https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204097

Bug ID: 204097
Summary: witness_initialize() does not perform bound checking of witness_count
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: ertl.ch...@gmail.com

The witness_count sysctl node is of type CTLFLAG_RDTUN, which means it's a read-only variable, but can be set during boot by creating a "debug.witness.count" entry in /boot/loader.conf.

The witness_initialize() function of sys/kern/subr_witness.c does not perform bound checks on witness_count, which could lead to integer overflows and memory corruption.

The following line from witness_initialize() can cause an overflow if witness_count is 2147483647, for example, since a signed comparison is used:

    for (i = 0; i < witness_count + 1; i++) {

This means that the w_rmatrix[i] buffers are never allocated, which would lead to kernel reads and writes from an uninitialized pointer.

A potential fix would be to add the following bound check at the beginning of the function:

    if (witness_count < 0 || witness_count >= 2147483647) {
        printf("Invalid witness_count value of %d, setting to 2147483646\n",
            witness_count);
        witness_count = 2147483646;
    }

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
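An overflow-safe version of the tunable check and the allocation loop it guards, as an added user-space example that is not the reporter's patch and not FreeBSD's kernel code; it goes one step beyond the report by also clamping to an application ceiling (the WITNESS_COUNT_LIMIT value and the row layout are assumptions, since the page gives neither):

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

#define WITNESS_COUNT_LIMIT 4096 /* assumed ceiling; the page gives none */

/* 1 if count is non-negative and `count + 1` still fits in an int. INT_MAX
 * is rejected: INT_MAX + 1 is signed overflow (undefined in C), which is
 * what makes the unchecked `i < witness_count + 1` bound misbehave. */
int witness_count_in_range(int count)
{
    return count >= 0 && count <= INT_MAX - 1;
}

/* Clamp like the reporter's proposed check, but to a ceiling that a
 * (count+1) x (count+1) byte matrix can actually honour. */
int sanitize_witness_count(int count)
{
    if (!witness_count_in_range(count) || count > WITNESS_COUNT_LIMIT)
        return WITNESS_COUNT_LIMIT;
    return count;
}

/* Allocate rows 0..count (count+1 bytes each) and return how many rows
 * were set up: 0 if the value is rejected or memory runs out. The trip
 * count is computed once in size_t, so nothing can wrap and every row a
 * caller may later index really exists. */
size_t alloc_rmatrix_rows(int count, unsigned char ***rows_out)
{
    size_t n, i;
    unsigned char **rows;
    *rows_out = NULL;
    if (!witness_count_in_range(count))
        return 0;
    n = (size_t)count + 1;
    if ((rows = calloc(n, sizeof(*rows))) == NULL)
        return 0;
    for (i = 0; i < n; i++) {
        if ((rows[i] = calloc(n, 1)) == NULL) {
            while (i-- > 0)
                free(rows[i]);
            free(rows);
            return 0;
        }
    }
    *rows_out = rows;
    return n;
}
```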