Date: Thu, 13 Nov 2025 04:19:06 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 290992] Denial of Service in `quot` via Improper Input Validation in `donames()` (`-n` mode)
Message-ID: <bug-290992-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290992

            Bug ID: 290992
           Summary: Denial of Service in `quot` via Improper Input Validation in `donames()` (`-n` mode)
           Product: Base System
           Version: 14.3-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: igor@bsdtrust.com

Title: Denial of Service in `quot` via Improper Input Validation in `donames()` (`-n` mode)

Affected Software:
- Utility: quot (disk usage reporting tool in BSD systems)
- File: usr.sbin/quot/quot.c
- Function: donames()
- Likely affected: FreeBSD, NetBSD, OpenBSD, and other BSD derivatives shipping quot

Vulnerability Type:
- CWE-20: Improper Input Validation
- CWE-704: Incorrect Type Conversion or Cast

Summary:
The quot utility, when executed with the -n flag to process a list of inodes from standard input, fails to properly handle negative values. The function donames() reads input using `scanf("%ju", &inode)`, which implicitly converts negative values like `-1` into large unsigned values (e.g., 18446744073709551615). If this value exceeds the max inode limit (`maxino`), the code triggers a return statement, aborting all further processing. As a result, valid entries following the malformed input are never processed.

Impact:
- Denial of Service (DoS) by halting inode analysis early
- Suppression of valid user accounting
- Potential to skew disk usage reporting

CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Base Score: 6.1 (Medium)

Steps to Reproduce (PoC):

1. Create UFS image:

   dd if=/dev/zero of=ufs.img bs=1M count=50
   mdconfig -a -t vnode -f ufs.img -u 0
   newfs -U /dev/md0
   mount /dev/md0 /mnt
   touch /mnt/file1 /mnt/file2
   umount /mnt

2. Trigger the bug:

   printf "1\n2\n-1\n3\n4\n" | quot -n /dev/md0

Expected Output:

   /dev/md0:
   root
   quot: illegal inode 18446744073709551615

Result: Entries "3" and "4" are not processed due to premature return.
Root Cause:

   scanf("%ju", &inode); // Negative numbers parsed as large unsigned ints
   if (inode > maxino) {
       warnx("illegal inode %ju", inode);
       return; // Halts processing, breaking expected flow
   }

Credits:
Author: Igor Gabriel Sousa e Souza
Email: igor@bsdtrust.com
LinkedIn: https://www.linkedin.com/in/igo0r

-- 
You are receiving this mail because:
You are the assignee for the bug.
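Added example, not part of the report and not FreeBSD's quot.c: a stricter replacement for the `scanf("%ju")` loop described above, which parses each line with strtoumax(), rejects a leading '-', an overflowing value, trailing junk or an inode above maxino, and skips only that line instead of returning. The function and enum names, and the sample input buffer, are hypothetical.

```c
/* Added example, not part of the report or of FreeBSD's quot.c: a stricter
 * replacement for the scanf("%ju") loop in donames(). Bad lines are rejected
 * individually and processing continues. All names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
enum ino_parse { INO_OK, INO_NEGATIVE, INO_OVERFLOW, INO_JUNK, INO_OUTOFRANGE };
/* Parse one text line as an inode number in [1, maxino]. */
enum ino_parse parse_inode_line(const char *line, uintmax_t maxino, uintmax_t *out)
{
    const char *p = line;
    char *end;
    while (isspace((unsigned char)*p))
        p++;
    if (*p == '-')                      /* strtoumax would silently wrap "-1" */
        return INO_NEGATIVE;
    if (!isdigit((unsigned char)*p))    /* empty line, "+5", "abc" */
        return INO_JUNK;
    errno = 0;
    *out = strtoumax(p, &end, 10);
    if (errno == ERANGE)                /* does not fit in uintmax_t */
        return INO_OVERFLOW;
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')                   /* "12abc" */
        return INO_JUNK;
    if (*out == 0 || *out > maxino)
        return INO_OUTOFRANGE;
    return INO_OK;
}
/* Split a newline-separated buffer (stand-in for the stdin of quot -n), skip
 * bad lines with a warning, and return how many inodes passed validation. */
size_t process_inode_list(char *buf, uintmax_t maxino)
{
    size_t accepted = 0;
    uintmax_t ino;
    char *nl;
    for (char *line = buf; line != NULL && *line != '\0'; line = nl) {
        if ((nl = strchr(line, '\n')) != NULL)
            *nl++ = '\0';
        if (parse_inode_line(line, maxino, &ino) == INO_OK)
            accepted++;
        else
            fprintf(stderr, "skipping bad inode line \"%s\"\n", line);
    }
    return accepted;
}
```

With the report's input "1\n2\n-1\n3\n4\n" and maxino 100, process_inode_list() warns about "-1" and still counts the four valid entries.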
