (`sgp->SgByteCount`).
One impact of this improper handling is that `sgp` could be `NULL`, which would
result in a `NULL` dereference and a panic.
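The following is an added userland model of the pattern described in the report, not FreeBSD's aacraid code: a handler copies in a request header and then either dereferences the pointer embedded in that header directly (the reported bug) or fetches the pointed-to entries through a second, bounds-checked copy. All names here (sim_copyin, user_mem, srb_hdr, sg_entry, handle_srb_unsafe, handle_srb_checked, run_checked, run_unsafe) and the struct layouts are hypothetical, and the "user address space" is a constructed buffer so that the example runs as an ordinary process.

```c
/*
 * Added example, not FreeBSD code. Models "copyin a header, then trust the
 * pointer inside it" versus fetching the pointed-to data through copyin.
 * Hypothetical names and layouts throughout.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SG 16

/* Shapes loosely modelled on the report's aac_sg_entry / aac_srb (not the
 * real layouts). sg_entries is the pointer field embedded in user data. */
struct sg_entry {
    uint32_t addr;
    uint32_t bytecount;
};

struct srb_hdr {
    uint32_t sg_count;
    struct sg_entry *sg_entries;
};

/* Constructed stand-in for the process address space: anything outside
 * this buffer is "not user memory" and the simulated copyin refuses it. */
static _Alignas(16) unsigned char user_mem[4096];

/* Simulated copyin(9): succeeds only if [uaddr, uaddr+len) lies entirely
 * inside user_mem, otherwise EFAULT. This is exactly the check a kernel
 * loses when it dereferences a user pointer directly. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t len)
{
    uintptr_t lo = (uintptr_t)user_mem, hi = lo + sizeof(user_mem);
    uintptr_t a = (uintptr_t)uaddr;

    if (a == 0 || len > hi - lo || a < lo || a > hi - len)
        return EFAULT;
    memcpy(kaddr, (const void *)a, len);
    return 0;
}

/* Mirrors the reported pattern: copyin the header, then walk sg_entries
 * straight from the user-controlled struct. In a kernel a NULL or wild
 * pointer here is a fault, so this model is only ever called with a
 * pointer that really is mapped. */
static int handle_srb_unsafe(const void *uarg, uint64_t *total)
{
    struct srb_hdr hdr;
    int error = sim_copyin(uarg, &hdr, sizeof(hdr));
    if (error)
        return error;
    struct sg_entry *sgp = hdr.sg_entries;   /* user pointer, unchecked */
    uint64_t sum = 0;
    for (uint32_t i = 0; i < hdr.sg_count; i++)
        sum += sgp[i].bytecount;             /* direct dereference */
    *total = sum;
    return 0;
}

/* Hardened version: bound the count, then fetch the entries with copyin so
 * that a NULL, kernel, or unmapped pointer becomes EFAULT instead of a panic. */
static int handle_srb_checked(const void *uarg, uint64_t *total)
{
    struct srb_hdr hdr;
    struct sg_entry sg[MAX_SG];
    int error = sim_copyin(uarg, &hdr, sizeof(hdr));
    if (error)
        return error;
    if (hdr.sg_count > MAX_SG)
        return EINVAL;
    error = sim_copyin(hdr.sg_entries, sg, hdr.sg_count * sizeof(sg[0]));
    if (error)
        return error;
    uint64_t sum = 0;
    for (uint32_t i = 0; i < hdr.sg_count; i++)
        sum += sg[i].bytecount;
    *total = sum;
    return 0;
}

/* Where the constructed user program keeps its SG table (inside user_mem). */
static struct sg_entry *user_sg_area(void)
{
    return (struct sg_entry *)(user_mem + 256);
}

/* A "kernel-side" table: valid memory, but not user memory. */
static struct sg_entry *kernel_sg_area(void)
{
    static struct sg_entry kernel_only[MAX_SG];
    return kernel_only;
}

/* Build a constructed SRB at the start of user_mem whose embedded pointer
 * is sgp (valid, NULL, or kernel); entries are filled in the user SG area. */
static const void *build_user_srb(uint32_t count, struct sg_entry *sgp)
{
    struct srb_hdr *hdr = (struct srb_hdr *)user_mem;
    struct sg_entry *entries = user_sg_area();
    for (uint32_t i = 0; i < count && i < MAX_SG; i++) {
        entries[i].addr = 0x1000u * (i + 1);
        entries[i].bytecount = 512u * (i + 1);
    }
    hdr->sg_count = count;
    hdr->sg_entries = sgp;
    return user_mem;
}

/* Run a scenario: returns the summed byte count on success, -errno on failure. */
static long run_checked(uint32_t count, struct sg_entry *sgp)
{
    uint64_t total = 0;
    int error = handle_srb_checked(build_user_srb(count, sgp), &total);
    return error ? -(long)error : (long)total;
}

static long run_unsafe(uint32_t count, struct sg_entry *sgp)
{
    uint64_t total = 0;
    int error = handle_srb_unsafe(build_user_srb(count, sgp), &total);
    return error ? -(long)error : (long)total;
}

int main(void)
{
    printf("checked, valid pointer:   %ld\n", run_checked(3, user_sg_area()));
    printf("unsafe,  valid pointer:   %ld\n", run_unsafe(3, user_sg_area()));
    printf("checked, NULL pointer:    %ld (EFAULT=%d)\n", run_checked(3, NULL), EFAULT);
    printf("checked, kernel pointer:  %ld (EFAULT=%d)\n", run_checked(3, kernel_sg_area()), EFAULT);
    printf("checked, oversized count: %ld (EINVAL=%d)\n", run_checked(1u << 30, user_sg_area()), EINVAL);
    return 0;
}
```

The unsafe handler is never run with the NULL or kernel pointer in this model because that would be the same crash the report describes, only in userland; the checked handler rejects both through copyin's range check and rejects an oversized count before it can be used as a copy length.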