[Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
bugzilla-noreply at freebsd.org
Wed Feb 24 17:13:42 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463
Bug ID: 207463
Summary: [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
Product: Base System
Version: 10.3-BETA2
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: paul at inetstat.net
CC: freebsd-stable at FreeBSD.org
Created attachment 167367
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167367&action=edit
stable/10/sys/netpfil/pf/pf_ioctl.c patch
While investigating bug #192677 (pfctl ioctl buffer too small for bigger spamd
blacklists) on releng/10.2, I believe I have spotted a kernel buffer overflow
in stable/10/sys/netpfil/pf/pf_ioctl.c / stable/10/sys/netpfil/pf/pf_table.c,
introduced by base r286862 / base r286961.
stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):
totlen = io->pfrio_size * sizeof(struct pfr_addr);
pfras = malloc(totlen, M_TEMP, M_WAITOK);
stable/10/sys/netpfil/pf/pf_table.c:pfr_set_addrs():
bcopy(&ad, addr + size + i, sizeof(ad));
Inside pfr_set_addrs(), pfioctl()'s "pfras" becomes "addr", "io->pfrio_size"
becomes "size", and "io->pfrio_size2" becomes "size2". pfr_set_addrs() uses
size2 to protect the buffer just above that bcopy. Looking carefully at
stable/10/sys/sbin/pfctl/pfctl_table.c:pfctl_table("replace") and
stable/10/sys/sbin/pfctl/pfctl_radix.c:pfr_buf_grow(), io->pfrio_buffer passed
into the ioctl is size2.
This is theoretical, based on simulating the code mentally. I'm fairly certain
that my analysis is correct, but I've not verified it via compiled stable/10
code. The bcopy seems to fairly obviously run off the end of the buffer when
it is only "size". The fix should be quite simple, by just changing the buffer
to be "size2" in stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):
totlen = io->pfrio_size2 * sizeof(struct pfr_addr);
Untested patch attached. I believe this applies to both stable/10 and head. I
have tagged it as 10.3-BETA, as that seems to be the place where the more
urgent attention is needed, as it would be quite unfortunate for 10.3 to be
released with this bug (if my analysis is correct).
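To make the sizing mismatch in the report concrete, the following is a small user-space model added here; it is not FreeBSD's code and does not touch pf(4). The struct names pfr_addr_model and pfrio_model, the function names, and the "count instead of corrupt" bookkeeping are assumptions made for illustration; only the field names pfrio_size and pfrio_size2 and the two sizing expressions (totlen from pfrio_size in the reported code, from pfrio_size2 in the proposed fix) come from the report. The feedback path is modelled as the report describes it: it appends records at addr + size + i and bounds them only by size2, never by the real allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct pfr_addr (assumed layout, not the kernel's). */
struct pfr_addr_model {
    uint8_t pfra_af;
    uint8_t pfra_net;
    uint8_t pfra_fback;     /* feedback code handed back to userland */
    uint8_t pfra_u[16];     /* address bytes */
};

/* Stand-in for the DIOCRSETADDRS request; field names follow the report. */
struct pfrio_model {
    size_t pfrio_size;      /* entries userland passed in */
    size_t pfrio_size2;     /* capacity of userland's buffer, in entries */
};

struct set_addrs_result {
    size_t alloc_bytes;     /* what the kernel side allocated */
    size_t feedback_count;  /* records the feedback path appended */
    size_t oob_bytes;       /* bytes those records would land past alloc_bytes */
};

/*
 * Model of pfr_set_addrs()' feedback path: for each of ndel entries being
 * dropped from the table, append a "deleted" record at addr + size + i.
 * The only bound it applies is size2 (userland capacity); it is never told
 * how large addr really is. A write that would pass addr_bytes is counted
 * rather than performed so the model stays memory-safe.
 */
static size_t
model_pfr_set_addrs_feedback(struct pfr_addr_model *addr, size_t size,
    size_t size2, size_t ndel, size_t addr_bytes, size_t *oob_bytes)
{
    struct pfr_addr_model ad;
    size_t i, n = 0;

    *oob_bytes = 0;
    for (i = 0; i < ndel && size + i < size2; i++) {
        size_t off = (size + i) * sizeof(ad);

        memset(&ad, 0, sizeof(ad));
        ad.pfra_fback = 1;                      /* stands in for PFR_FB_DELETED */
        if (off + sizeof(ad) <= addr_bytes)
            memcpy(&addr[size + i], &ad, sizeof(ad));
        else
            *oob_bytes += sizeof(ad);           /* this bcopy would overflow */
        n++;
    }
    return n;
}

/*
 * Model of pfioctl(DIOCRSETADDRS). use_size2 == 0 sizes the kernel copy by
 * pfrio_size, as the reported stable/10 code does; use_size2 == 1 applies the
 * proposed fix and sizes it by pfrio_size2.
 */
static struct set_addrs_result
model_pfioctl_setaddrs(const struct pfrio_model *io, size_t ndel, int use_size2)
{
    struct set_addrs_result r = { 0, 0, 0 };
    size_t nent = use_size2 ? io->pfrio_size2 : io->pfrio_size;
    struct pfr_addr_model *pfras;

    r.alloc_bytes = nent * sizeof(*pfras);      /* totlen in the report */
    pfras = calloc(nent ? nent : 1, sizeof(*pfras));
    if (pfras == NULL)
        return r;
    r.feedback_count = model_pfr_set_addrs_feedback(pfras, io->pfrio_size,
        io->pfrio_size2, ndel, r.alloc_bytes, &r.oob_bytes);
    free(pfras);
    return r;
}

/* Bytes the feedback path would write past the allocation for one request. */
static size_t
model_oob_bytes(size_t size, size_t size2, size_t ndel, int use_size2)
{
    struct pfrio_model io = { size, size2 };

    return model_pfioctl_setaddrs(&io, ndel, use_size2).oob_bytes;
}

int
main(void)
{
    /* Constructed request: 4 entries sent, userland buffer holds 8. */
    struct pfrio_model io = { 4, 8 };
    struct set_addrs_result v = model_pfioctl_setaddrs(&io, 3, 0);
    struct set_addrs_result f = model_pfioctl_setaddrs(&io, 3, 1);

    printf("sized by pfrio_size : alloc %zu bytes, %zu records, %zu bytes past end\n",
        v.alloc_bytes, v.feedback_count, v.oob_bytes);
    printf("sized by pfrio_size2: alloc %zu bytes, %zu records, %zu bytes past end\n",
        f.alloc_bytes, f.feedback_count, f.oob_bytes);
    return 0;
}
```

With the request sized by pfrio_size, every feedback record lands beyond the allocation, since the feedback starts at index size and the buffer ends there; sized by pfrio_size2, the size2 check inside the feedback path is exactly the bound the allocation honours, so no record can pass the end. The same check is the one to look for when reading any ioctl handler that hands a buffer to a callee with two different length fields.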