From owner-freebsd-bugs@freebsd.org Mon May 16 09:10:58 2016 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C0D39B3DB96 for ; Mon, 16 May 2016 09:10:58 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B1F9B1698 for ; Mon, 16 May 2016 09:10:58 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u4G9Awf6028706 for ; Mon, 16 May 2016 09:10:58 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 209545] Heap overflows in an driver Date: Mon, 16 May 2016 09:10:58 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.0-CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: cturt@hardenedbsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 May 2016 09:10:58 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D209545 Bug ID: 209545 Summary: Heap overflows in an driver Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: cturt@hardenedbsd.org The `an` driver doesn't perform bound checks on the lengths used by the `AIROFLSHGCHR` and `AIROFLSHPCHR` commands implemented through `SIOCGPRIVATE_0`, which leads to heap overflows from the `copyin` calls, accessible by a privileged user only. sys/dev/an/if_an.c: static int an_ioctl(struct ifnet *ifp, u_long command, caddr_t data) { ... switch (command) { ... case SIOCGPRIVATE_0: /* used by Cisco client utility */ if ((error =3D priv_check(td, PRIV_DRIVER))) goto out; error =3D copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl)); if (error) goto out; mode =3D l_ioctl.command; AN_LOCK(sc); if (mode >=3D AIROGCAP && mode <=3D AIROGSTATSD32) { error =3D readrids(ifp, &l_ioctl); } else if (mode >=3D AIROPCAP && mode <=3D AIROPLEAPUSR) { error =3D writerids(ifp, &l_ioctl); } else if (mode >=3D AIROFLSHRST && mode <=3D AIRORESTART) { error =3D flashcard(ifp, &l_ioctl); } else { error =3D-1; } AN_UNLOCK(sc); if (!error) { /* copy out the updated command info */ error =3D copyout(&l_ioctl, ifr->ifr_data, sizeof(l_ioctl)); } break; ... out: return(error !=3D 0); }=20=20=20=20=20=20=20 static int flashcard(struct ifnet *ifp, struct aironet_ioctl *l_ioctl) { int z =3D 0, status; struct an_softc *sc; sc =3D ifp->if_softc; if (sc->mpi350) { if_printf(ifp, "flashing not supported on MPI 350 yet\n"); return(-1); } status =3D l_ioctl->command; switch (l_ioctl->command) { ... case AIROFLSHGCHR: /* Get char from aux */ AN_UNLOCK(sc); status =3D copyin(l_ioctl->data, &sc->areq, l_ioctl->len); AN_LOCK(sc); if (status) return status; z =3D *(int *)&sc->areq; if ((status =3D flashgchar(ifp, z, 8000)) =3D=3D 1) return 0; else return -1; case AIROFLSHPCHR: /* Send char to card. */ AN_UNLOCK(sc); status =3D copyin(l_ioctl->data, &sc->areq, l_ioctl->len); AN_LOCK(sc); if (status) return status; z =3D *(int *)&sc->areq; if ((status =3D flashpchar(ifp, z, 8000)) =3D=3D -1) return -EIO; else return 0; break; ... return -EINVAL; } I propose that the following bound checks are added to this command: case AIROFLSHGCHR: /* Get char from aux */ + if (l_ioctl->len > sizeof(sc->areq)) { + return -EINVAL; + } ... case AIROFLSHPCHR: /* Send char to card. */ + if (l_ioctl->len > sizeof(sc->areq)) { + return -EINVAL; + } --=20 You are receiving this mail because: You are the assignee for the bug.=