[Bug 206581] bxe_ioctl_nvram handler is faulty

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Jan 24 16:31:44 UTC 2016


            Bug ID: 206581
           Summary: bxe_ioctl_nvram handler is faulty
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ecturt at gmail.com

Take a look at the start of `bxe_ioctl_nvram` from `sys/dev/bxe/bxe.c`:

static int
bxe_ioctl_nvram(struct bxe_softc *sc,
                uint32_t         priv_op,
                struct ifreq     *ifr)
    struct bxe_nvram_data nvdata_base;
    struct bxe_nvram_data *nvdata;
    int len;
    int error = 0;

    copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base));

    len = (sizeof(struct bxe_nvram_data) +
           nvdata_base.len -

    if (len > sizeof(struct bxe_nvram_data)) {
        if ((nvdata = (struct bxe_nvram_data *)
                 malloc(len, M_DEVBUF,
                        (M_NOWAIT | M_ZERO))) == NULL) {
            BLOGE(sc, "BXE_IOC_RD_NVRAM malloc failed\n");
            return (1);
        memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));
    } else {
        nvdata = &nvdata_base;


Firstly, the result from `copyin` isn't even checked here...

Secondly, no bound checks on user supplied `nvdata_base.len`, means we can get
`len` to overflow (since it is a `signed int`). For example, give an input
length of `0x80000000 + sizeof(uint32_t)) - (sizeof(struct bxe_nvram_data)` to
get an allocation of 0 bytes, and then boom, we have heap overflow straight

    memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list