Date: Fri, 11 Mar 2016 19:20:05 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 207911] kiconv reference count integer overflow
Message-ID: <bug-207911-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207911

            Bug ID: 207911
           Summary: kiconv reference count integer overflow
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

The `kiconv` module doesn't perform checks on the reference count of its
converter class before incrementing and decrementing it,
sys/libkern/iconv.c:

	static int
	iconv_register_converter(struct iconv_converter_class *dcp)
	{
		kobj_class_compile((struct kobj_class*)dcp);
		dcp->refs++;
		TAILQ_INSERT_TAIL(&iconv_converters, dcp, cc_link);
		return 0;
	}

	static int
	iconv_unregister_converter(struct iconv_converter_class *dcp)
	{
		dcp->refs--;
		if (dcp->refs > 1) {
			ICDEBUG("converter has %d references left\n", dcp->refs);
			return EBUSY;
		}
		TAILQ_REMOVE(&iconv_converters, dcp, cc_link);
		kobj_class_free((struct kobj_class*)dcp);
		return 0;
	}

Since the `refs` field is declared as `u_int`, if `iconv_register_converter`
is called enough times it will overflow from `UINT_MAX` to `0` and then be
incremented to `1`. Then, when `iconv_unregister_converter` is called, the
check against `dcp->refs` will be bypassed and its converter class will be
freed even though it still has references, leading to use-after-free
behaviour.

This is mostly theoretical, since it is unlikely to be possible to register
this many converter classes without encountering other issues, such as
running out of memory. In addition, `iconv_register_converter` is only
called on the `MOD_LOAD` event, which is root only, so it is unlikely to
present a security risk.

-- 
You are receiving this mail because:
You are the assignee for the bug.
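To make the wrap concrete, here is a small user-space model of the register and unregister paths, added here as an example; it is not taken from the report or from sys/libkern/iconv.c. The `cc_model` struct, the function names and the hardened `register_checked()` variant are assumptions, and the starting count of `UINT_MAX` is constructed state standing in for that many prior registrations.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>

/* Constructed stand-in for struct iconv_converter_class: only the
 * reference count matters here. "refs" is u_int in the kernel. */
struct cc_model {
	unsigned int refs;
	bool freed;
};

/* Same unchecked increment as iconv_register_converter() on the page. */
static int register_unchecked(struct cc_model *dcp)
{
	dcp->refs++;
	return 0;
}

/* Hardened variant (assumed, not kernel code): refuse a reference that would wrap. */
static int register_checked(struct cc_model *dcp)
{
	if (dcp->refs == UINT_MAX)
		return EOVERFLOW;
	dcp->refs++;
	return 0;
}

/* Same release logic as iconv_unregister_converter(): the class is
 * freed once the count is no longer greater than 1. */
static int unregister_model(struct cc_model *dcp)
{
	dcp->refs--;
	if (dcp->refs > 1)
		return EBUSY;
	dcp->freed = true;
	return 0;
}

/* Replays the report's scenario without UINT_MAX real calls: start at
 * UINT_MAX (constructed state standing in for that many registrations),
 * register twice, unregister once. Returns true if freed with refs alive. */
static bool demo_wrap(int (*reg)(struct cc_model *))
{
	struct cc_model cc = { .refs = UINT_MAX, .freed = false };
	if (reg(&cc) != 0)	/* the checked variant stops here */
		return false;
	reg(&cc);		/* unchecked: wrapped to 0, now 1 */
	unregister_model(&cc);	/* refs drops to 0, EBUSY check bypassed */
	return cc.freed;
}
```

`demo_wrap(register_unchecked)` reports the class freed with references outstanding, while `demo_wrap(register_checked)` refuses the wrapping registration and never reaches the free.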
