Date: Sun, 24 Jan 2016 17:11:20 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206584] Possible integer overflow in update_intel Message-ID: <bug-206584-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206584 Bug ID: 206584 Summary: Possible integer overflow in update_intel Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: ecturt@gmail.com Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`: /* * 16 byte alignment required. Rely on the fact that * malloc(9) always returns the pointer aligned at least on * the size of the allocation. */ ptr =3D malloc(args->size + 16, M_CPUCTL, M_WAITOK); if (copyin(args->data, ptr, args->size) !=3D 0) { If `args->size` is user controlled, it could be prepared to overflow when adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buf= fer overflow from the `copyin` call. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206584-8>