[Bug 206581] bxe_ioctl_nvram handler is faulty

Sun Jan 24 16:31:44 UTC 2016

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581

            Bug ID: 206581
           Summary: bxe_ioctl_nvram handler is faulty
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ecturt at gmail.com

Take a look at the start of `bxe_ioctl_nvram` from `sys/dev/bxe/bxe.c`:

static int
bxe_ioctl_nvram(struct bxe_softc *sc,
                uint32_t         priv_op,
                struct ifreq     *ifr)
{
    struct bxe_nvram_data nvdata_base;
    struct bxe_nvram_data *nvdata;
    int len;
    int error = 0;

    copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base));

    len = (sizeof(struct bxe_nvram_data) +
           nvdata_base.len -
           sizeof(uint32_t));

    if (len > sizeof(struct bxe_nvram_data)) {
        if ((nvdata = (struct bxe_nvram_data *)
                 malloc(len, M_DEVBUF,
                        (M_NOWAIT | M_ZERO))) == NULL) {
            BLOGE(sc, "BXE_IOC_RD_NVRAM malloc failed\n");
            return (1);
        }
        memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));
    } else {
        nvdata = &nvdata_base;
    }

    ...
}

Firstly, the result from `copyin` isn't even checked here...

Secondly, no bound checks on user supplied `nvdata_base.len`, means we can get
`len` to overflow (since it is a `signed int`). For example, give an input
length of `0x80000000 + sizeof(uint32_t)) - (sizeof(struct bxe_nvram_data)` to
get an allocation of 0 bytes, and then boom, we have heap overflow straight
after:

    memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));

-- 
You are receiving this mail because:
You are the assignee for the bug.