Date: Wed, 29 Apr 2026 14:47:52 +0000 From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Cc: Mariusz Zaborski <oshogbo@FreeBSD.org> Subject: git: 414e25d7d512 - stable/15 - libnv: fix heap overflow in nvlist_recv() Message-ID: <69f21a18.3b9ea.35ce74a0@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/15 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=414e25d7d5128e5d0275f18a6633a11d36fafc8c commit 414e25d7d5128e5d0275f18a6633a11d36fafc8c Author: Mariusz Zaborski <oshogbo@FreeBSD.org> AuthorDate: 2026-04-28 14:36:09 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2026-04-29 14:40:57 +0000 libnv: fix heap overflow in nvlist_recv() nvlist_check_header() validated nvlh_size for overflow before performing conversion. An mallicous user can set NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that the orginall value passes the check, but after the conversion the sizeof(nvlist_header) + size can overflow. This can lead to a heap buffer overflow. Approved by: so Security: FreeBSD-SA-26:17.libnv Security: CVE-2026-35547 Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56342 --- lib/libnv/tests/nvlist_send_recv_test.c | 57 +++++++++++++++++++++++++++++++++ sys/contrib/libnv/nvlist.c | 9 +++--- 2 files changed, 62 insertions(+), 4 deletions(-) diff --git a/lib/libnv/tests/nvlist_send_recv_test.c b/lib/libnv/tests/nvlist_send_recv_test.c index d655a26a7362..306c91560400 100644 --- a/lib/libnv/tests/nvlist_send_recv_test.c +++ b/lib/libnv/tests/nvlist_send_recv_test.c @@ -1,5 +1,8 @@ /*- + * SPDX-License-Identifier: BSD-2-Clause + * * Copyright (c) 2013 The FreeBSD Foundation + * Copyright (c) 2024-2026 Mariusz Zaborski <oshogbo@FreeBSD.org> * * This software was developed by Pawel Jakub Dawidek under sponsorship from * the FreeBSD Foundation. @@ -661,6 +664,58 @@ ATF_TC_BODY(nvlist_send_recv__overflow_header_size, tc) } } +ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_big_endian_size); +ATF_TC_BODY(nvlist_send_recv__overflow_big_endian_size, tc) +{ + static const unsigned char payload[] = { + 0x6c, /* magic */ + 0x00, /* version */ + 0x80, /* flags: NV_FLAG_BIG_ENDIAN */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf5, + }; + nvlist_t *nvl; + int sv[2]; + + ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0); + ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)), + (ssize_t)sizeof(payload)); + ATF_REQUIRE_EQ(close(sv[1]), 0); + + errno = 0; + nvl = nvlist_recv(sv[0], 0); + ATF_REQUIRE(nvl == NULL); + ATF_REQUIRE_EQ(errno, EINVAL); + + ATF_REQUIRE_EQ(close(sv[0]), 0); +} + +ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_little_endian_size); +ATF_TC_BODY(nvlist_send_recv__overflow_little_endian_size, tc) +{ + static const unsigned char payload[] = { + 0x6c, /* magic */ + 0x00, /* version */ + 0x00, /* flags */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + }; + nvlist_t *nvl; + int sv[2]; + + ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0); + ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)), + (ssize_t)sizeof(payload)); + ATF_REQUIRE_EQ(close(sv[1]), 0); + + errno = 0; + nvl = nvlist_recv(sv[0], 0); + ATF_REQUIRE(nvl == NULL); + ATF_REQUIRE_EQ(errno, EINVAL); + + ATF_REQUIRE_EQ(close(sv[0]), 0); +} + ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size); ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc) { @@ -796,6 +851,8 @@ ATF_TP_ADD_TCS(tp) ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream); ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size); + ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_big_endian_size); + ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_little_endian_size); ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size); ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size); diff --git a/sys/contrib/libnv/nvlist.c b/sys/contrib/libnv/nvlist.c index 73226ee51a78..11d9c9b49c94 100644 --- a/sys/contrib/libnv/nvlist.c +++ b/sys/contrib/libnv/nvlist.c @@ -1027,10 +1027,6 @@ static bool nvlist_check_header(struct nvlist_header *nvlhdrp) { - if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) { - ERRNO_SET(EINVAL); - return (false); - } if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) { ERRNO_SET(EINVAL); return (false); @@ -1050,6 +1046,11 @@ nvlist_check_header(struct nvlist_header *nvlhdrp) nvlhdrp->nvlh_descriptors = be64toh(nvlhdrp->nvlh_descriptors); } #endif + if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) { + ERRNO_SET(EINVAL); + return (false); + } + return (true); }home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f21a18.3b9ea.35ce74a0>