Date:      Wed, 29 Apr 2026 14:50:10 +0000
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Cc:        Mariusz Zaborski <oshogbo@FreeBSD.org>
Subject:   git: 05b91c2a7106 - stable/13 - libnv: fix heap overflow in nvlist_recv()
Message-ID:  <69f21aa2.3ccf6.3de850d8@gitrepo.freebsd.org>


The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=05b91c2a71061dd788d067283aa78275806a9e1e

commit 05b91c2a71061dd788d067283aa78275806a9e1e
Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2026-04-28 14:36:09 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-28 20:31:04 +0000

    libnv: fix heap overflow in nvlist_recv()
    
    nvlist_check_header() validated nvlh_size for overflow before
    performing conversion. A malicious user can set
    NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
    the original value passes the check, but after the conversion the
    sizeof(nvlist_header) + size can overflow.
    This can lead to a heap buffer overflow.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:17.libnv
    Security:       CVE-2026-35547
    Fixes:          36fa90dbde0060aacb5677d0b113ee168e839071
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D56342
---
 sys/contrib/libnv/nvlist.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sys/contrib/libnv/nvlist.c b/sys/contrib/libnv/nvlist.c
index 6934da0df00a..721332247b38 100644
--- a/sys/contrib/libnv/nvlist.c
+++ b/sys/contrib/libnv/nvlist.c
@@ -1029,10 +1029,6 @@ static bool
 nvlist_check_header(struct nvlist_header *nvlhdrp)
 {
 
-	if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
-		ERRNO_SET(EINVAL);
-		return (false);
-	}
 	if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
 		ERRNO_SET(EINVAL);
 		return (false);
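Review bot: removing the nvlh_size bound here is correct only because the same test is reinstated after the byte-order conversion; in this position it compared the raw on-the-wire value, so a header with NV_FLAG_BIG_ENDIAN set could pass `nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)` and still overflow once be64toh() was applied. Please make sure both hunks land together, since applying this one alone leaves nvlist_check_header() with no size check at all.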
@@ -1052,6 +1048,11 @@ nvlist_check_header(struct nvlist_header *nvlhdrp)
 		nvlhdrp->nvlh_descriptors = be64toh(nvlhdrp->nvlh_descriptors);
 	}
 #endif
+	if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
+		ERRNO_SET(EINVAL);
+		return (false);
+	}
+
 	return (true);
 }
 
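Review bot: consider a one-line comment above the new `if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp))` stating that the test must stay after the be64toh() conversion: the ordering is the whole fix (checking the pre-swap value is what the old code got wrong), yet nothing in the code itself stops a future cleanup from hoisting the check back to the top of nvlist_check_header(). Placing it after the `#endif` is right, since it then bounds the converted value on both the native and the NV_FLAG_BIG_ENDIAN path.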

