Date:      Fri, 11 Mar 2016 19:20:05 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 207911] kiconv reference count integer overflow
Message-ID:  <bug-207911-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207911

            Bug ID: 207911
           Summary: kiconv reference count integer overflow
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

The `kiconv` module doesn't perform checks on the reference count of its
converter class before incrementing and decrementing it, sys/libkern/iconv.c:

static int
iconv_register_converter(struct iconv_converter_class *dcp)
{
        kobj_class_compile((struct kobj_class*)dcp);
        dcp->refs++;
        TAILQ_INSERT_TAIL(&iconv_converters, dcp, cc_link);
        return 0;
}

static int
iconv_unregister_converter(struct iconv_converter_class *dcp)
{
        dcp->refs--;
        if (dcp->refs > 1) {
                ICDEBUG("converter has %d references left\n", dcp->refs);
                return EBUSY;
        }
        TAILQ_REMOVE(&iconv_converters, dcp, cc_link);
        kobj_class_free((struct kobj_class*)dcp);
        return 0;
}

Since the `refs` field is declared as `u_int`, if `iconv_register_converter` is
called enough times it will overflow from `UINT_MAX` to `0` and then be
incremented to `1`. Then when `iconv_unregister_converter` is called, the check
against `dcp->refs` will be bypassed and its converter class will then be freed
even though it still has references, leading to use-after-free behaviour.

This is mostly theoretical since it is unlikely to be possible to register this
many converter classes without encountering other issues, such as running out
of memory. In addition, `iconv_register_converter` is only called on the
`MOD_LOAD` event, which is root only, so it is unlikely to present a security
risk.

-- 
You are receiving this mail because:
You are the assignee for the bug.
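The wraparound the report describes, modelled in user space as an added example (this is not the reporter's code nor FreeBSD's). The struct is a stand-in for `struct iconv_converter_class` that keeps only the `u_int` counter and a flag recording where `kobj_class_free()` would be called; starting the counter at `UINT_MAX` is a constructed shortcut for the billions of registrations the report mentions. The hardened `demo_register_checked()` shows the kind of saturation check that prevents the wrap; returning `EOVERFLOW` there is a hypothetical choice for the example, not a FreeBSD convention.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Stand-in for struct iconv_converter_class (assumption: only the fields
 * needed to model the counter are kept; the kobj and TAILQ bookkeeping of
 * the real module is left out). "freed" records the point at which the
 * real code would call kobj_class_free().
 */
struct demo_converter_class {
	unsigned int refs;	/* u_int, exactly as in the kernel struct */
	bool freed;
};

/* Outcome of one scenario, so callers can inspect every relevant value. */
struct demo_result {
	int error;		/* return value of the last call made */
	unsigned int refs;	/* counter after the scenario */
	bool freed;		/* whether the class got freed */
};

/* Same increment as iconv_register_converter(): no overflow check. */
static int
demo_register_unchecked(struct demo_converter_class *dcp)
{
	dcp->refs++;			/* UINT_MAX + 1 wraps to 0 */
	return (0);
}

/*
 * Hardened variant: treat UINT_MAX as a saturated counter and refuse the
 * new reference instead of wrapping (EOVERFLOW is a hypothetical choice).
 */
static int
demo_register_checked(struct demo_converter_class *dcp)
{
	if (dcp->refs == UINT_MAX)
		return (EOVERFLOW);
	dcp->refs++;
	return (0);
}

/*
 * Release path with the same structure as iconv_unregister_converter():
 * decrement, report EBUSY while other references remain, otherwise free.
 */
static int
demo_unregister(struct demo_converter_class *dcp)
{
	dcp->refs--;
	if (dcp->refs > 1)
		return (EBUSY);
	dcp->freed = true;		/* stands in for kobj_class_free() */
	return (0);
}

/*
 * Scenario from the report. The counter starts at UINT_MAX (constructed
 * starting state). Two more unchecked registrations take refs through 0
 * to 1; one unregistration then drops it to 0, the EBUSY check is bypassed
 * and the class is freed while the earlier holders still reference it.
 */
static struct demo_result
demo_unchecked_wrap(void)
{
	struct demo_converter_class cc = { .refs = UINT_MAX, .freed = false };
	struct demo_result r;

	demo_register_unchecked(&cc);	/* -> 0 */
	demo_register_unchecked(&cc);	/* -> 1 */
	r.error = demo_unregister(&cc);	/* -> 0, freed although still in use */
	r.refs = cc.refs;
	r.freed = cc.freed;
	return (r);
}

/* Same starting state with the checked increment: the wrap cannot happen. */
static struct demo_result
demo_checked_refuses(void)
{
	struct demo_converter_class cc = { .refs = UINT_MAX, .freed = false };
	struct demo_result r;

	r.error = demo_register_checked(&cc);	/* EOVERFLOW, refs untouched */
	r.refs = cc.refs;
	r.freed = cc.freed;
	return (r);
}

int
main(void)
{
	struct demo_result u = demo_unchecked_wrap();
	struct demo_result c = demo_checked_refuses();

	printf("unchecked: error=%d refs=%u freed=%s\n",
	    u.error, u.refs, u.freed ? "yes" : "no");
	printf("checked:   error=%d refs=%u freed=%s\n",
	    c.error, c.refs, c.freed ? "yes" : "no");
	return (0);
}
```

The same saturation idea applies to the release side: a decrement should refuse to run when the counter is already zero, so that a stray extra unregistration cannot wrap the counter upwards in the same way.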