Date: Tue, 19 Feb 2019 21:22:22 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r344305 - head/sys/geom Message-ID: <201902192122.x1JLMMPM012400@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Tue Feb 19 21:22:22 2019 New Revision: 344305 URL: https://svnweb.freebsd.org/changeset/base/344305 Log: Impose a limit on the number of GEOM_CTL arguments. Otherwise a privileged user can trigger a memory allocation of unbounded size, or an integer overflow in the subsequent geom_alloc_copyin() call, leading to out-of-bounds accesses. Hard-code a large limit to circumvent this problem. admbug: 854 Reported by: Anonymous of the Shellphish Grill Team Reviewed by: ae MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D19251 Modified: head/sys/geom/geom_ctl.c Modified: head/sys/geom/geom_ctl.c ============================================================================== --- head/sys/geom/geom_ctl.c Tue Feb 19 21:20:50 2019 (r344304) +++ head/sys/geom/geom_ctl.c Tue Feb 19 21:22:22 2019 (r344305) @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req) char *p; u_int i; + if (req->narg > 2048) { + gctl_error(req, "too many arguments"); + req->arg = NULL; + return; + } + ap = geom_alloc_copyin(req, req->arg, req->narg * sizeof(*ap)); if (ap == NULL) { gctl_error(req, "bad control request");
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201902192122.x1JLMMPM012400>