Date: Sun, 23 Feb 2025 14:52:45 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 284991] buffer overflow in md_sii.c sii_meta_write()
Message-ID: <bug-284991-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284991

            Bug ID: 284991
           Summary: buffer overflow in md_sii.c sii_meta_write()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #257768 text/plain
         mime type:

Created attachment 257768
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=257768&action=edit
iscsi target that claims sector size is 3 bytes

During taste, it's possible for sii_meta_write() to execute:

        buf = malloc(pp->sectorsize, M_MD_SII, M_WAITOK | M_ZERO);
        memcpy(buf, meta, sizeof(*meta));

If a misbehaving device claims a sectorsize smaller than 512, the memcpy
will overflow the allocated buffer, since sizeof(*meta) is 512.

I've attached a demo in the form of a fake iscsi target that claims a
sector size of 3 at the decisive moment.

On a kernel without INVARIANTS:

# uname -a
FreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #490 main-n250999-c0872cef91fc-dirty: Sun Feb 23 08:34:01 EST 2025     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc iscsi38d.c
# ./a.out
...
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xffffffd00cb81703 (3 bytes allocated).
Allocation backtrace:
#0 0xffffffc00078d614 at redzone_setup+0xa0
#1 0xffffffc0004136ae at malloc+0xba
#2 0xffffffc0003bf9e8 at sii_meta_write+0x5a
#3 0xffffffc0003be76e at g_raid_md_write_sii+0x2a4
#4 0xffffffc0003bf5a6 at g_raid_md_sii_start+0x3a8
#5 0xffffffc0003bd738 at g_raid_md_taste_sii+0x812
#6 0xffffffc00039e15e at $x+0x192
#7 0xffffffc000391488 at g_new_provider_event+0xa2
#8 0xffffffc00038c658 at g_run_events+0x120
#9 0xffffffc00038ebc0 at g_event_procbody+0x58
#10 0xffffffc0003f88dc at fork_exit+0x68
#11 0xffffffc0007efd7a at fork_trampoline+0xa
Free backtrace:
#0 0xffffffc00078d9de at redzone_check+0x344
#1 0xffffffc0004146fc at free_dbg+0x5c
#2 0xffffffc0004134c6 at free+0x1c
#3 0xffffffc0003bfac0 at sii_meta_write+0x132
#4 0xffffffc0003be76e at g_raid_md_write_sii+0x2a4
#5 0xffffffc0003bf5a6 at g_raid_md_sii_start+0x3a8
#6 0xffffffc0003bd738 at g_raid_md_taste_sii+0x812
#7 0xffffffc00039e15e at $x+0x192
#8 0xffffffc000391488 at g_new_provider_event+0xa2
#9 0xffffffc00038c658 at g_run_events+0x120
#10 0xffffffc00038ebc0 at g_event_procbody+0x58
#11 0xffffffc0003f88dc at fork_exit+0x68
#12 0xffffffc0007efd7a at fork_trampoline+0xa
panic: Stopping here.

On a kernel with INVARIANTS, it panics in g_io_request():

        KASSERT(bp->bio_offset % cp->provider->sectorsize == 0,
            ("wrong offset %jd for sectorsize %u",
            bp->bio_offset, cp->provider->sectorsize));

-- 
You are receiving this mail because:
You are the assignee for the bug.
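The defect in the report is a fixed-size copy (sizeof(*meta), 512 bytes) into an allocation sized by an untrusted value (pp->sectorsize). The following is an added, stand-alone C example, not FreeBSD's md_sii.c or its eventual fix: it models the provider and metadata block with stand-in structs, rejects at taste time any sector size that cannot hold the block or is not a power of two (the latter is what makes the g_io_request() offset KASSERT satisfiable), and bounds the copy so that a bypassed check still cannot overrun the buffer. The struct layout, the validation policy, and placing the metadata in the provider's last sector are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-in for struct sii_raid_conf. The report states sizeof(*meta) is 512,
 * so the stand-in is 512 opaque bytes; the real field layout is not modelled.
 */
struct sii_raid_conf {
    uint8_t raw[512];
};

/* Stand-in for the GEOM provider fields the write path consults. */
struct provider {
    uint32_t sectorsize;
    uint64_t mediasize;
};

/*
 * Taste-time validation (assumed policy, not the committed FreeBSD fix).
 * Returns 1 if the provider can safely carry one metadata block, 0 otherwise:
 *  - a sector must hold the whole block (the report's 3-byte case fails here);
 *  - the sector size must be a power of two, so that a sector-aligned
 *    bio_offset can satisfy the KASSERT that offset % sectorsize == 0;
 *  - the medium must hold at least one sector.
 */
int sii_sectorsize_ok(const struct provider *pp)
{
    uint32_t ss = pp->sectorsize;

    if (ss < sizeof(struct sii_raid_conf))
        return 0;
    if ((ss & (ss - 1)) != 0)
        return 0;
    if (pp->mediasize < ss)
        return 0;
    return 1;
}

/*
 * Hardened counterpart of the write path. On success returns 0 and hands back
 * a heap buffer of exactly one sector (caller frees), its length, and the byte
 * offset at which it would be issued; on a rejected provider returns -1
 * without allocating. The copy length is the smaller of the two sizes, so the
 * allocation cannot be overrun even if validation were bypassed.
 */
int sii_meta_write_checked(const struct provider *pp,
                           const struct sii_raid_conf *meta,
                           uint8_t **bufp, size_t *lenp, uint64_t *offp)
{
    if (!sii_sectorsize_ok(pp))
        return -1;

    size_t len = pp->sectorsize;
    uint8_t *buf = calloc(1, len);          /* zero-filled, like M_ZERO */
    if (buf == NULL)
        return -1;

    size_t n = sizeof(*meta) < len ? sizeof(*meta) : len;
    memcpy(buf, meta, n);                   /* bounded copy */

    uint64_t off = pp->mediasize - len;     /* last sector: an assumption */
    if (off % len != 0) {                   /* would trip the KASSERT */
        free(buf);
        return -1;
    }

    *bufp = buf;
    *lenp = len;
    *offp = off;
    return 0;
}

int main(void)
{
    struct sii_raid_conf meta;
    memset(meta.raw, 0xA5, sizeof(meta.raw));   /* constructed payload */

    struct provider bad  = { .sectorsize = 3,    .mediasize = 1 << 20 };
    struct provider good = { .sectorsize = 4096, .mediasize = 1 << 20 };
    uint8_t *buf;
    size_t len;
    uint64_t off;

    printf("sectorsize 3:    %s\n",
        sii_meta_write_checked(&bad, &meta, &buf, &len, &off) == 0
            ? "accepted" : "rejected");
    if (sii_meta_write_checked(&good, &meta, &buf, &len, &off) == 0) {
        printf("sectorsize 4096: %zu-byte buffer at offset %llu\n",
            len, (unsigned long long)off);
        free(buf);
    }
    return 0;
}
```

The two checks are deliberately layered: the taste-time rejection is what stops a misbehaving target from being configured as a RAID member at all, while the bounded memcpy is the defence that survives if some other caller reaches the write path without going through taste.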