From owner-freebsd-amd64@freebsd.org Fri May 20 13:44:56 2016 Return-Path: Delivered-To: freebsd-amd64@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 097F2B43AFC for ; Fri, 20 May 2016 13:44:56 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D49A31515 for ; Fri, 20 May 2016 13:44:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u4KDitog001801 for ; Fri, 20 May 2016 13:44:55 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-amd64@FreeBSD.org Subject: [Bug 209661] amd64_set_ioperm overflow Date: Fri, 20 May 2016 13:44:55 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: cturt@hardenedbsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter cc Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-Mailman-Approved-At: Fri, 20 May 2016 14:53:27 +0000 X-BeenThere: freebsd-amd64@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Porting FreeBSD to the AMD64 platform List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 May 2016 13:44:56 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D209661 Bug ID: 209661 Summary: amd64_set_ioperm overflow Product: Base System Version: 11.0-CURRENT Hardware: amd64 OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: cturt@hardenedbsd.org CC: freebsd-amd64@FreeBSD.org CC: freebsd-amd64@FreeBSD.org The privileged `sysarch` handler, `amd64_set_ioperm`, performs an incorrect bound check on user arguments supplied to it. The `uap->start + uap->length > ...` check can be bypassed if the two user controlled values overflow when added together. For example, `uap->start =3D 0xffffffff` and `uap->len =3D 1` will overflow= to 0 when added together, which will bypass the check. Later on, there is a signed array index with a loop starting from `uap->sta= rt`. If `uap->start` is negative, this would index `iomap` negatively. sys/amd64/amd64/sys_machdep: int amd64_set_ioperm(td, uap) struct thread *td; struct i386_ioperm_args *uap; { int i, error; char *iomap; struct amd64tss *tssp; struct system_segment_descriptor *tss_sd; struct pcb *pcb; if ((error =3D priv_check(td, PRIV_IO)) !=3D 0) return (error); if ((error =3D securelevel_gt(td->td_ucred, 0)) !=3D 0) return (error); if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY) return (EINVAL); ... for (i =3D uap->start; i < uap->start + uap->length; i++) { if (uap->enable) iomap[i >> 3] &=3D ~(1 << (i & 7)); else iomap[i >> 3] |=3D (1 << (i & 7)); } return (error); } --=20 You are receiving this mail because: You are on the CC list for the bug.=