Date: Sun, 24 Jan 2016 13:44:32 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206573] Improper userland pointer handling in aacraid
Message-ID: <bug-206573-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206573

            Bug ID: 206573
           Summary: Improper userland pointer handling in aacraid
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ecturt@gmail.com

The `aac_ioctl_send_raw_srb` function can be reached by supplying the
`FSACTL_LNX_SEND_RAW_SRB` command to `aac_ioctl`. This code path
dereferences a user supplied pointer directly:

    static int
    aac_ioctl_send_raw_srb(struct aac_softc *sc, caddr_t arg)
    {
        struct aac_srb *user_srb = (struct aac_srb *)arg;
        ...
        /* srbcmd now holds user-controlled contents */
        if ((error = copyin((void *)user_srb, srbcmd, fibsize) != 0))
            goto out;
        ...
        /* sgp is taken from the copied-in, user-controlled SRB */
        struct aac_sg_entry *sgp = srbcmd->sg_map.SgEntry;
        ...
        /* sgp is dereferenced without validation */
        srb_sg_bytecount = sgp->SgByteCount;
        ...
    }

`srbcmd` has user controlled contents (after `copyin` from `user_srb`).
`sgp` is set to a user controlled address (`srbcmd->sg_map.SgEntry`).
`sgp` is then dereferenced numerous times (`sgp->SgByteCount`).

One impact of this improper handling is that `sgp` could be `NULL`, which
would result in a `NULL` dereference, and panic.

-- 
You are receiving this mail because:
You are the assignee for the bug.
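The defect pattern the report describes, and the standard fix for it, modelled in userland C. This is an added example, not code from the bug report or from the FreeBSD aacraid driver: the structure names (`struct srb`, `struct sg_entry`), the handlers `send_raw_srb_unsafe` / `send_raw_srb_safe`, the simulated user address range and the stand-in `copyin()` are all simplified assumptions made for the demonstration. The point it shows is that a pointer found inside a `copyin`'d structure is still a user pointer: the hardened handler passes it through `copyin()` again, so a `NULL` or kernel-space address comes back as `EFAULT` instead of being dereferenced.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified models of the driver structures (not the real
 * FreeBSD definitions): the SRB carries a pointer to its SG entries. */
struct sg_entry {
    uint32_t SgAddress;
    uint32_t SgByteCount;
};

struct srb {
    uint32_t flags;
    struct sg_entry *SgEntry;   /* user-controlled pointer in this model */
};

/* Simulated "user address space" (constructed for the example): only memory
 * inside this object counts as user memory, so copyin() can fail with EFAULT
 * the way the real one does for NULL or kernel addresses. */
static struct {
    struct srb s;
    struct sg_entry sg;
} user_space;

/* A kernel-side object, used to model an SRB whose SgEntry points at kernel memory. */
static struct sg_entry kernel_sg = { 0xdead, 1 };

static int in_user_range(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)&user_space, hi = lo + sizeof user_space;
    uintptr_t a = (uintptr_t)p;
    return p != NULL && a >= lo && a <= hi && len <= hi - a;
}

/* Stand-in for copyin(9): validated copy from user memory into kernel memory. */
static int copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (!in_user_range(uaddr, len))
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Vulnerable pattern from the report: the pointer that arrived inside the
 * copied-in SRB is trusted and dereferenced directly. With a NULL or kernel
 * pointer this is a fault in the kernel, so it must only be called with a
 * valid SRB here. */
static int send_raw_srb_unsafe(const struct srb *user_srb, uint32_t *bytecount)
{
    struct srb cmd;
    int error = copyin(user_srb, &cmd, sizeof cmd);
    if (error != 0)
        return error;
    const struct sg_entry *sgp = cmd.SgEntry;   /* unvalidated user pointer */
    *bytecount = sgp->SgByteCount;               /* direct dereference */
    return 0;
}

/* Hardened form: every user-controlled pointer goes through copyin(), which
 * rejects NULL and out-of-range addresses with EFAULT instead of faulting. */
static int send_raw_srb_safe(const struct srb *user_srb, uint32_t *bytecount)
{
    struct srb cmd;
    struct sg_entry sg;
    int error = copyin(user_srb, &cmd, sizeof cmd);
    if (error != 0)
        return error;
    error = copyin(cmd.SgEntry, &sg, sizeof sg);   /* second hop validated too */
    if (error != 0)
        return error;                              /* NULL/kernel pointer: EFAULT */
    *bytecount = sg.SgByteCount;
    return 0;
}

enum { SG_VALID, SG_NULL, SG_KERNEL };

/* Builds a constructed SRB in the simulated user space; `kind` selects where
 * its SgEntry pointer goes (SG_NULL models the panic case from the report). */
static struct srb *make_user_srb(int kind, uint32_t bytes)
{
    user_space.sg.SgAddress = 0x1000;
    user_space.sg.SgByteCount = bytes;
    user_space.s.flags = 0;
    user_space.s.SgEntry = kind == SG_VALID ? &user_space.sg
                         : kind == SG_NULL  ? NULL
                         :                    &kernel_sg;
    return &user_space.s;
}

/* Error code the hardened handler returns for a given SgEntry kind. */
static int safe_result(int kind)
{
    uint32_t n = 0;
    return send_raw_srb_safe(make_user_srb(kind, 4096), &n);
}

/* Byte count read by the hardened handler (0 if it rejected the SRB). */
static uint32_t safe_bytes(int kind, uint32_t bytes)
{
    uint32_t n = 0;
    return send_raw_srb_safe(make_user_srb(kind, bytes), &n) == 0 ? n : 0;
}

/* Byte count read by the vulnerable handler; only safe to call for SG_VALID. */
static uint32_t unsafe_bytes_valid(uint32_t bytes)
{
    uint32_t n = 0;
    return send_raw_srb_unsafe(make_user_srb(SG_VALID, bytes), &n) == 0 ? n : 0;
}

int main(void)
{
    printf("safe, valid SG   -> error %d, bytes %u\n", safe_result(SG_VALID), safe_bytes(SG_VALID, 4096));
    printf("safe, NULL SG    -> error %d (EFAULT=%d)\n", safe_result(SG_NULL), EFAULT);
    printf("safe, kernel SG  -> error %d (EFAULT=%d)\n", safe_result(SG_KERNEL), EFAULT);
    printf("unsafe, valid SG -> bytes %u\n", unsafe_bytes_valid(77));
    return 0;
}
```

The model deliberately does not call `send_raw_srb_unsafe` with a `NULL` or kernel-side `SgEntry`, because in userland that is a segfault and in the kernel it is the panic the report describes; the only observable difference between the two handlers is that the hardened one returns `EFAULT` for exactly those inputs.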
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206573-8>
