https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584
Bug ID: 206584
Summary: Possible integer overflow in update_intel
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: ect...@gmail.com

Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`:

    /*
     * 16 byte alignment required. Rely on the fact that
     * malloc(9) always returns the pointer aligned at least on
     * the size of the allocation.
     */
    ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK);
    if (copyin(args->data, ptr, args->size) != 0) {

If `args->size` is user controlled, it could be prepared to overflow when adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer overflow from the `copyin` call.

--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
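The hardening pattern for the arithmetic the report describes, as an added userland example that is not FreeBSD's cpuctl code: a user-supplied length is first bounded by a policy maximum, and only then padded for alignment, with the padded addition checked for wraparound before it reaches the allocator. `MAX_UPDATE_SIZE`, `checked_add_size`, `validate_update_size` and `stage_update` are names chosen for this example and are not identifiers from the kernel source; the 4 MiB limit is an assumed value standing in for whatever ceiling a driver would enforce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy ceiling for one update blob (not a value from the driver). */
#define MAX_UPDATE_SIZE (4u * 1024u * 1024u)
/* Alignment padding, matching the "+ 16" in the quoted snippet. */
#define ALIGN_PAD ((size_t)16)

/* The unchecked form from the report: size + 16 silently wraps when
 * size is within 16 of SIZE_MAX, yielding a tiny allocation. */
size_t unchecked_alloc_size(size_t user_size) {
    return user_size + ALIGN_PAD;
}

/* Overflow-safe addition: store size + pad in *out only if it cannot wrap. */
bool checked_add_size(size_t size, size_t pad, size_t *out) {
    if (size > SIZE_MAX - pad)
        return false;
    *out = size + pad;
    return true;
}

/* What a hardened ioctl handler would do before allocating:
 * reject zero and oversized requests, then compute the padded size safely.
 * Returns 0 on success, -1 on a rejected request (EINVAL in kernel terms). */
int validate_update_size(size_t user_size, size_t *alloc_size) {
    if (user_size == 0 || user_size > MAX_UPDATE_SIZE)
        return -1;
    if (!checked_add_size(user_size, ALIGN_PAD, alloc_size))
        return -1;
    return 0;
}

/* Userland stand-in for malloc+copyin: allocate the validated padded size,
 * copy exactly user_size bytes, and return the buffer (caller frees).
 * Returns NULL if the size is rejected. */
uint8_t *stage_update(const uint8_t *user_data, size_t user_size,
                      size_t *alloc_size) {
    if (validate_update_size(user_size, alloc_size) != 0)
        return NULL;
    uint8_t *buf = calloc(1, *alloc_size);
    if (buf == NULL)
        return NULL;
    memcpy(buf, user_data, user_size);   /* never exceeds *alloc_size */
    return buf;
}

int main(void) {
    /* Constructed sample update blob. */
    const uint8_t blob[32] = { 0x01, 0x02, 0x03 };
    size_t alloc_size = 0;

    printf("unchecked SIZE_MAX-3 + 16 = %zu\n",
           unchecked_alloc_size(SIZE_MAX - 3));        /* wraps to 12 */

    uint8_t *buf = stage_update(blob, sizeof blob, &alloc_size);
    printf("valid request: buf=%p alloc_size=%zu\n", (void *)buf, alloc_size);
    free(buf);

    buf = stage_update(blob, SIZE_MAX - 3, &alloc_size);
    printf("wrapping request rejected: %s\n", buf == NULL ? "yes" : "no");
    return 0;
}
```

The order of the checks matters: bounding `user_size` against a sane maximum first makes the later addition trivially safe and also caps how much kernel memory a single caller can pin, while `checked_add_size` guards the padding arithmetic independently so the function stays correct if the ceiling is ever raised or removed.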