[Bug 206551] Heap overflow in iconv kernel module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206551

--- Comment #2 from CTurt ---

It's worth noting that the minimum size which can be passed for a signed 32bit integer is `-0x7fffffff`, which wraps around to `0x80000001`.

If on FreeBSD 9, when this size goes through `malloc` it will eventually be passed down to `uma_large_malloc`, which treats size as `vm_size_t`, a typedef for a 32bit unsigned integer; this means the size will truncate to `0x80000001` (just over 2GB).

An allocation of 2GB is much more likely to succeed. And once it has succeeded, `copyin` will attempt to copy `0x80000001` bytes from userland into this allocation, which will clearly result in a heap overflow.

The size of this heap overflow could be controlled by unmapping the page after the userland mapping, resulting in the function returning `EFAULT` once it has reached the end of the userland mapping.

With a heap overflow of controllable size and contents, this bug shouldn't be difficult to exploit. I've demonstrated a similar exploit for PS4 kernel using `kevent` for heap layout manipulation primitives.

Fortunately, for later versions of FreeBSD, the inner calls of `malloc` correctly handle `size` as 64bit types, which means the worst that can happen is the thread locking up whilst trying to allocate `0x80000001` bytes (because `M_WAITOK` is passed).

-- 
You are receiving this mail because:
You are the assignee for the bug.
___
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
[Bug 206516] [patch] Teach ofw_bus_parse_xref_list_alloc to be able to return the length of the parsed list
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206516

--- Comment #1 from Stanislav Galabov ---

This bug is now followed at: https://reviews.freebsd.org/D5043
Will continue work there.
[Bug 206536] Warnings during buildworld possibly affecting build of up-to-date make
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206536

--- Comment #2 from Dave Evans ---

The host I was building on was FreeBSD 11.0-CURRENT #3 r294529 amd64, which I built about 3 days ago.

The target I was building for was stable/9 i386. svn info reports in my src directory:

Revision: 294529
Last Changed Rev: 294457
Last Changed Date: 2016-01-20 19:56:43 +0000 (Wed, 20 Jan 2016)

I also tried an amd64 build with the same results. This is the one I reported about.

The i386 build has successfully completed. I stopped the amd64 build after a couple of minutes once it had logged the warnings.
[Bug 206551] Heap overflow in iconv kernel module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206551

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs-patch, needs-qa,
                   |                            |security
              Flags|                            |mfc-stable9?
[Bug 206551] Heap overflow in iconv kernel module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206551

--- Comment #3 from CTurt ---

In the disassembly of `libiconv.so`, the check is performed on an `unsigned int` for some reason:

    unsigned int v24;
    ...
    && v24 <= 0x41000

I'm not sure why this is, considering the type of `ia_data` is `int`, which should imply `signed` by default.

However, this means that it's not actually triggerable; `EINVAL` is returned for an `ia_data` of `-1`.

I've tested on FreeBSD 9.0, and 10.2
[Bug 206528] Emulex LPe 16002 FC HBA Not Recognized by oce(4) driver
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206528

Olli Hauer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |oha...@freebsd.org

--- Comment #1 from Olli Hauer ---

Hm, looking at man(4) oce there is a hint to address such issues to Emulex.

I was myself looking the last days for an LPe12000 (FC) driver (no luck) but there is one for the LPe16000 on the Emulex site
http://www.emulex.com/downloads/emulex/drivers/freebsd/freebsd-10/drivers/
[Bug 206528] Emulex LPe 16002 FC HBA Not Recognized by oce(4) driver
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206528

--- Comment #2 from Ron ---

I looked there before opening the case. For me I just see this under download: "Ethernet Driver - Use inbox driver"
[Bug 206567] [msk] msk0: watchdog timeout - 88E8053 on i386
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206567

            Bug ID: 206567
           Summary: [msk] msk0: watchdog timeout - 88E8053 on i386
           Product: Base System
           Version: 9.3-STABLE
          Hardware: i386
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: bugs.freebsd@cmb.ch
                CC: freebsd-i...@freebsd.org

On my MacMini (Late 2006, Macmini1,1, MA607*/A), the msk0 interface usually shows this:

Jan  1 22:29:17 beastli kernel: msk0: watchdog timeout
Jan  1 22:29:17 beastli kernel: msk0: link state changed to DOWN
Jan  1 22:29:20 beastli kernel: msk0: link state changed to UP

and thereafter the interface won't transport any data anymore. Only a reboot helps. This is since 9.2 (for over a year). I have looked at patches found in this bug forum but it didn't help.

This happens when quite some traffic goes over the interface, I presume. It happens either once a week or every 30 minutes...

Anything I can switch on/off to configure? Or anything I can do to circumvent the reboot? (as kernel module could be a way) as read in #150257?

Thanks
Christian

Platform info:

PF firewall configured
FreeBSD 9.3-RELEASE-p33 #0: Thu Jan 14 00:48:15 UTC 2016

mskc0: mem 0x90200000-0x90203fff irq 16 at device 0.0 on pci1
msk0: on mskc0
msk0: Ethernet address: 00:16:xx:yy:aa:qq
miibus0: on msk0
e1000phy0: PHY 0 on miibus0
e1000phy0: none, 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-master, 1000baseT-FDX, 1000baseT-FDX-master, auto, auto-flow

root@beastli:~ # pciconf -lbceVv @pci0:1:0:0:
mskc0@pci0:1:0:0:       class=0x020000 card=0x532111ab chip=0x436211ab rev=0x22 hdr=0x00
    vendor     = 'Marvell Technology Group Ltd.'
    device     = '88E8053 PCI-E Gigabit Ethernet Controller'
    class      = network
    subclass   = ethernet
    bar   [10] = type Memory, range 64, base 0x90200000, size 16384, enabled
    bar   [18] = type I/O Port, range 32, base 0x1000, size 256, disabled
    cap 01[48] = powerspec 2  supports D0 D1 D2 D3  current D0
    cap 03[50] = VPD
    cap 05[5c] = MSI supports 2 messages, 64 bit enabled with 1 message
    cap 10[e0] = PCI-Express 1 legacy endpoint max data 128(128) link x1(x1)
                 speed 2.5(2.5) ASPM disabled(L0s)
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 1 corrected
     PCI-e errors = Correctable Error Detected
                    Non-Fatal Error Detected
                    Unsupported Request Detected
        Corrected = Receiver Error
    VPD ident  = 'Marvell Yukon 88E8053 Gigabit Ethernet Controller'
    VPD ro PN  = 'Yukon 88E8053'
    VPD ro EC  = 'Rev. 2.2'
    VPD ro MN  = 'Marvell'
    VPD ro SN  = 'AbCdEfG334455'
    VPD ro CP  = ID 01 in map 0x50[0x3cc]
    VPD rw VE  = '00'
[Bug 206573] Improper userland pointer handling in aacraid
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573

            Bug ID: 206573
           Summary: Improper userland pointer handling in aacraid
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ect...@gmail.com

The `aac_ioctl_send_raw_srb` function can be reached by supplying the `FSACTL_LNX_SEND_RAW_SRB` command to `aac_ioctl`. This code path dereferences a user supplied pointer directly:

    static int
    aac_ioctl_send_raw_srb(struct aac_softc *sc, caddr_t arg)
    {
        struct aac_srb *user_srb = (struct aac_srb *)arg;
        ...
        if ((error = copyin((void *)user_srb, srbcmd, fibsize) != 0))
            goto out;
        ...
        struct aac_sg_entry *sgp = srbcmd->sg_map.SgEntry;
        ...
        srb_sg_bytecount = sgp->SgByteCount;
        ...
    }

`srbcmd` has user controlled contents (after `copyin` from `user_srb`). `sgp` is set to a user controlled address (`srbcmd->sg_map.SgEntry`). `sgp` is then dereferenced numerous times (`sgp->SgByteCount`).

One impact of this improper handling is that `sgp` could be `NULL`, which would result in a `NULL` dereference, and panic.
[Bug 206573] Improper userland pointer handling in aacraid
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573

--- Comment #1 from CTurt ---

I've committed a patch to HardenedBSD:
https://github.com/HardenedBSD/hardenedBSD-playground/commit/48d6f11271b93a265184de813e32dba8f5cf76f9
[Bug 206573] Improper userland pointer handling in aacraid
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs-qa, patch
                URL|                            |https://github.com/HardenedBSD/hardenedBSD-playground/commit/48d6f11271b93a265184de813e32dba8f5cf76f9
[Bug 206579] Multiple vulnerabilities in AMR ioctl handler
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206579

            Bug ID: 206579
           Summary: Multiple vulnerabilities in AMR ioctl handler
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ect...@gmail.com

The `amr_ioctl` handler contains userland dereferences, and no bound checks on user supplied sizes.

The only time where the `addr` is correctly accessed by `copyin` is in the Linux emulation commands, like `0xc06e6d00`:

    error = copyin(addr, &ali, sizeof(ali));

The rest of the commands use a union called `arg`, which is set up to make incorrectly dealing with `addr` easier:

    union {
        void                    *_p;
        struct amr_user_ioctl   *au;
    #ifdef AMR_IO_COMMAND32
        struct amr_user_ioctl32 *au32;
    #endif
        int                     *result;
    } arg;
    ...
    arg._p = (void *)addr;

The most serious issue is the `AMR_IO_VERSION` command, writing its output directly without using `copyout`:

    case AMR_IO_VERSION:
        debug(1, "AMR_IO_VERSION");
        *arg.result = AMR_IO_VERSION_NUMBER;
        return(0);

The address of this write is completely user controlled, and can be used to write arbitrary kernel memory.

Another issue stems from supplying the `AMR_IO_COMMAND` command. A user supplied size will be fetched (without `copyin`):

    au_length = arg.au->au_length;

Which is then used by `malloc` and `copyin` without any boundary checks:

    /* handle inbound data buffer */
    real_length = amr_ioctl_buffer_length(au_length);
    dp = malloc(real_length, M_AMR, M_WAITOK|M_ZERO);
    if (au_length != 0 && au_cmd[0] != 0x06) {
        if ((error = copyin(au_buffer, dp, au_length)) != 0) {
            free(dp, M_AMR);
            return (error);
        }
        debug(2, "copyin %ld bytes from %p -> %p", au_length, au_buffer, dp);
    }

On FreeBSD 9, we could abuse the 32bit size truncation in `uma_large_malloc` to get a heap overflow from this. On later versions, allocating large sizes can probably only be used to DoS the system.
[Bug 206528] Emulex LPe 16002 FC HBA Not Recognized by oce(4) driver
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206528

--- Comment #3 from Olli Hauer ---

Hi Ron,

you are right, no download for 10.x, but there is a driver for 9.3 in the old pkg format. I'm not sure if it will work on 10.x and for FC, but maybe give it a try.

Perhaps Koobs or another Bugzilla admin can add the Emulex contact email address freebsd-driv...@emulex.com to the PR (does not exist until now so I cannot add the address to the CC list)
[Bug 206579] Multiple vulnerabilities in AMR ioctl handler
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206579

--- Comment #1 from CTurt ---

Forgot to mention, the file is `sys/dev/amr/amr.c`.
[Bug 206528] Emulex LPe 16002 FC HBA Not Recognized by oce(4) driver
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206528

--- Comment #4 from Ron ---

I will give it a shot shortly. Last time I tried this I had failures due to the change from gcc to clang. Will report back shortly.
[Bug 206528] Emulex LPe 16002 FC HBA Not Recognized by oce(4) driver
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206528

--- Comment #5 from Olli Hauer ---

I forgot the change from gcc to clang already.

oce.ko is a static module, and even if it works I wouldn't trust it in production without a vendor statement.
[Bug 206581] bxe_ioctl_nvram handler is faulty
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581

            Bug ID: 206581
           Summary: bxe_ioctl_nvram handler is faulty
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ect...@gmail.com

Take a look at the start of `bxe_ioctl_nvram` from `sys/dev/bxe/bxe.c`:

    static int
    bxe_ioctl_nvram(struct bxe_softc *sc,
                    uint32_t         priv_op,
                    struct ifreq     *ifr)
    {
        struct bxe_nvram_data nvdata_base;
        struct bxe_nvram_data *nvdata;
        int len;
        int error = 0;

        copyin(ifr->ifr_data, &nvdata_base, sizeof(nvdata_base));

        len = (sizeof(struct bxe_nvram_data) +
               nvdata_base.len -
               sizeof(uint32_t));

        if (len > sizeof(struct bxe_nvram_data)) {
            if ((nvdata = (struct bxe_nvram_data *)
                     malloc(len, M_DEVBUF,
                            (M_NOWAIT | M_ZERO))) == NULL) {
                BLOGE(sc, "BXE_IOC_RD_NVRAM malloc failed\n");
                return (1);
            }
            memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));
        } else {
            nvdata = &nvdata_base;
        }
        ...
    }

Firstly, the result from `copyin` isn't even checked here...

Secondly, no bound checks on user supplied `nvdata_base.len` means we can get `len` to overflow (since it is a `signed int`).

For example, give an input length of `(0x80000000 + sizeof(uint32_t)) - sizeof(struct bxe_nvram_data)` to get an allocation of 0 bytes, and then boom, we have heap overflow straight after:

    memcpy(nvdata, &nvdata_base, sizeof(struct bxe_nvram_data));
[Bug 206528] Emulex LPe 16002 FC HBA Not Recognized by oce(4) driver
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206528

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #6 from Kubilay Kocak ---

(In reply to Olli Hauer from comment #3)

I don't think it's appropriate to create user accounts (to be CC'd on things) without asking, but if you could send them an email to create an account that would be great :)
[Bug 206581] bxe_ioctl_nvram handler is faulty
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581

--- Comment #1 from CTurt ---

Sorry, forgot about the check:

    if (len > sizeof(struct bxe_nvram_data)) {

So, the example I suggested wouldn't work. But the lack of `copyin` being checked is still valid. And there probably should be some bound checks anyway.
[Bug 206583] Unable to load ip_mroute kernel module if VIMAGE is enabled in kernel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206583

            Bug ID: 206583
           Summary: Unable to load ip_mroute kernel module if VIMAGE is enabled in kernel
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: woods...@gmail.com

When running a kernel with VIMAGE support, loading the ip_mroute kernel module will fail.

% sudo kldload -v ip_mroute
kldload: an error occurred while loading the module. Please check dmesg(8) for more details.
% dmesg
linker_load_file: Unsupported file type
% uname -a
FreeBSD sparticus.woods.am 11.0-CURRENT FreeBSD 11.0-CURRENT #1 r294463: Sun Jan 24 17:17:25 CET 2016     r...@freenas.woods.am:/usr/obj/usr/src/sys/GENERIC-NODEBUG-VIMAGE  amd64

If I recompile the kernel with the same sources, with the only change being to disable VIMAGE (in this case using the GENERIC-NODEBUG kernel), then after reboot I am able to load the ip_mroute kernel option successfully.

Expected result: ip_mroute kernel module should be able to load regardless of whether VIMAGE support is enabled in the kernel or not.
[Bug 206581] bxe_ioctl_nvram handler is faulty
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206581

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|---                         |Normal
             Status|New                         |Open
           Keywords|                            |needs-patch, needs-qa,
                   |                            |security
              Flags|                            |mfc-stable9?, mfc-stable10?

--- Comment #2 from Kubilay Kocak ---

Thanks for your submission CTurt. Please feel free to attach a proposed change to resolve
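A hardened form of the prologue quoted in the report, added here as an example (the editor's, not the driver's code and not a change proposed to the PR): copyin()'s return value is checked and the user-supplied length is bounded before it enters the size arithmetic. The struct layout is simplified, BXE_NVRAM_MAX_LEN is an invented cap, and copyin() is a stand-in that serves a constructed "user" window so the example runs in userland.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct bxe_nvram_data {     /* simplified layout: an assumption, not bxe.h */
    uint32_t op;
    uint32_t offset;
    uint32_t len;           /* payload length in bytes, user supplied */
    uint32_t value[1];      /* first payload word; more follow in memory */
};

#define BXE_NVRAM_MAX_LEN (64u * 1024u)   /* assumed upper bound on len */

/* Stand-in for copyin(9): the "user" address space is one constructed
 * window; a source range that does not fit inside it faults. */
static uint8_t user_window[4096];

static int copyin(const void *uaddr, void *kaddr, size_t len)
{
    const uint8_t *u = uaddr;

    if (len > sizeof(user_window) || u < user_window ||
        u > user_window + sizeof(user_window) - len)
        return EFAULT;
    memcpy(kaddr, u, len);
    return 0;
}

/* Hardened prologue.  On success *out is either base (small request) or a
 * zeroed heap buffer of *out_len bytes that the caller frees. */
int bxe_nvram_prologue(const void *ifr_data, struct bxe_nvram_data *base,
                       struct bxe_nvram_data **out, size_t *out_len)
{
    int error;

    *out = NULL;
    *out_len = 0;
    /* 1. Check copyin()'s result: an unreadable pointer must not leave
     *    nvdata_base uninitialised and still drive the allocation below. */
    if ((error = copyin(ifr_data, base, sizeof(*base))) != 0)
        return error;
    /* 2. Bound the user length before it enters any arithmetic, so the
     *    computed size can neither wrap nor request a huge allocation. */
    if (base->len > BXE_NVRAM_MAX_LEN)
        return EINVAL;
    /* The driver's formula, evaluated in size_t on a bounded operand
     * rather than in a signed int. */
    *out_len = sizeof(*base) + (size_t)base->len - sizeof(uint32_t);
    if (*out_len > sizeof(*base)) {
        if ((*out = calloc(1, *out_len)) == NULL)   /* M_ZERO equivalent */
            return ENOMEM;
        memcpy(*out, base, sizeof(*base));
    } else {
        *out = base;                                /* fits the stack copy */
    }
    return 0;
}

/* Scenario helper: write a header with the given len into the user window,
 * run the prologue and record the outcome in the two globals. */
size_t last_alloc_len;
int    last_used_heap;

int try_request_len(uint32_t len)
{
    struct bxe_nvram_data hdr = { .op = 0, .offset = 0, .len = len, .value = { 0 } };
    struct bxe_nvram_data base, *nv;
    int error;

    memcpy(user_window, &hdr, sizeof(hdr));
    error = bxe_nvram_prologue(user_window, &base, &nv, &last_alloc_len);
    last_used_heap = (error == 0 && nv != &base);
    if (last_used_heap)
        free(nv);
    return error;
}

/* A user pointer whose header would run past the end of the user window. */
int try_bad_pointer(void)
{
    struct bxe_nvram_data base, *nv;
    size_t n;

    return bxe_nvram_prologue(user_window + sizeof(user_window) - 4, &base, &nv, &n);
}
```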
[Bug 206579] arm(4): Multiple vulnerabilities in AMR ioctl handler
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206579

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Affects Only Me             |Affects Some People
            Summary|Multiple vulnerabilities in |arm(4): Multiple
                   |AMR ioctl handler           |vulnerabilities in AMR
                   |                            |ioctl handler
           Keywords|                            |needs-patch, needs-qa,
                   |                            |security
           Priority|---                         |Normal
              Flags|                            |mfc-stable9?, mfc-stable10?
[Bug 206551] Heap overflow in iconv kernel module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206551

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
[Bug 206579] arm(4): Multiple vulnerabilities in AMR ioctl handler
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206579

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
[Bug 206573] Improper userland pointer handling in aacraid
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|---                         |Normal
             Status|New                         |Open
           Keywords|                            |security
              Flags|                            |mfc-stable9?, mfc-stable10?
[Bug 206584] Possible integer overflow in update_intel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584

            Bug ID: 206584
           Summary: Possible integer overflow in update_intel
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ect...@gmail.com

Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`:

    /*
     * 16 byte alignment required.  Rely on the fact that
     * malloc(9) always returns the pointer aligned at least on
     * the size of the allocation.
     */
    ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK);
    if (copyin(args->data, ptr, args->size) != 0) {

If `args->size` is user controlled, it could be prepared to overflow when adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer overflow from the `copyin` call.
[Bug 206584] Possible integer overflow in update_intel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |mfc-stable9?, mfc-stable10?
[Bug 206584] Possible integer overflow in update_intel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sect...@freebsd.org
             Status|New                         |Open
           Keywords|                            |needs-qa, security
[Bug 206584] Possible integer overflow in update_intel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584

--- Comment #1 from CTurt ---

Sorry, my bad. It is checked right here:

    if (args->size > UCODE_SIZE_MAX) {

I'll spend more time analysing before reporting in the future.
[Bug 206583] Unable to load ip_mroute kernel module if VIMAGE is enabled in kernel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206583

--- Comment #1 from Ben Woods ---

Some information provided by Marko Zec on the freebsd-...@freebsd.org mailing list:
https://lists.freebsd.org/pipermail/freebsd-net/2016-January/07.html

In this particular case the problem is that ip_mroute demands more space for "virtualized global" variables than what kernel linker has put aside for each vnet. Bumping VNET_MODMIN to 24 should circumvent the issue that Ben is observing.

A more vnet-friendly fix would require refactoring ip_mroute's arrays so that they get malloc()ed / free()d from SYSINIT handlers instead of being declared "virtualized global".

Marko

===

--- vnet.c (revision 294659)
+++ vnet.c (working copy)
@@ -170,7 +170,7 @@
  * we want the virtualized global variable space to be page-sized, we may
  * have more space than that in practice.
  */
-#defineVNET_MODMIN 8192
+#defineVNET_MODMIN 3 * 8192
 #defineVNET_SIZE roundup2(VNET_BYTES, PAGE_SIZE)
 #defineVNET_MODSIZE(VNET_SIZE - (VNET_BYTES - VNET_MODMIN))
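Review bot: the new value in `+#defineVNET_MODMIN 3 * 8192` is an unparenthesised expression; the use two lines below, `VNET_SIZE - (VNET_BYTES - VNET_MODMIN)`, happens to evaluate correctly because `*` binds tighter than the surrounding `-`, but any later use of VNET_MODMIN next to a cast, a unary operator or a division would mis-evaluate. Suggest `#define VNET_MODMIN (3 * 8192)` or the literal 24576, and a one-line comment recording why three pages were chosen, since the covering message itself presents this as a workaround for ip_mroute's oversized virtualized globals rather than the proper fix.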
[Bug 204097] witness_initialize() does not perform bound checking of witness_count
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204097

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs-patch, needs-qa,
                   |                            |security
              Flags|                            |mfc-stable9?, mfc-stable10?
                 CC|                            |sect...@freebsd.org
[Bug 206583] Unable to load ip_mroute kernel module if VIMAGE is enabled in kernel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206583

--- Comment #2 from Ben Woods ---

It is worth noting that building a kernel with VIMAGE and MROUTING both enabled seems to work fine.

This problem only appears when multicast routing is not built into the kernel with the MROUTING option, but VIMAGE support is - in this case attempting to load the ip_mroute kernel module fails.
[Bug 206583] Unable to load ip_mroute kernel module if VIMAGE is enabled in kernel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206583

Marko Zec changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |z...@freebsd.org
                 CC|                            |z...@freebsd.org

--- Comment #3 from Marko Zec ---

Created attachment 166069
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=166069&action=edit
malloc() array space to unbreak kldloading on VNET kernels
[Bug 206584] Possible integer overflow in update_intel
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206584

Konstantin Belousov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |k...@freebsd.org
             Status|Open                        |Closed
         Resolution|---                         |Works As Intended
[Bug 206585] hpt_set_info possible buffer overflow
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585

            Bug ID: 206585
           Summary: hpt_set_info possible buffer overflow
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ect...@gmail.com

In `hpt_status` -> `hpt_set_info`, `nOutBufferSize` and `nInBufferSize` are checked at the same time, but not individually:

    if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
        KdPrintE(("User buffer too large\n"));
        return -EINVAL;
    }

Before performing a kernel allocation:

    ke_area = malloc(piop->nInBufferSize+piop->nOutBufferSize, M_DEVBUF, M_NOWAIT);

However, the sizes are later used individually for some copies:

    if (piop->nInBufferSize)
        copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
    ...
    if (piop->nOutBufferSize)
        copyout(ke_area + piop->nInBufferSize, (void*)(ULONG_PTR)piop->lpOutBuffer, piop->nOutBufferSize);

It might be possible for `nInBufferSize`, or `outBufferSize`, or both, to be large enough for `piop->nInBufferSize+piop->nOutBufferSize` to overflow and be less than `PAGE_SIZE`. In this situation the copy calls would result in a heap overflow.
[Bug 206585] hpt_set_info possible buffer overflow
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |needs-qa, security
             Status|New                         |Open
                 CC|                            |sect...@freebsd.org
              Flags|                            |mfc-stable9?, mfc-stable10?
[Bug 206551] Heap overflow in iconv kernel module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206551

CTurt changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |Not A Bug
             Status|Open                        |Closed
Problem reports for freebsd-bugs@FreeBSD.org that need special attention
To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
In Progress |    183618 | [panic] Dell PowerEdge R620 -- PERC H710 Mini (mf
In Progress |    196973 | sh(1) broken UTF-8 input
New         |    197876 | [devfs] an error in devfs leads to data loss and
New         |    198797 | [PATCH] Added an option to install BSDstats to bs
New         |    202290 | /usr/bin/vi conversion error on valid character
New         |    202362 | ntp: restore refclocks selection (10.2-RELEASE re
New         |    202740 | vi/ex string substitution problem when there is m
New         |    204115 | freebsd-update: Add support for better user messa
New         |    204545 | Adding quirk entry for some (Acer C720P Chromeboo
New         |    205598 | [patch] sbin/md5.c param -c, convert to lowercase
New         |    205690 | [psm] [patch]: support for Elantech trackpads
Open        |    183817 | [patch] [mac] [panic] kernel compiled with option
Open        |    204121 | numa(4) is broken: "vm_page_alloc: missing page"
In Progress |    191348 | [mps] LSI2308 with WD3000FYYZ drives disappears a
New         |    202316 | Add IANA vxlan port to /etc/services

15 problems total for which you should take action.
[Bug 206551] Heap overflow in iconv kernel module
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206551

Jilles Tjoelker changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jil...@freebsd.org

--- Comment #4 from Jilles Tjoelker ---

The explanation why there is no triggerable problem is that the ICONV_CSMAXDATALEN expression is of type size_t, an unsigned type. Then, comparing an int and a size_t, the int is converted to size_t, converting negative values to very large positive values.

This is fragile (changing ICONV_CSMAXDATALEN to a plain number like 266240 will make it vulnerable) and causes compiler warnings with -Wsign-compare, but is not an immediate bug.
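The comparison Jilles describes, as an added example (the editor's, not code from the iconv module): the check against a size_t-typed bound, the same check against a plain int bound, a hardened form, and the value the allocator would see in comment #2's truncation case. The function names and macro spellings are assumptions; the limit 266240 (0x41000) and the 32-bit vm_size_t come from the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Two spellings of the same limit (266240 == 0x41000, from the thread). */
#define CSMAXDATALEN_SIZET ((size_t)266240)   /* size_t-typed, as in the tree */
#define CSMAXDATALEN_INT   266240             /* a plain number: int-typed */

/* The check as it stands, against the size_t bound: the usual arithmetic
 * conversions turn the int into size_t first, so -1 becomes SIZE_MAX and
 * is rejected.  This is what makes the report non-triggerable. */
int iconv_check_sizet_bound(int ia_datalen)
{
    if (ia_datalen > CSMAXDATALEN_SIZET)
        return EINVAL;
    return 0;
}

/* The same check against a plain int bound (the "change it to 266240"
 * case): -1 > 266240 is false, so a negative length passes and would
 * reach malloc() as a huge size_t. */
int iconv_check_int_bound(int ia_datalen)
{
    if (ia_datalen > CSMAXDATALEN_INT)
        return EINVAL;
    return 0;
}

/* Hardened form: reject negative values explicitly, then compare in
 * size_t.  Correct with either spelling of the limit and clean under
 * -Wsign-compare. */
int iconv_check_hardened(int ia_datalen)
{
    if (ia_datalen < 0 || (size_t)ia_datalen > CSMAXDATALEN_SIZET)
        return EINVAL;
    return 0;
}

/* What the allocator would see on the int-bound path: the negative int
 * converted to malloc's size_t, and the low 32 bits that a 32-bit
 * vm_size_t (FreeBSD 9 on i386, as in comment #2) would keep of it. */
size_t iconv_malloc_size(int ia_datalen)
{
    return (size_t)ia_datalen;
}

uint32_t vm_size_t32_truncate(size_t sz)
{
    return (uint32_t)sz;
}
```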
[Bug 206579] arm(4): Multiple vulnerabilities in AMR ioctl handler
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206579

--- Comment #2 from CTurt ---

This code could be explained if `addr` can be either a user or kernel pointer depending on `cmd`, but I'd like this to be confirmed.
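How the two ioctl shapes in this report and in the aacraid one (206573) look when `addr` is only ever reached through copyin()/copyout(), as an added example (the editor's, not amr(4) or aacraid(4) code): the version query goes out via copyout() instead of a direct store, and the request struct with its nested buffer pointer is copied in rather than dereferenced. The x_-prefixed names, command numbers, version value, cap and request layout are assumptions; copyin()/copyout() are stand-ins over a constructed "user" window.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed command numbers, version value, cap and request layout. */
#define X_IO_VERSION         1
#define X_IO_COMMAND         2
#define X_IO_VERSION_NUMBER  0x0105
#define X_MAX_AU_LENGTH      (64u * 1024u)

struct x_user_ioctl {
    uint8_t  au_cmd[4];
    uint32_t au_length;     /* user-supplied size of the data buffer */
    void    *au_buffer;     /* user pointer to the data buffer */
};

/* Stand-ins for copyin(9)/copyout(9): the "user" address space is one
 * constructed window; anything outside it faults instead of being touched. */
static uint8_t user_window[8192];
static int kernel_side_int;             /* a non-user address for the tests */

static int user_range_ok(const void *p, size_t len)
{
    const uint8_t *u = p;
    return len <= sizeof(user_window) && u >= user_window &&
           u <= user_window + sizeof(user_window) - len;
}

static int copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (!user_range_ok(uaddr, len))
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

static int copyout(const void *kaddr, void *uaddr, size_t len)
{
    if (!user_range_ok(uaddr, len))
        return EFAULT;
    memcpy(uaddr, kaddr, len);
    return 0;
}

/* Hardened handler: `addr` is a user pointer for every command.  Returns 0
 * or an errno; *payload_len reports how many data bytes were fetched. */
int x_ioctl(unsigned long cmd, void *addr, size_t *payload_len)
{
    *payload_len = 0;
    switch (cmd) {
    case X_IO_VERSION: {
        /* The report's `*arg.result = AMR_IO_VERSION_NUMBER;` stored through
         * a caller-chosen address; copyout() refuses a non-user address. */
        int v = X_IO_VERSION_NUMBER;
        return copyout(&v, addr, sizeof(v));
    }
    case X_IO_COMMAND: {
        /* Copy the whole request in instead of reading arg.au->au_length
         * (or, in aacraid, srbcmd->sg_map.SgEntry) straight through the
         * user pointer: every field is validated from a kernel copy. */
        struct x_user_ioctl au;
        uint8_t *dp;
        int error;

        if ((error = copyin(addr, &au, sizeof(au))) != 0)
            return error;
        if (au.au_length > X_MAX_AU_LENGTH)     /* bound before allocating */
            return EINVAL;
        if ((dp = calloc(1, au.au_length + 1)) == NULL)
            return ENOMEM;
        /* The nested user pointer is copied from, never dereferenced. */
        if (au.au_length != 0 &&
            (error = copyin(au.au_buffer, dp, au.au_length)) != 0) {
            free(dp);
            return error;
        }
        *payload_len = au.au_length;
        free(dp);
        return 0;
    }
    default:
        return ENOTTY;
    }
}

/* Scenario helper: build a request in the window whose data buffer pointer
 * is `buf`, run it, and leave the fetched length in last_fetched. */
size_t last_fetched;

int command_with(uint32_t au_length, void *buf)
{
    struct x_user_ioctl au = { .au_cmd = { 0x01, 0, 0, 0 },
                               .au_length = au_length, .au_buffer = buf };
    memcpy(user_window, &au, sizeof(au));
    return x_ioctl(X_IO_COMMAND, user_window, &last_fetched);
}
```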
[Bug 206585] hpt_set_info possible buffer overflow
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585

--- Comment #1 from CTurt ---

These sizes are defined as `DWORD`, a `typedef` for `unsigned int`, rather than a 64bit type like `size_t`, so getting the sum of both sizes to overflow doesn't seem possible.
[Bug 206585] hpt_set_info possible buffer overflow
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585

CTurt changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |Closed
         Resolution|---                         |Not A Bug