Date: Sun, 07 Jan 2018 17:25:02 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Konstantin Belousov" <kostikbel@gmail.com>
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r327675 - head/sys/netpfil/pf
Message-ID: <B81A0A09-B4E1-4EAC-8E17-5F41BCE11D9C@FreeBSD.org>
In-Reply-To: <20180107144423.GD1684@kib.kiev.ua>
References: <201801071335.w07DZFWh069854@repo.freebsd.org> <20180107144423.GD1684@kib.kiev.ua>
On 7 Jan 2018, at 15:44, Konstantin Belousov wrote:
> On Sun, Jan 07, 2018 at 01:35:15PM +0000, Kristof Provost wrote:
>> Author: kp
>> Date: Sun Jan  7 13:35:15 2018
>> New Revision: 327675
>> URL: https://svnweb.freebsd.org/changeset/base/327675
>>
>> Log:
>>   pf: Avoid integer overflow issues by using mallocarray() iso. malloc()
>>
>>   pfioctl() handles several ioctls that take variable length input, these
>>   include:
>>    - DIOCRADDTABLES
>>    - DIOCRDELTABLES
>>    - DIOCRGETTABLES
>>    - DIOCRGETTSTATS
>>    - DIOCRCLRTSTATS
>>    - DIOCRSETTFLAGS
>>
>>   All of them take a pfioc_table struct as input from userland. One of
>>   its elements (pfrio_size) is used in a buffer length calculation.
>>   The calculation contains an integer overflow which if triggered can lead
>>   to out of bound reads and writes later on.
> So the size of the allocation is controlled directly from the userspace?
> This is an easy DoS, and by itself is perhaps bigger issue than the
> overflow.

Yes, although only as root.

I'm not sure what the best way of handling that would be. It's not easy to determine limits for these sizes. Any arbitrary value might break someone's use case.

OpenBSD tend to copy in individual entries one at a time. This avoids having to allocate memory for all of them in one go, but I don't like mixing user pointers and kernel pointers. It's far too easy to lose track of what's been copied in and what's still in user space.

Regards,
Kristof
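The overflow class the quoted commit log describes, as an added example that is not code from the commit, this thread or the FreeBSD tree: a user-supplied element count is multiplied by a record size without a check, the product wraps, a small buffer is allocated, and a later loop that still trusts the original count walks off its end. The second function applies the same kind of check mallocarray() performs (reject a product that does not fit, plus a negative count). Everything here is modelled: `struct rec`, `len32_t` (a stand-in for a 32-bit `size_t`, so the wrap is visible on a 64-bit host too), the count value, and the function names are invented and are not pf's types or sizes.

```c
/*
 * Added example, not from r327675 or the FreeBSD tree. Models an ioctl buffer
 * length calculation "count * sizeof(record)" before and after an overflow
 * check. Names, the record type and the count value are all assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t len32_t;          /* stands in for size_t on a 32-bit kernel */
#define LEN32_MAX UINT32_MAX

/* Invented record; 36 bytes. Only stands in for a per-entry ioctl struct. */
struct rec {
    char     name[32];
    uint32_t flags;
};

/* Before: the user-controlled count is multiplied in the narrow type with no
 * check, so a large count silently wraps. Returns the byte count that would
 * be handed to the allocator. */
len32_t unchecked_len(int count)
{
    return (len32_t)count * (len32_t)sizeof(struct rec);
}

/* After, in the style of mallocarray(): a negative count or a product that
 * does not fit in len32_t is rejected instead of wrapping.
 * Returns 0 and stores the length on success, -1 on overflow. */
int checked_len(int count, len32_t *out)
{
    if (count < 0)
        return -1;
    len32_t n  = (len32_t)count;
    len32_t sz = (len32_t)sizeof(struct rec);
    if (n != 0 && sz > LEN32_MAX / n)      /* would n * sz exceed LEN32_MAX? */
        return -1;
    *out = n * sz;
    return 0;
}

/* Models the loop that follows the allocation: it iterates `count` records,
 * but the buffer only holds unchecked_len(count) / sizeof(struct rec) of
 * them. Returns how many records would be accessed past the end (0 = safe). */
long out_of_bounds_records(int count)
{
    len32_t bytes = unchecked_len(count);
    long fits = (long)(bytes / sizeof(struct rec));
    return (long)count > fits ? (long)count - fits : 0;
}

int main(void)
{
    /* Constructed count: 119304648 * 36 == 2^32 + 32, so the 32-bit product
     * wraps to 32 bytes, less than one record. */
    int count = 119304648;
    len32_t n;

    printf("unchecked: count=%d -> %u bytes, %ld records out of bounds\n",
           count, (unsigned)unchecked_len(count), out_of_bounds_records(count));
    printf("checked:   count=%d -> %s\n", count,
           checked_len(count, &n) == 0 ? "accepted" : "rejected (overflow)");
    printf("checked:   count=%d -> %s\n", 1000,
           checked_len(1000, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check in `checked_len` is the point: it turns the wrap into an error return that the ioctl handler can map to an errno, which is what switching the allocation to mallocarray() buys. It does not address the separate concern raised in the thread, that a root user can still request an arbitrarily large but non-wrapping allocation; a size cap is a policy decision the check cannot make for you.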