Date: Sun, 24 Jan 2016 17:57:25 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206585] hpt_set_info possible buffer overflow
Message-ID: <bug-206585-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206585

Bug ID: 206585
Summary: hpt_set_info possible buffer overflow
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: ecturt@gmail.com

In `hpt_status` -> `hpt_set_info`, `nOutBufferSize` and `nInBufferSize` are checked at the same time, but not individually:

    if (piop->nInBufferSize+piop->nOutBufferSize > PAGE_SIZE) {
        KdPrintE(("User buffer too large\n"));
        return -EINVAL;
    }

Before performing a kernel allocation:

    ke_area = malloc(piop->nInBufferSize+piop->nOutBufferSize, M_DEVBUF, M_NOWAIT);

However, the sizes are later used individually for some copies:

    if (piop->nInBufferSize)
        copyin((void*)(ULONG_PTR)piop->lpInBuffer, ke_area, piop->nInBufferSize);
    ...
    if (piop->nOutBufferSize)
        copyout(ke_area + piop->nInBufferSize, (void*)(ULONG_PTR)piop->lpOutBuffer, piop->nOutBufferSize);

It might be possible for `nInBufferSize`, or `nOutBufferSize`, or both, to be large enough for `piop->nInBufferSize+piop->nOutBufferSize` to overflow and be less than `PAGE_SIZE`. In this situation the copy calls would result in a heap overflow.

-- 
You are receiving this mail because:
You are the assignee for the bug.
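The following is an added example written for this archive page; it is not code from the FreeBSD driver or from the bug reporter. It models the size check described above in isolation so the arithmetic can be seen: the "vulnerable" form tests only the sum, which wraps when the operands are 32-bit, while the hardened form bounds each size on its own before testing the sum, so the addition can no longer wrap. The 32-bit field width, the `EXAMPLE_PAGE_SIZE` value of 4096 and all function names are assumptions made for the illustration; the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: the driver's size fields are 32-bit unsigned
 * and PAGE_SIZE is 4096. Neither value is taken from the bug report. */
#define EXAMPLE_PAGE_SIZE 4096u

/* Mirrors the check quoted in the report: only the sum is tested. With
 * 32-bit operands the addition wraps modulo 2^32, so two large sizes can
 * pass as a small total. */
bool vuln_sizes_ok(uint32_t in_sz, uint32_t out_sz)
{
    uint32_t total = in_sz + out_sz;          /* may wrap */
    return total <= EXAMPLE_PAGE_SIZE;
}

/* The (possibly wrapped) length the allocation in the report would use. */
uint32_t vuln_alloc_size(uint32_t in_sz, uint32_t out_sz)
{
    return in_sz + out_sz;
}

/* Bytes the two copies would move in total, computed without wrapping,
 * since each copy uses its own size field. */
uint64_t bytes_copied(uint32_t in_sz, uint32_t out_sz)
{
    return (uint64_t)in_sz + (uint64_t)out_sz;
}

/* Hardened check: bound each size individually first. Once both operands
 * are at most EXAMPLE_PAGE_SIZE their sum fits comfortably in 32 bits, so
 * the combined test cannot wrap. */
bool safe_sizes_ok(uint32_t in_sz, uint32_t out_sz)
{
    if (in_sz > EXAMPLE_PAGE_SIZE || out_sz > EXAMPLE_PAGE_SIZE)
        return false;
    return in_sz + out_sz <= EXAMPLE_PAGE_SIZE;
}

/* True when the vulnerable check accepts sizes whose real copy length
 * exceeds what the wrapped allocation provides: the heap-overflow case
 * the report describes. */
bool vuln_check_overflows(uint32_t in_sz, uint32_t out_sz)
{
    return vuln_sizes_ok(in_sz, out_sz) &&
           bytes_copied(in_sz, out_sz) > vuln_alloc_size(in_sz, out_sz);
}

int main(void)
{
    /* Constructed inputs: a benign request and one whose sum wraps. */
    struct { uint32_t in, out; } cases[] = {
        { 100u, 200u },
        { 0xFFFFFFF0u, 0x20u },   /* 32-bit sum wraps to 0x10 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t in = cases[i].in, out = cases[i].out;
        printf("in=%u out=%u vuln_ok=%d safe_ok=%d alloc=%u copied=%llu\n",
               (unsigned)in, (unsigned)out,
               vuln_sizes_ok(in, out), safe_sizes_ok(in, out),
               (unsigned)vuln_alloc_size(in, out),
               (unsigned long long)bytes_copied(in, out));
    }
    return 0;
}
```

The per-operand bound is the important part of the fix: checking the sum with a wider type alone is also sufficient, but bounding each field first keeps every later use of `nInBufferSize` and `nOutBufferSize` (the allocation, the `copyin`, the `copyout` offset) within the same limit the check enforces.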