From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 271843] ppp can crash due to wrapping subtract in FsmRecvEchoReq()
Date: Mon, 05 Jun 2023 14:46:04 +0000
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: rtm@lcs.mit.edu
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
Sender: owner-freebsd-bugs@freebsd.org
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271843

            Bug ID: 271843
           Summary: ppp can crash due to wrapping subtract in FsmRecvEchoReq()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #242617 text/plain mime type:

Created attachment 242617
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=242617&action=edit
tickle wrapping subtract in ppp's FsmRecvEchoReq()

The following HDLC frame sent to ppp causes it to dereference a null bp
pointer:

  7e
  c0 21        -- PROTO_LCP
  09 ff 00 03  -- code=9 EchoReply, id=255, length=3
  22 96        -- crc
  7e

The null bp arises in fsm_Input() in src/usr.sbin/ppp/fsm.c:

  bp = mbuf_Read(bp, &lh, sizeof lh);

mbuf_Read() returns null if it consumes all of the data, which is the case
for the above frame, since sizeof(lh) is four and only the four bytes
09 ff 00 03 are available.

For the above frame, the null dereference happens in FsmRecvEchoReq(). That
function has a length check that could have caught this problem:

  if (lcp && ntohs(lhp->length) - sizeof *lhp >= 4) {

But ntohs() returns unsigned 3, and the sizeof yields unsigned 4, so the
subtract wraps to unsigned 0xffffffffffffffff, so the code inside the if
statement is executed and tries to dereference bp.
Here's a backtrace from the attached demo:

#0  0x000000000003e43c in FsmRecvEchoReq (fp=0x407f71e8, lhp=0x3fffffdd00,
    bp=0x0) at fsm.c:962
#1  0x000000000003c974 in fsm_Input (fp=0x407f71e8, bp=0x0) at fsm.c:1096
#2  0x000000000004c4be in lcp_Input (bundle=0x97338, l=0x407f7000,
    bp=0x407fd300) at lcp.c:1307
#3  0x000000000005002c in Despatch (bundle=0x97338, l=0x407f7000,
    bp=0x407fd300, proto=49185) at link.c:381
#4  0x000000000004fefe in link_PullPacket (l=0x407f7000,
    buf=0x407fa140 "~\377\377~\377\365\275\276\275\177\371\365]\177\346\370\334\354\370\325\346\205\351\326\345\370\370\374\374E|\365\234\314\314\326\346\365\305\346\377\377~\300!\t\377",
    len=64, b=0x97338) at link.c:323
#5  0x0000000000062b30 in physical_DescriptorRead (d=0x407f7f78,
    bundle=0x97338, fdset=0x410069c0) at physical.c:569
#6  0x000000000003221e in datalink_Read (d=0x407f2000, bundle=0x97338,
    fdset=0x410069c0) at datalink.c:474
#7  0x000000000001a6e2 in bundle_DescriptorRead (d=0x97338, bundle=0x97338,
    fdset=0x410069c0) at bundle.c:546
#8  0x00000000000548a0 in DoLoop (bundle=0x97338) at main.c:661
#9  0x0000000000053d92 in main (argc=3, argv=0x3fffffeb70) at main.c:535

-- 
You are receiving this mail because:
You are the assignee for the bug.
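Added example, not code from the ppp sources or from the report's attachment: it reproduces the wrapping subtract in the quoted length check against the report's own header bytes (09 ff 00 03) and shows a check that cannot wrap. The struct name lcp_hdr and the function names are assumptions; the header layout (code, id, 16-bit length) is the one the report describes.

```c
/* Added example (not ppp source): the wrapping length check from the bug
 * report beside a form that does not wrap.  struct lcp_hdr mirrors the
 * 4-byte LCP header (code, id, length); its name is an assumption. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct lcp_hdr {
    uint8_t  code;
    uint8_t  id;
    uint16_t length;    /* network byte order; counts the 4 header bytes too */
};

/* Constructed header bytes from the report's frame: code 9, id 255, length 3. */
static const uint8_t short_echo[4] = { 0x09, 0xff, 0x00, 0x03 };
/* Constructed well-formed header: length 8 = header plus a 4-byte magic. */
static const uint8_t ok_echo[4] = { 0x09, 0x01, 0x00, 0x08 };

/* The check as quoted in the report.  ntohs() yields an int 3 and sizeof a
 * size_t 4, so the subtract is done in size_t and 3 - 4 wraps to SIZE_MAX,
 * which is >= 4: the body is then read although the packet has none.
 * Returns 1 if the body would be dereferenced, 0 if not, -1 if buf is short. */
int vulnerable_check(const uint8_t *buf, size_t n)
{
    struct lcp_hdr lh;
    if (n < sizeof lh)
        return -1;
    memcpy(&lh, buf, sizeof lh);
    return ntohs(lh.length) - sizeof lh >= 4;
}

/* Hardened form: keep the header size on the right of the comparison so
 * nothing is subtracted, which also rejects any length below the header. */
int safe_check(const uint8_t *buf, size_t n)
{
    struct lcp_hdr lh;
    if (n < sizeof lh)
        return -1;
    memcpy(&lh, buf, sizeof lh);
    return (size_t)ntohs(lh.length) >= sizeof lh + 4;
}

int main(void)
{
    printf("length 3: vulnerable=%d safe=%d\n", vulnerable_check(short_echo, 4), safe_check(short_echo, 4));
    printf("length 8: vulnerable=%d safe=%d\n", vulnerable_check(ok_echo, 4), safe_check(ok_echo, 4));
    return 0;
}
```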