[Bug 206581] bxe_ioctl_nvram handler is faulty
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sun Jan 24 16:31:44 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581
Bug ID: 206581
Summary: bxe_ioctl_nvram handler is faulty
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: ecturt at gmail.com
Take a look at the start of `bxe_ioctl_nvram` from `sys/dev/bxe/bxe.c`:
static int
bxe_ioctl_nvram(struct bxe_softc *sc,
uint32_t priv_op,
struct ifreq *ifr)
{
struct bxe_nvram_data nvdata_base;
struct bxe_nvram_data *nvdata;
int len;
int error = 0;
copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base));
len = (sizeof(struct bxe_nvram_data) +
nvdata_base.len -
sizeof(uint32_t));
if (len > sizeof(struct bxe_nvram_data)) {
if ((nvdata = (struct bxe_nvram_data *)
malloc(len, M_DEVBUF,
(M_NOWAIT | M_ZERO))) == NULL) {
BLOGE(sc, "BXE_IOC_RD_NVRAM malloc failed\n");
return (1);
}
memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));
} else {
nvdata = &nvdata_base;
}
...
}
Firstly, the result from `copyin` isn't even checked here...
Secondly, no bound checks on user supplied `nvdata_base.len`, means we can get
`len` to overflow (since it is a `signed int`). For example, give an input
length of `0x80000000 + sizeof(uint32_t)) - (sizeof(struct bxe_nvram_data)` to
get an allocation of 0 bytes, and then boom, we have heap overflow straight
after:
memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list