Date: Thu, 12 May 2022 09:23:39 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 263934] buffer overflow in ffs_sbget() if superblock fields are broken Message-ID: <bug-263934-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263934 Bug ID: 263934 Summary: buffer overflow in ffs_sbget() if superblock fields are broken Product: Base System Version: Unspecified Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Created attachment 233866 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D233866&action= =3Dedit a disk image that causes a buffer overflow during tasting, due to unexpected FFS superblock content ffs_sbget() allocates fs->fs_cssize bytes to hold fs_csp: size =3D fs->fs_cssize; ... if ((space =3D UFS_MALLOC(size, filltype, M_WAITOK)) =3D=3D NULL) { but it can copy a whole fragment into that space: for (i =3D 0; i < blks; i +=3D fs->fs_frag) { ...; size =3D (blks - i) * fs->fs_fsize; ...; error =3D (*readfunc)(devfd, dbtob(fsbtodb(fs, fs->fs_csaddr + i)), (void **)&buf, size); ...; memcpy(space, buf, size); If fs_cssize is smaller than fs_fsize, the memcpy() can write attacker-supplied bytes beyond the end of space. I've attached a disk image containing garbage that looks enough like FFS for taste to proceed, with fs_cssize =3D 16 and fs_fsize =3D 5120. # uname -a FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #224 main-n250919-29f81bc20825-dirty: Thu May 12 04:42:56 EDT 2022=20=20=20=20 rtm@zika:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv # mdconfig -f taste6b.img Memory modified after free 0xffffffd000852b40(24) val=3Dffffffff @ 0xffffffd000852b40=20=20=20 panic: Fatal page fault at 0xffffffc00051b2b0: 0xffffffff00000070 cpuid =3D 0 time =3D 1651916658 KDB: stack backtrace: db_trace_self() at db_trace_self db_trace_self_wrapper() at db_trace_self_wrapper+0x38 kdb_backtrace() at kdb_backtrace+0x2c vpanic() at vpanic+0x16e panic() at panic+0x2a page_fault_handler() at page_fault_handler+0x1aa do_trap_supervisor() at do_trap_supervisor+0x76 cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70 --- exception 13, tval =3D 0xffffffff00000070 mtrash_ctor() at mtrash_ctor+0x86 item_ctor() at item_ctor+0xa0 cache_alloc_item() at cache_alloc_item+0x5a uma_zalloc_arg() at uma_zalloc_arg+0x58 uma_zalloc() at uma_zalloc+0x10 malloc() at malloc+0x80 ffs_sbget() at ffs_sbget+0x1e8 g_label_ufs_taste_common() at g_label_ufs_taste_common+0x6c g_label_ufs_volume_taste() at g_label_ufs_volume_taste+0xe g_label_taste() at g_label_taste+0x198 g_new_provider_event() at g_new_provider_event+0xb8 one_event() at one_event+0x106 g_run_events() at g_run_events+0x8a g_event_procbody() at g_event_procbody+0x56 fork_exit() at fork_exit+0x80 fork_trampoline() at fork_trampoline+0xa KDB: enter: panic [ thread pid 13 tid 100017 ] Stopped at breakpoint+0xa: c.ldsp s0,0(sp) db> --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-263934-227>