Date: Sat, 30 Jan 2016 09:33:55 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206754] Out of bounds negative array index in iicrdwr
Message-ID: <bug-206754-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206754

            Bug ID: 206754
           Summary: Out of bounds negative array index in iicrdwr
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

`iicrdwr` in `/sys/dev/iicbus/iic.c` incorrectly handles iteration over the buffer.

Firstly, no bounds checks are applied to the user-controlled `d->nmsgs`. This field is declared as type `uint32_t` in `struct iic_rdwr_data` (`sys/dev/iicbus/iic.h`):

    struct iic_rdwr_data {
        struct iic_msg *msgs;
        uint32_t nmsgs;
    };

However, the `i` variable in this function is declared as a `signed int`:

    int error, i;

When `i` iterates over the buffers, since it is `signed`, it can wrap around to a negative value, for example here:

    for (i = 0; i < d->nmsgs; i++) {
        m = &(buf[i]);
        usrbufs[i] = m->buf;

And here:

    for (i = 0; i < d->nmsgs; i++) {
        m = &(buf[i]);
        if ((error == 0) && (m->flags & IIC_M_RD))
            error = copyout(m->buf, usrbufs[i], m->len);
        free(m->buf, M_IIC);
    }

`i` will be converted to an `unsigned` type for the comparison, but will still be `signed` when indexing `buf`. This would result in a read out of bounds of the `buf` allocation.

This situation seems unlikely to be triggerable, because the code would wait for the `buf` allocation to succeed (`M_WAITOK`):

    buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_IIC, M_WAITOK);

which would be unlikely to succeed if `d->nmsgs` is something like `0x80000001`.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206754-8>
