[Bug 206754] Out of bounds negative array index in iicrdwr
bugzilla-noreply at freebsd.org
Sat Jan 30 09:33:55 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206754
Bug ID: 206754
Summary: Out of bounds negative array index in iicrdwr
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: cturt at hardenedbsd.org
`iicrdwr` in `/sys/dev/iicbus/iic.c` incorrectly handles iteration over the buffer.
Firstly, no bounds checks are applied to the user-controlled `d->nmsgs`.
This field is declared as type `uint32_t` in `struct iic_rdwr_data`
(`sys/dev/iicbus/iic.h`):
```c
struct iic_rdwr_data {
	struct iic_msg *msgs;
	uint32_t nmsgs;
};
```
However, the `i` variable in this function is declared as a `signed int`:

```c
int error, i;
```
When `i` iterates over the buffers, since it is `signed`, it can wrap around to a
negative value, for example here:

```c
for (i = 0; i < d->nmsgs; i++) {
	m = &(buf[i]);
	usrbufs[i] = m->buf;
```
And here:

```c
for (i = 0; i < d->nmsgs; i++) {
	m = &(buf[i]);
	if ((error == 0) && (m->flags & IIC_M_RD))
		error = copyout(m->buf, usrbufs[i], m->len);
	free(m->buf, M_IIC);
}
```
`i` is converted to `unsigned` for the comparison, but it is still `signed` when
indexing `buf`. This would result in a read out of bounds of the `buf`
allocation.
This situation seems unlikely to be triggerable, because the code would wait
for the `buf` allocation to succeed (`M_WAITOK`):

```c
buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_IIC, M_WAITOK);
```

This would be unlikely to succeed if `d->nmsgs` is something like
`0x80000001`.
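As an added example (not the reporter's code and not FreeBSD's fix), the shape of the check a defender would want in front of this loop: the arithmetic that shows where a `signed int` counter compared against a `uint32_t` count turns negative, a hypothetical upper bound `RDWR_MAX_MSGS` on the user-controlled count (the page names no such constant), an overflow-safe allocation size, and a loop counter of the same unsigned type as `nmsgs`. The `struct iic_msg` here is a constructed stand-in with only the fields the loops touch.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for struct iic_msg: only what the loops touch. */
struct iic_msg {
	uint16_t len;
	uint16_t flags;
	void *buf;
};
#define IIC_M_RD 0x0001 /* read flag; value assumed for this example */

/* Hypothetical cap on messages per request; the page names none. */
#define RDWR_MAX_MSGS 42

/*
 * The report's arithmetic without running the loop: the counter first
 * turns negative at INT_MAX + 1, and (uint32_t)INT_MIN == 0x80000000 is
 * still below nmsgs whenever nmsgs exceeds INT_MAX, so buf[INT_MIN] is
 * read exactly when this returns 1.
 */
int counter_goes_negative(uint32_t nmsgs)
{
	return nmsgs > (uint32_t)INT_MAX;
}

/* Reject an out-of-range count before anything is allocated. */
int validate_rdwr_count(uint32_t nmsgs)
{
	if (nmsgs == 0 || nmsgs > RDWR_MAX_MSGS)
		return EINVAL;
	return 0;
}

/* Allocation size computed in size_t; 0 signals overflow. */
size_t rdwr_alloc_size(uint32_t nmsgs)
{
	if (nmsgs > SIZE_MAX / sizeof(struct iic_msg))
		return 0;
	return (size_t)nmsgs * sizeof(struct iic_msg);
}

/* Iterate with a counter of the same type as nmsgs: no sign to flip. */
size_t count_read_msgs(const struct iic_msg *buf, uint32_t nmsgs)
{
	size_t rd = 0;
	for (uint32_t i = 0; i < nmsgs; i++)
		if (buf[i].flags & IIC_M_RD)
			rd++;
	return rd;
}

/* Constructed two-message request: one read, one write. */
size_t demo_count_reads(void)
{
	struct iic_msg msgs[2] = { { 4, IIC_M_RD, NULL }, { 4, 0, NULL } };
	return count_read_msgs(msgs, 2);
}
```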