[Bug 206584] Possible integer overflow in update_intel

bugzilla-noreply at freebsd.org
Sun Jan 24 17:11:20 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584

            Bug ID: 206584
           Summary: Possible integer overflow in update_intel
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ecturt at gmail.com

Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`:

        /*
         * 16 byte alignment required.  Rely on the fact that
         * malloc(9) always returns the pointer aligned at least on
         * the size of the allocation.
         */
        ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK);
        if (copyin(args->data, ptr, args->size) != 0) {

If `args->size` is user controlled, it could be prepared to overflow when
adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer
overflow from the `copyin` call.

-- 
You are receiving this mail because:
You are the assignee for the bug.
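As an added illustration of the check a driver would want in front of that `malloc(args->size + 16)`, here is the unchecked computation from the report beside a checked form (example code written for this note, not FreeBSD's cpuctl source; UPDATE_MAX_SIZE, the function names and the use of size_t are assumptions):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define UPDATE_ALIGN    16u
/* Assumed policy cap on an update blob; a real driver would use the
 * limit its interface documents.  Not taken from the FreeBSD source. */
#define UPDATE_MAX_SIZE (4u * 1024u * 1024u)

/* Unchecked form, mirroring `args->size + 16` from the report:
 * for size > SIZE_MAX - 16 the unsigned sum wraps to a small value. */
size_t update_alloc_size_unchecked(size_t size)
{
    return size + UPDATE_ALIGN;
}

/* Checked form: reject sizes above the policy cap and sizes whose
 * padded total would wrap.  Stores the padded size in *out on success. */
bool update_alloc_size(size_t size, size_t *out)
{
    if (size > UPDATE_MAX_SIZE)
        return false;
    if (size > SIZE_MAX - UPDATE_ALIGN)   /* size + 16 would wrap */
        return false;
    *out = size + UPDATE_ALIGN;
    return true;
}

/* Simulated copy of a user buffer into a padded, 16-byte-aligned
 * allocation (userland stand-in for malloc(9) + copyin).
 * Returns 0 on success, -1 if the size was rejected or malloc failed. */
int update_copyin_checked(const unsigned char *user, size_t size)
{
    size_t alloc;
    if (!update_alloc_size(size, &alloc))
        return -1;
    unsigned char *raw = malloc(alloc);
    if (raw == NULL)
        return -1;
    /* round up to the next 16-byte boundary inside the padded block */
    uintptr_t a = ((uintptr_t)raw + UPDATE_ALIGN - 1) &
                  ~(uintptr_t)(UPDATE_ALIGN - 1);
    /* fits: a <= raw + 15 and alloc == size + 16 */
    memcpy((unsigned char *)a, user, size);
    free(raw);
    return 0;
}
```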