svn commit: r344305 - head/sys/geom
Mark Johnston
markj at FreeBSD.org
Tue Feb 19 21:22:23 UTC 2019
Author: markj
Date: Tue Feb 19 21:22:22 2019
New Revision: 344305
URL: https://svnweb.freebsd.org/changeset/base/344305
Log:
Impose a limit on the number of GEOM_CTL arguments.
Otherwise a privileged user can trigger a memory allocation of
unbounded size, or an integer overflow in the subsequent
geom_alloc_copyin() call, leading to out-of-bounds accesses.
Hard-code a large limit to circumvent this problem.
admbug: 854
Reported by: Anonymous of the Shellphish Grill Team
Reviewed by: ae
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D19251
Modified:
head/sys/geom/geom_ctl.c
Modified: head/sys/geom/geom_ctl.c
==============================================================================
--- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304)
+++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305)
@@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req)
char *p;
u_int i;
+ if (req->narg > 2048) {
+ gctl_error(req, "too many arguments");
+ req->arg = NULL;
+ return;
+ }
+
ap = geom_alloc_copyin(req, req->arg, req->narg * sizeof(*ap));
if (ap == NULL) {
gctl_error(req, "bad control request");
More information about the svn-src-all
mailing list