[Bug 207911] kiconv reference count integer overflow
bugzilla-noreply at freebsd.org
Fri Mar 11 19:20:05 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207911
Bug ID: 207911
Summary: kiconv reference count integer overflow
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: cturt at hardenedbsd.org
The `kiconv` module doesn't perform checks on the reference count of its
converter class before incrementing and decrementing it (sys/libkern/iconv.c):
static int
iconv_register_converter(struct iconv_converter_class *dcp)
{
	kobj_class_compile((struct kobj_class*)dcp);
	dcp->refs++;
	TAILQ_INSERT_TAIL(&iconv_converters, dcp, cc_link);
	return 0;
}

static int
iconv_unregister_converter(struct iconv_converter_class *dcp)
{
	dcp->refs--;
	if (dcp->refs > 1) {
		ICDEBUG("converter has %d references left\n", dcp->refs);
		return EBUSY;
	}
	TAILQ_REMOVE(&iconv_converters, dcp, cc_link);
	kobj_class_free((struct kobj_class*)dcp);
	return 0;
}
Since the `refs` field is declared as `u_int`, if `iconv_register_converter` is
called enough times it will overflow from `UINT_MAX` to `0` and then be
incremented to `1`. Then when `iconv_unregister_converter` is called, the check
against `dcp->refs` will be bypassed and its converter class will then be freed
even though it still has references, leading to use-after-free behaviour.
This is mostly theoretical since it is unlikely to be possible to register this
many converter classes without encountering other issues, such as running out
of memory. In addition, `iconv_register_converter` is only called on the
`MOD_LOAD` event, which is root only, so it is unlikely to present a security
risk.
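The sequence the report describes, as an added example that is not part of the bug report or of the FreeBSD source: a constructed stand-in for `struct iconv_converter_class` with an unsigned `refs` field, the report's unchecked increment beside a checked variant (an assumed fix, not the committed one) that refuses a new reference once the counter reaches `UINT_MAX`, and the report's decrement-then-test unregister kept as shown. The counter is started at `UINT_MAX` directly instead of registering billions of converters.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for struct iconv_converter_class: only the fields
 * this example needs.  `refs` is unsigned, like the kernel's u_int. */
struct converter_class {
	unsigned int refs;
	int freed;		/* set instead of calling kobj_class_free() */
};

/* Register as the report shows it: increment with no bound check.
 * Unsigned wrap-around is well defined, so UINT_MAX + 1 silently becomes 0. */
static int
register_unchecked(struct converter_class *dcp)
{
	dcp->refs++;
	return (0);
}

/* Hardened register (assumed fix, not the committed one): refuse a new
 * reference when the counter is already at UINT_MAX so it cannot wrap. */
static int
register_checked(struct converter_class *dcp)
{
	if (dcp->refs == UINT_MAX)
		return (EOVERFLOW);
	dcp->refs++;
	return (0);
}

/* Unregister with the report's decrement-then-test order, kept as-is so the
 * effect of a wrapped counter on the free decision stays visible. */
static int
unregister(struct converter_class *dcp)
{
	dcp->refs--;
	if (dcp->refs > 1)
		return (EBUSY);
	dcp->freed = 1;
	return (0);
}

/*
 * Run the report's sequence: start with the counter already at UINT_MAX
 * (constructed), register twice, then unregister once.  Returns 1 if the
 * class was "freed" while other references still exist, 0 otherwise.
 */
static int
run_sequence(int (*reg)(struct converter_class *))
{
	struct converter_class cls = { .refs = UINT_MAX, .freed = 0 };

	if (reg(&cls) != 0)		/* checked path refuses here */
		return (0);
	reg(&cls);			/* unchecked: UINT_MAX -> 0 -> 1 */
	unregister(&cls);		/* 1 -> 0, "refs > 1" is false: freed */
	return (cls.freed);
}

int
freed_with_unchecked_count(void)
{
	return (run_sequence(register_unchecked));
}

int
freed_with_checked_count(void)
{
	return (run_sequence(register_checked));
}

int
main(void)
{
	printf("unchecked: freed while referenced = %d\n",
	    freed_with_unchecked_count());
	printf("checked:   freed while referenced = %d\n",
	    freed_with_checked_count());
	return (0);
}
```

The only change between the two runs is the acquire path: once the increment refuses to wrap, the release path's existing test is enough to keep the class alive. In-tree code would normally reach for the refcount(9) helpers (`refcount_acquire`/`refcount_release`) rather than an open-coded `u_int`, which also makes the counter's bounds auditable in one place.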