Date:      Wed, 28 Oct 2015 18:15:04 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 204097] witness_initialize() does not perform bound checking of witness_count
Message-ID:  <bug-204097-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204097

            Bug ID: 204097
           Summary: witness_initialize() does not perform bound checking
                    of witness_count
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ertl.chris@gmail.com

The witness_count sysctl node is of type CTLFLAG_RDTUN, which means it's a
read-only variable, but can be set during boot by creating a
"debug.witness.count" entry in /boot/loader.conf.

The witness_initialize() function of sys/kern/subr_witness.c does not perform
bounds checks on witness_count, which could lead to integer overflows and memory
corruption.

The following line from witness_initialize() can cause an overflow if
witness_count is, for example, 2147483647, since a signed comparison is used:

    for (i = 0; i < witness_count + 1; i++) {

This means that the w_rmatrix[i] buffers are never allocated, which would lead
to kernel reads and writes through an uninitialized pointer.

A potential fix would be to add the following bound check at the beginning of
the function:

    if (witness_count < 0 || witness_count >= 2147483647) {
        printf("Invalid witness_count value of %d, setting to 2147483646\n",
            witness_count);
        witness_count = 2147483646;
    }

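As an added illustration (not part of the bug report or of sys/kern/subr_witness.c), the C program below models the loop bound `witness_count + 1` from the report and the proposed clamp. It assumes a 32-bit two's complement `int`, which is what every FreeBSD target uses; because signed overflow is undefined in C, the wrap is reproduced explicitly with unsigned arithmetic rather than by triggering it. The function names are this example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the loop bound as witness_initialize() evaluates it:
 * 'witness_count + 1' in int. The two's complement wrap that happens on
 * real hardware is computed with well-defined unsigned arithmetic.
 * Assumption: 32-bit int.
 */
static int
wrapped_loop_bound(int witness_count)
{
	uint32_t u = (uint32_t)witness_count + 1u;

	if (u > (uint32_t)INT_MAX)
		return ((int)(u - (uint32_t)INT_MAX - 1u) + INT_MIN);
	return ((int)u);	/* INT_MAX + 1 wraps to INT_MIN */
}

/*
 * Iterations of 'for (i = 0; i < witness_count + 1; i++)' under that wrap.
 * A non-positive bound means zero iterations: no w_rmatrix[i] row is
 * allocated and the row pointers keep whatever the array held before.
 */
static long
unpatched_iterations(int witness_count)
{
	int bound = wrapped_loop_bound(witness_count);

	return ((bound > 0) ? (long)bound : 0);
}

/* Overflow test that cannot wrap: widen to 64 bits before adding. */
static int
loop_bound_overflows(int witness_count)
{
	return ((int64_t)witness_count + 1 > INT_MAX);
}

/* The clamp proposed in the report, written to return the value to use. */
static int
clamp_witness_count(int witness_count)
{
	if (witness_count < 0 || witness_count >= INT_MAX) {
		printf("Invalid witness_count value of %d, setting to %d\n",
		    witness_count, INT_MAX - 1);
		return (INT_MAX - 1);
	}
	return (witness_count);
}

int
main(void)
{
	/* Constructed sample tunable values, including the overflowing one. */
	int vals[] = { 4, 1024, -1, INT_MAX };
	size_t k;

	for (k = 0; k < sizeof(vals) / sizeof(vals[0]); k++) {
		int wc = vals[k];

		printf("witness_count=%d bound=%d iterations=%ld "
		    "overflows=%d clamped=%d\n", wc, wrapped_loop_bound(wc),
		    unpatched_iterations(wc), loop_bound_overflows(wc),
		    clamp_witness_count(wc));
	}
	return (0);
}
```

Two things the model makes visible: a negative tunable (for example -1) also yields a non-positive bound and zero iterations, so the `< 0` half of the clamp matters as much as the upper limit; and the clamp only prevents the wrap, since a value just below 2147483647 still drives the allocation loop through roughly 2^31 iterations, so in practice a much tighter upper limit than INT_MAX - 1 is what one would want for this tunable.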