From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206579] Multiple vulnerabilities in AMR ioctl handler
Date: Sun, 24 Jan 2016 15:51:03 +0000
List-Id: Bug reports (freebsd-bugs@freebsd.org)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206579

            Bug ID: 206579
           Summary: Multiple vulnerabilities in AMR ioctl handler
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ecturt@gmail.com

The `amr_ioctl` handler contains userland dereferences, and no bounds checks on user-supplied sizes. The only time `addr` is correctly accessed via `copyin` is in the Linux emulation commands, like `0xc06e6d00`:

    error = copyin(addr, &ali, sizeof(ali));

The rest of the commands use a union called `arg`, which is set up to make incorrectly dealing with `addr` easier:

    union {
        void *_p;
        struct amr_user_ioctl *au;
    #ifdef AMR_IO_COMMAND32
        struct amr_user_ioctl32 *au32;
    #endif
        int *result;
    } arg;
    ...
    arg._p = (void *)addr;

The most serious issue is the `AMR_IO_VERSION` command, writing its output directly without using `copyout`:

    case AMR_IO_VERSION:
        debug(1, "AMR_IO_VERSION");
        *arg.result = AMR_IO_VERSION_NUMBER;
        return(0);

The address of this write is completely user controlled, and can be used to write arbitrary kernel memory.

Another issue stems from supplying the `AMR_IO_COMMAND` command. A user-supplied size will be fetched (without `copyin`):

    au_length = arg.au->au_length;

which is then used by `malloc` and `copyin` without any boundary checks:

    /* handle inbound data buffer */
    real_length = amr_ioctl_buffer_length(au_length);
    dp = malloc(real_length, M_AMR, M_WAITOK|M_ZERO);
    if (au_length != 0 && au_cmd[0] != 0x06) {
        if ((error = copyin(au_buffer, dp, au_length)) != 0) {
            free(dp, M_AMR);
            return (error);
        }
        debug(2, "copyin %ld bytes from %p -> %p", au_length, au_buffer, dp);
    }

On FreeBSD 9, we could abuse the 32-bit size truncation in `uma_large_malloc` to get a heap overflow from this. On later versions, allocating large sizes can probably only be used to DoS the system.

-- 
You are receiving this mail because:
You are the assignee for the bug.
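The following is an added illustration, not part of the bug report and not FreeBSD driver code: a user-space model of the two defects the report describes (the raw `*arg.result` store in `AMR_IO_VERSION`, and the `au_length` read through the user pointer and passed to `malloc`/`copyin` unchecked) beside hardened variants that route every user access through a copy routine and bound the length. `sim_copyin`/`sim_copyout` stand in for copyin(9)/copyout(9) and fail with EFAULT unless the whole range lies inside a simulated user region, which is the property the real routines get from the page-fault handler. The struct layout, the value of `AMR_IO_VERSION_NUMBER`, the 4096-byte cap and all `sim_`/`_sim` names are assumptions of this example.

```c
/* Added example, not FreeBSD code: model of the amr_ioctl defects and fixes.
 * Everything named sim_* or *_sim, the struct layout, the version number and
 * the AMR_MAX_IOCTL_LEN cap are assumptions made for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AMR_IO_VERSION_NUMBER 1     /* illustrative value */
#define AMR_MAX_IOCTL_LEN     4096  /* assumed cap; the driver has none */

struct amr_user_ioctl_sim {
    uint8_t       au_cmd[32];
    void         *au_buffer;
    unsigned long au_length;
};

/* Simulated "user" region (a union keeps the struct view aligned) and one
 * "kernel" word that a user-controlled write must never reach. */
static union { unsigned char bytes[256]; struct amr_user_ioctl_sim au; } sim_user;
static int sim_kernel_word = 0;

/* True only if [p, p+len) lies entirely inside the simulated user region. */
static int in_user(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)sim_user.bytes;
    if (len > sizeof sim_user.bytes) return 0;
    return a >= lo && a - lo <= sizeof sim_user.bytes - len;
}

/* Stand-ins for copyin(9)/copyout(9): EFAULT on any non-user address. */
static int sim_copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (!in_user(uaddr, len)) return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}
static int sim_copyout(const void *kaddr, void *uaddr, size_t len)
{
    if (!in_user(uaddr, len)) return EFAULT;
    memcpy(uaddr, kaddr, len);
    return 0;
}

/* AMR_IO_VERSION as reported: arg._p = addr; *arg.result = ...; */
static int version_vuln(void *addr)
{
    int *result = addr;
    *result = AMR_IO_VERSION_NUMBER;   /* stores wherever addr points, kernel included */
    return 0;
}

/* Hardened: the result goes through copyout, so a kernel address faults. */
static int version_fixed(void *addr)
{
    int v = AMR_IO_VERSION_NUMBER;
    return sim_copyout(&v, addr, sizeof v);
}

/* AMR_IO_COMMAND as reported: au_length read through the raw user pointer and
 * handed on as the size malloc/copyin would receive, with no bound. */
static int command_vuln(void *addr, unsigned long *alloc_len)
{
    struct amr_user_ioctl_sim *au = addr;
    *alloc_len = au->au_length;
    return 0;
}

/* Hardened: copy the whole request in first, then bound the length before it
 * can reach malloc or copyin. */
static int command_fixed(void *addr, unsigned long *alloc_len)
{
    struct amr_user_ioctl_sim au;
    int error = sim_copyin(addr, &au, sizeof au);
    if (error != 0) return error;
    if (au.au_length > AMR_MAX_IOCTL_LEN) return EINVAL;
    *alloc_len = au.au_length;
    return 0;
}

/* Constructed input: a request in the user region asking for `len` bytes. */
static void *user_request(unsigned long len)
{
    memset(&sim_user, 0, sizeof sim_user);
    sim_user.au.au_buffer = sim_user.bytes + sizeof sim_user.au;
    sim_user.au.au_length = len;
    return &sim_user.au;
}

int main(void)
{
    unsigned long n = 0;
    version_vuln(&sim_kernel_word);
    printf("vuln AMR_IO_VERSION wrote kernel word: %d\n", sim_kernel_word);
    printf("fixed AMR_IO_VERSION on kernel addr: %d (EFAULT=%d)\n",
           version_fixed(&sim_kernel_word), EFAULT);
    command_vuln(user_request(0x7fffffffUL), &n);
    printf("vuln AMR_IO_COMMAND would malloc %lu bytes\n", n);
    printf("fixed AMR_IO_COMMAND: %d (EINVAL=%d)\n",
           command_fixed(user_request(0x7fffffffUL), &n), EINVAL);
    return 0;
}
```

The point the model makes is that the two fixes are independent: `copyout` alone stops the arbitrary write, but the `AMR_IO_COMMAND` path also needs an explicit upper bound on `au_length`, because a valid user pointer to a huge length is still a valid `copyin` target and the allocation happens before the copy.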