From owner-freebsd-bugs@freebsd.org Sat Jan 30 09:33:55 2016
Return-Path:
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A0F4CA73571 for ; Sat, 30 Jan 2016 09:33:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7768434D for ; Sat, 30 Jan 2016 09:33:55 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u0U9XtlA025125 for ; Sat, 30 Jan 2016 09:33:55 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206754] Out of bounds negative array index in iicrdwr
Date: Sat, 30 Jan 2016 09:33:55 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords:
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: cturt@hardenedbsd.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 30 Jan 2016 09:33:55 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206754

            Bug ID: 206754
           Summary: Out of bounds negative array index in iicrdwr
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

`iicrdwr` in `/sys/dev/iicbus/iic.c` incorrectly handles iteration over buffer.

Firstly, no bound checks are supplied on the user controlled `d->nmsgs`. This field is declared as type `uint32_t`, in `struct iic_rdwr_data` (`sys/dev/iicbus/iic.h`):

    struct iic_rdwr_data {
        struct iic_msg *msgs;
        uint32_t nmsgs;
    };

However, the `i` variable in this function is declared as a `signed int`:

    int error, i;

When `i` iterates over buffers, since it is `signed`, it can wrap around to a negative value, for example here:

    for (i = 0; i < d->nmsgs; i++) {
        m = &(buf[i]);
        usrbufs[i] = m->buf;

And here:

    for (i = 0; i < d->nmsgs; i++) {
        m = &(buf[i]);
        if ((error == 0) && (m->flags & IIC_M_RD))
            error = copyout(m->buf, usrbufs[i], m->len);
        free(m->buf, M_IIC);
    }

`i` will be converted to `unsigned` type for the comparison, however, will still be `signed` when indexing `buf`. This would result in a read out of bounds of the `buf` allocation.

This situation seems unlikely to be triggerable, because the code would wait for `buf` allocation to succeed (`M_WAITOK`):

    buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_IIC, M_WAITOK);

Which would be unlikely to succeed if `d->nmsgs` is something like `0x80000001`.

-- 
You are receiving this mail because:
You are the assignee for the bug.
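Added example, not part of the bug report above and not code from the FreeBSD iic driver: the C program below models the two conversions the report describes (the `int` counter compared against a `uint32_t` count, then used as a signed array index) without allocating the multi-gigabyte buffer the real path would need, and places a hardened form of the loop beside it. The `struct iic_msg` layout is a simplified stand-in, `IIC_M_RD` is assumed to be `0x0001`, and `IIC_RDWR_MAX_MSGS` is a hypothetical cap chosen for the example; the kernel's own `malloc`/`copyout` are replaced with plain userland code.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for the kernel's struct iic_msg (layout assumed). */
struct iic_msg {
    uint16_t slave;
    uint16_t flags;
    uint16_t len;
    uint8_t *buf;
};

#define IIC_M_RD 0x0001          /* assumed value of the read flag */
#define IIC_RDWR_MAX_MSGS 42     /* hypothetical cap; not in the driver snapshot reported */

/*
 * Model of `i++` on the vulnerable loop's `int i`. The add is done in
 * uint32_t so the wrap is well defined here; in the real loop it is
 * signed overflow, which on two's complement hardware wraps the same way.
 */
static int counter_after_increment(int i)
{
    return (int)((uint32_t)i + 1u);      /* INT_MAX -> INT_MIN */
}

/*
 * Model of the loop condition `i < d->nmsgs`: usual arithmetic
 * conversions turn the signed i into uint32_t before comparing, so a
 * negative i is seen as a value >= 0x80000000 and the loop keeps going.
 */
static bool loop_continues(int i, uint32_t nmsgs)
{
    return (uint32_t)i < nmsgs;
}

/* Byte offset that `&buf[i]` computes with the still-signed i. */
static int64_t index_offset(int i)
{
    return (int64_t)i * (int64_t)sizeof(struct iic_msg);
}

/*
 * Hardened entry check: reject a zero or oversized count before any
 * allocation, and refuse a size computation that would overflow.
 * Returns 0 on success or an errno value.
 */
static int iic_rdwr_validate(uint32_t nmsgs, size_t *allocsz)
{
    if (nmsgs == 0 || nmsgs > IIC_RDWR_MAX_MSGS)
        return EINVAL;
    if (nmsgs > SIZE_MAX / sizeof(struct iic_msg))   /* size_t overflow guard */
        return EINVAL;
    if (allocsz != NULL)
        *allocsz = sizeof(struct iic_msg) * nmsgs;
    return 0;
}

/* Hardened walk: the index has the same unsigned type as the count. */
static int count_read_msgs(const struct iic_msg *buf, uint32_t nmsgs)
{
    int nread = 0;
    for (uint32_t i = 0; i < nmsgs; i++)
        if (buf[i].flags & IIC_M_RD)
            nread++;
    return nread;
}

/* Constructed sample: three messages, two of them reads. */
static int demo_walk(void)
{
    struct iic_msg msgs[3] = {
        { 0x50, IIC_M_RD, 4, NULL },
        { 0x50, 0,        2, NULL },
        { 0x51, IIC_M_RD, 1, NULL },
    };
    size_t sz;
    if (iic_rdwr_validate(3, &sz) != 0 || sz != sizeof(msgs))
        return -1;
    return count_read_msgs(msgs, 3);
}

int main(void)
{
    int i = counter_after_increment(INT_MAX);
    printf("after INT_MAX, i = %d; loop continues for nmsgs=0x80000001: %s\n",
           i, loop_continues(i, 0x80000001u) ? "yes" : "no");
    printf("&buf[i] is %lld bytes before buf\n", (long long)-index_offset(i));
    printf("validate(0x80000001) -> %d, demo_walk -> %d\n",
           iic_rdwr_validate(0x80000001u, NULL), demo_walk());
    return 0;
}
```

The first three helpers only reproduce what the C conversion rules do to the reporter's loop: once `nmsgs` exceeds `INT_MAX` the counter reaches `INT_MIN`, the unsigned comparison still passes for `0x80000001`, and the signed index then points 32 GiB below the allocation. The fix is not to make the comparison signed but to reject the count up front and to index with the count's own type.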