https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585
Oleksandr Tymoshenko changed:
What | Removed | Added
CC | | go...@freebsd.org
R
--- Comment #10 from commit-h...@freebsd.org ---
A commit references this bug:
Author: sbruno
Date: Mon Apr 18 23:26:11 UTC 2016
New revision: 298231
URL: https://svnweb.freebsd.org/changeset/base/298231
Log:
hptmv(4) Fix potential buffe
--- Comment #9 from CTurt ---
Yes. This file has some indentation inconsistencies: most parts use tabs, but
there are occasional lines which use spaces for indentation; my editor
accidentally replaced the spaces with tabs for one of these l
--- Comment #8 from Sean Bruno ---
(In reply to CTurt from comment #7)
Is the last bit of the diff just whitespace?
--
You are receiving this mail because:
You are the assignee for the bug.
___
Mark Linimon changed:
What | Removed | Added
Keywords | | patch
--- Comment #7 from CTurt ---
Created attachment 169074
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=169074&action=edit
Fix heap overflow and check result of copyin
--- Comment #6 from Shawn Webb ---
Any movement on this?
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd
--- Comment #5 from CTurt ---
I'd also like to add that the result of `copyin` isn't checked here, which can
lead to use of an uninitialised heap buffer (it is not allocated with `M_ZERO`).
--- Comment #4 from CTurt ---
Supplying the `HPT_IOCTL_GET_EVENT` command will ensure that
`Kernel_DeviceIoControl` function instantly returns, resulting in
`hpt_set_info` returning straight after doing the `malloc`, `copyin`, and
`free`:
--- Comment #3 from CTurt ---
PoC code from the above explanation, which results in panic:
https://gist.github.com/CTurt/696a34664bc8d4f4e905
CTurt changed:
What | Removed | Added
Resolution | Not A Bug | ---
Status | Closed |
CTurt changed:
What | Removed | Added
Status | Open | Closed
Resolution | --- |
--- Comment #1 from CTurt ---
These sizes are defined as `DWORD`, a `typedef` for `unsigned int`, rather than
a 64-bit type like `size_t`, so getting the sum of both sizes to overflow
doesn't seem possible.
Kubilay Kocak changed:
What | Removed | Added
Keywords | | needs-qa, security
Sta
Bug ID: 206585
Summary: hpt_set_info possible buffer overflow
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: