https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207627
Bug ID: 207627
Summary: Negative array index in ctl.c
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: ct...@hardenedbsd.org
`struct ctl_be_arg` from `sys/cam/ctl/ctl_ioctl.h` declares its sizes as
`signed` integers:
struct ctl_be_arg {
int namelen;
char *name;
int flags;
int vallen;
void *value;
char *kname;
void *kvalue;
};
`ctl_copyin_args` from `sys/cam/ctl/ctl.c` copies these values directly from
userland with no bound checks, and then goes on to use them in array indexes:
static struct ctl_be_arg *
ctl_copyin_args(int num_args, struct ctl_be_arg *uargs,
char *error_str, size_t error_str_len)
{
struct ctl_be_arg *args;
int i;
args = ctl_copyin_alloc(uargs, num_args * sizeof(*args),
error_str, error_str_len);
...
for (i = 0; i < num_args; i++) {
uint8_t *tmpptr;
args[i].kname = ctl_copyin_alloc(args[i].name,
args[i].namelen, error_str, error_str_len);
...
if (args[i].kname[args[i].namelen - 1] != '\0') {
...
if (args[i].flags & CTL_BEARG_RD) {
...
&& (tmpptr[args[i].vallen - 1] != '\0')) {
For example, if a `args[i].namelen` of 0 is supplied, a read will be performed
from `args[i].kname[-1]`. Similarly for `tmpptr` and `vallen`.
This range could be extended by supplying negative lengths, however this would
be less likely to be triggerable since the size is converted to `unsigned` for
the allocation and so an allocation of at least 4GB would need to succeed
first.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
