Date: Thu, 24 Aug 2023 12:46:05 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 273328] [Security] Array index error in sys/dev/iir/iir.c Message-ID: <bug-273328-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D273328 Bug ID: 273328 Summary: [Security] Array index error in sys/dev/iir/iir.c Product: Base System Version: 13.2-STABLE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: thresh416@outlook.com Branch stable/13, releng/13.0, releng/13.1, releng/13.2 What is the security issue or vulnerability? Array index error may occur in int gdt_read_event (int handle,gdt_evt_str *estr) in sys/dev/iir/iir.c. If handle is set as a negative integer but not -1, it will be passed to ein= dex , which is used in e =3D &ebuffer[eindex]; at line 1862, which results in an array index error. However, handle isn't constrained by any caller of this function. The vulnerability bears similarity to CVE-2009-3080, which means it may cau= se a denial of service or possibly gain privileges via a negative event index in= an IOCTL request. Security issue or vulnerability information CVE-2009-3080's description:https://nvd.nist.gov/vuln/detail/CVE-2009-3080 CVE-2009-3080's patch commit:https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59= 199cf142765b0 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-273328-227>