[Bug 207627] Negative array index in ctl.c

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Mar 1 21:11:42 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207627

            Bug ID: 207627
           Summary: Negative array index in ctl.c
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

`struct ctl_be_arg` from `sys/cam/ctl/ctl_ioctl.h` declares its sizes as
`signed` integers:

struct ctl_be_arg {
        int     namelen;
        char    *name;
        int     flags;
        int     vallen;
        void    *value;

        char    *kname;
        void    *kvalue;
};

`ctl_copyin_args` from `sys/cam/ctl/ctl.c` copies these values directly from
userland with no bound checks, and then goes on to use them in array indexes:

static struct ctl_be_arg *
ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
                char *error_str, size_t error_str_len)
{
        struct ctl_be_arg *args;
        int i;

        args = ctl_copyin_alloc(uargs, num_args * sizeof(*args),
                                error_str, error_str_len);

        ...

        for (i = 0; i < num_args; i++) {
                uint8_t *tmpptr;

                args[i].kname = ctl_copyin_alloc(args[i].name,
                        args[i].namelen, error_str, error_str_len);
                ...
                if (args[i].kname[args[i].namelen - 1] != '\0') {
                ...
                if (args[i].flags & CTL_BEARG_RD) {
                        ...
                         && (tmpptr[args[i].vallen - 1] != '\0')) {

For example, if a `args[i].namelen` of 0 is supplied, a read will be performed
from `args[i].kname[-1]`. Similarly for `tmpptr` and `vallen`.

This range could be extended by supplying negative lengths, however this would
be less likely to be triggerable since the size is converted to `unsigned` for
the allocation and so an allocation of at least 4GB would need to succeed
first.

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-bugs mailing list