[Bug 206584] Possible integer overflow in update_intel
bugzilla-noreply at freebsd.org
Sun Jan 24 17:11:20 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584
Bug ID: 206584
Summary: Possible integer overflow in update_intel
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: ecturt at gmail.com
Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`:
    /*
     * 16 byte alignment required. Rely on the fact that
     * malloc(9) always returns the pointer aligned at least on
     * the size of the allocation.
     */
    ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK);
    if (copyin(args->data, ptr, args->size) != 0) {
If `args->size` is user controlled, it could be prepared to overflow when
adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer
overflow from the `copyin` call.
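The size wrap described above, next to the bounds check that prevents it, as an added user-space C example (not the FreeBSD code and not the reporter's). `alloc_and_copy` is a hypothetical stand-in for the malloc(9)/copyin sequence, and `MAX_UPDATE_SIZE` is an assumed limit, not a value from the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN_SLACK 16   /* the "+ 16" from the update_intel excerpt */

/* Size-only model of the reported defect: the addition wraps before malloc
 * ever sees it, so a size near SIZE_MAX becomes a request of 0..15 bytes. */
size_t unchecked_alloc_size(size_t user_size)
{
    return user_size + ALIGN_SLACK;   /* wraps when user_size > SIZE_MAX - 16 */
}

/* Hardened version: reject sizes that would wrap, and bound the request by a
 * plausible maximum (hypothetical limit, not taken from the bug report). */
#define MAX_UPDATE_SIZE (16u * 1024u * 1024u)

int checked_alloc_size(size_t user_size, size_t *out)
{
    if (user_size > SIZE_MAX - ALIGN_SLACK)
        return EOVERFLOW;               /* the addition would wrap */
    if (user_size == 0 || user_size > MAX_UPDATE_SIZE)
        return EINVAL;                  /* implausible microcode blob */
    *out = user_size + ALIGN_SLACK;
    return 0;
}

/* Hypothetical user-space stand-in for malloc(9) + copyin(): allocate with
 * the checked size and copy the caller's bytes into the 16-byte-aligned slot.
 * On success *outptr receives the raw allocation (pass it to free()). */
int alloc_and_copy(const void *data, size_t user_size, void **outptr)
{
    size_t alloc_size;
    int err = checked_alloc_size(user_size, &alloc_size);
    if (err != 0)
        return err;                     /* never reaches malloc with a wrapped size */
    unsigned char *ptr = malloc(alloc_size);
    if (ptr == NULL)
        return ENOMEM;
    /* same alignment trick as the kernel code: round up inside the slack */
    unsigned char *aligned =
        (unsigned char *)(((uintptr_t)ptr + 15) & ~(uintptr_t)15);
    memcpy(aligned, data, user_size);   /* user_size + 16 <= alloc_size holds */
    *outptr = ptr;
    return 0;
}
```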