[Bug 206754] Out of bounds negative array index in iicrdwr

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Jan 30 09:33:55 UTC 2016


            Bug ID: 206754
           Summary: Out of bounds negative array index in iicrdwr
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

`iicrdwr` in `/sys/dev/iicbus/iic.c` incorrectly handles iteration over the buffer.

Firstly, no bounds checks are applied to the user-controlled `d->nmsgs`.

This field is declared as type `uint32_t` in `struct iic_rdwr_data`:

struct iic_rdwr_data {
        struct iic_msg *msgs;
        uint32_t nmsgs;

However, the `i` variable in this function is declared as a `signed int`:

int error, i;

When `i` iterates over the buffers, since it is `signed`, it can wrap around to a
negative value, for example here:

        for (i = 0; i < d->nmsgs; i++) {
                m = &(buf[i]);
                usrbufs[i] = m->buf;

And here:

        for (i = 0; i < d->nmsgs; i++) {
                m = &(buf[i]);
                if ((error == 0) && (m->flags & IIC_M_RD))
                        error = copyout(m->buf, usrbufs[i], m->len);
                free(m->buf, M_IIC);

`i` will be converted to an `unsigned` type for the comparison `i < d->nmsgs`;
however, it will still be `signed` when indexing `buf`. This would result in a
read out of bounds of the `buf` allocation.
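As an added illustration (not part of the bug report or of the driver source), the mixed-sign comparison from the loop above is placed next to a version that uses an unsigned index and rejects oversized counts before any allocation. `MAX_MSGS`, `struct msg` and the function names are chosen for this example only.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>

/* Hypothetical upper bound on messages per request; name and value are
 * chosen for this example, not taken from the driver. */
#define MAX_MSGS 32

/* Constructed stand-in for the message descriptor used by the driver. */
struct msg {
    uint32_t len;
};

/* The driver compares a signed `i` against `uint32_t nmsgs`; the usual
 * arithmetic conversions turn `i` into unsigned for that comparison.
 * The cast below makes that implicit conversion explicit, so a negative
 * `i` (e.g. INT_MIN after the increment overflows) still satisfies it. */
static int loop_condition_holds(int i, uint32_t nmsgs)
{
    return (uint32_t)i < nmsgs;
}

/* With a signed `int i`, the body runs with i == INT_MAX only when
 * nmsgs > INT_MAX; the next i++ overflows (undefined behaviour, which in
 * practice wraps to INT_MIN), and the loop re-enters with a negative
 * index only if nmsgs is larger than INT_MAX + 1. */
static int index_can_go_negative(uint32_t nmsgs)
{
    return nmsgs > (uint32_t)INT_MAX + 1u;
}

/* Hardened entry check: bound the user-controlled count before it is
 * used to size an allocation or drive a loop. */
static int validate_nmsgs(uint32_t nmsgs)
{
    if (nmsgs == 0 || nmsgs > MAX_MSGS)
        return EINVAL;
    return 0;
}

/* Hardened iteration: index and count share one unsigned type, so the
 * value used to index `buf` is the same value that was compared. */
static uint64_t total_len(const struct msg *buf, uint32_t nmsgs)
{
    uint64_t total = 0;
    for (uint32_t i = 0; i < nmsgs; i++)
        total += buf[i].len;
    return total;
}
```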

This situation seems unlikely to be triggerable, because the code would wait
for `buf` allocation to succeed (`M_WAITOK`):

buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_IIC, M_WAITOK);

Which would be unlikely to succeed if `d->nmsgs` is something like
