[Bug 207911] kiconv reference count integer overflow

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Mar 11 19:20:05 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207911

            Bug ID: 207911
           Summary: kiconv reference count integer overflow
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: cturt at hardenedbsd.org

The `kiconv` module doesn't perform checks on the reference count of its
converter class before incrementing and decrementing it, sys/libkern/iconv.c:

static int
iconv_register_converter(struct iconv_converter_class *dcp)
{
        kobj_class_compile((struct kobj_class*)dcp);
        dcp->refs++;
        TAILQ_INSERT_TAIL(&iconv_converters, dcp, cc_link);
        return 0;
}

static int
iconv_unregister_converter(struct iconv_converter_class *dcp)
{
        dcp->refs--;
        if (dcp->refs > 1) {
                ICDEBUG("converter has %d references left\n", dcp->refs);
                return EBUSY;
        }
        TAILQ_REMOVE(&iconv_converters, dcp, cc_link);
        kobj_class_free((struct kobj_class*)dcp);
        return 0;
}

Since `refs` field is declared as `u_int`, if `iconv_register_converter` is
called enough times it will overflow from `UINT_MAX` to `0` and then be
incremented to `1`. Then when `iconv_unregister_converter` is called, the check
against `dcp->refs` will be bypassed and its converter class will then be freed
even though it still has references; leading to use after free behaviour.

This is mostly theoretical since it is unlikely to be possible to register this
many converter classes without encountering other issues, such as running out
of memory. In addition, the `iconv_register_converter` is only called on the
`MOD_LOAD` event, which is root only, so is unlikely to present a security
risk.

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-bugs mailing list