From nobody Mon Aug 14 12:09:41 2023 X-Original-To: bugs@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RPY9f3hK2z4qPlb for ; Mon, 14 Aug 2023 12:09:42 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RPY9d62mXz4dFL for ; Mon, 14 Aug 2023 12:09:41 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1692014981; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=IMyw1PHEdiyRq8P7zVW2nVU9wJOpqXAZa7waRJbmIAI=; b=sjN0Pvf5ZuhtMvrVESSQlzkAZjKj5Pi51EYnbs/KBlmWIFFLDPU8IF3Q3ClnMWJ5Q6SDOB 75eXZNt63MsmxSEeQf6ILAMB/cn5Sqo71blOD5l8GyjV9X+hJtVSwNERLwg81TYAdbYnGH 1KFTERTEcx/wWAR38kvakCLwUtI3bmlry3LUSfrslg1RjuWgz1AeDVeuvOapkysJ3ZLpzP jby0NJKoMRN/PhQ56zb5JzeKaHe4lU5x+8s/Yx//rHnRfv6V6lBTmUt9rdV8H1XywIwZ4a WVODKLsuFdRE8WYkmMr+Qb50wtL2j9gPUge/4x98VsWWztQIihNiPP98xWPmpQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1692014981; a=rsa-sha256; cv=none; b=o0Xfm5dt22xdezzojTZ80n6D41CKQNyGP6KADNkc2lpny5cRwurrTrDiTnikFwvIuNTkwa davgLu9xp/dfGPQXcngnfCxAsnHfg/Puh+ZdL34rujbVY2esccxMYcb4fxkSXiTH2XEhpY UM9C1aWPzeEynYm24wuQwI+kUAV/SWFoAnbeTbknSMRmP+eoqoDtmD6xmSf6m9Pcehi9g8 mzV3HWg9nXEoj9fQUq2uQLhy6DzQJGxKyiRgqs6/uR/7ilv6dGXPwqBT3rlFA6mCPrT7PN E9YgnaTAmPcZHLuwaBKNa/aot5fXT1uq6rxj/amcsapAqFrJwNYOTBxWE6ad/w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4RPY9d50chzCnl for ; Mon, 14 Aug 2023 12:09:41 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 37EC9ffs059866 for ; Mon, 14 Aug 2023 12:09:41 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 37EC9f8F059865 for bugs@FreeBSD.org; Mon, 14 Aug 2023 12:09:41 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 273133] corrupt cd9660 disk can overflow cd9660_lookup()'s altname[] buffer Date: Mon, 14 Aug 2023 12:09:41 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: rtm@lcs.mit.edu X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Bug reports List-Archive: https://lists.freebsd.org/archives/freebsd-bugs List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-bugs@freebsd.org MIME-Version: 1.0 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D273133 Bug ID: 273133 Summary: corrupt cd9660 disk can overflow cd9660_lookup()'s altname[] buffer Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Created attachment 244094 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D244094&action= =3Dedit cd9660 image that causes a buffer overflow in cd9660_lookup() I've attached a cd image that causes a kernel stack buffer overflow: # gunzip cd5a.iso.gz # mdconfig cd5a.iso # mount_cd9660 /dev/md0 /mnt # ls -l /mnt/x panic: stack overflow detected; backtrace may be corrupted panic() at panic+0x26 __stack_chk_fail() at __stack_chk_fail+0x14 cd9660_lookup() at cd9660_lookup+0x684 VOP_CACHEDLOOKUP_APV() at VOP_CACHEDLOOKUP_APV+0x32 VOP_CACHEDLOOKUP() at VOP_CACHEDLOOKUP+0x2a vfs_cache_lookup() at vfs_cache_lookup+0x8c VOP_LOOKUP_APV() at VOP_LOOKUP_APV+0x32 VOP_LOOKUP() at VOP_LOOKUP+0x2a vfs_lookup() at vfs_lookup+0x318 namei() at namei+0x198 kern_statat() at kern_statat+0xb6 sys_fstatat() at sys_fstatat+0x1c syscallenter() at syscallenter+0xe0 ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xf2 cpu_exception_handler_user() at cpu_exception_handler_user+0x72 --- syscall (552, FreeBSD ELF64, fstatat) What seems to be happening is that cd9660_lookup() passes altname[NAME_MAX=3D255] to cd9660_rrip_getname(), which calls cd9660_rrip_loop(), which ends up calling both cd9660_rrip_altname() and cd9660_rrip_defname(). The call to altname memcpy's wlen=3D250 bytes into ana->outbuf (=3D=3D altname), increases ana->outbuf by 250, but then returns 0: memcpy(ana->outbuf, inbuf, wlen); ana->outbuf +=3D wlen; if (!cont) { ...; } return 0; The return 0 causes cd9660_rrip_loop() to call cd9660_rrip_defname(), which calls isofntrans(), which copies 53 bytes into ana->outbuf, even though there are only 5 byte of space left. --=20 You are receiving this mail because: You are the assignee for the bug.=