[Bug 254964] Integer overflow in ffs_setextattr() could lead to a kernel heap overflow
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Sat Apr 10 22:05:22 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254964
Bug ID: 254964
Summary: Integer overflow in ffs_setextattr() could lead to a
kernel heap overflow
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: cutesmilee.research at protonmail.com
ffs_setextattr() is used to set a named attribute to an ffs vfs.
the problem is that it takes some user controlled data, the interesting ones
are: ap->a_name (arbitrary user string, not checked), and ip->i_ea_len
(unsigned int), which also isn't checked.
the function uses ip->i_ea_len + ealength (which is 7 + strlen(ap->a_name)) for
allocating a buffer, after that user-controlled data are copied to the buffer
using ip->i_ea_len.
providing an INT_MAX ip->i_ea_len + 2^32 + 2 long string will cause an integer
overflow, and the buffer in the heap will be 1 byte, but the bcopy will copy
2^32 bytes to the buffer.
this should be reachable from an unprivileged user (since extattr_check_cred()
doesn't require root if the attrnamespace is set to EXTATTR_NAMESPACE_USER),
but seems to be difficult to exploit, since you'd need 4GBs of ram (for the
long string) just to perform the 2^32 heap overflow, an exploitable overflow
will probably take even more memory.
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list