Date:      Fri, 20 May 2016 13:44:55 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-amd64@FreeBSD.org
Subject:   [Bug 209661] amd64_set_ioperm overflow
Message-ID:  <bug-209661-6@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209661

            Bug ID: 209661
           Summary: amd64_set_ioperm overflow
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: cturt@hardenedbsd.org
                CC: freebsd-amd64@FreeBSD.org

The privileged `sysarch` handler, `amd64_set_ioperm`, performs an incorrect
bound check on user arguments supplied to it.

The `uap->start + uap->length > ...` check can be bypassed if the two user
controlled values overflow when added together.

For example, `uap->start = 0xffffffff` and `uap->len = 1` will overflow to 0
when added together, which will bypass the check.

Later on, there is a signed array index with a loop starting from `uap->start`.
If `uap->start` is negative, this would index `iomap` negatively.

sys/amd64/amd64/sys_machdep:

int
amd64_set_ioperm(td, uap)
        struct thread *td;
        struct i386_ioperm_args *uap;
{
        int i, error;
        char *iomap;
        struct amd64tss *tssp;
        struct system_segment_descriptor *tss_sd;
        struct pcb *pcb;

        if ((error = priv_check(td, PRIV_IO)) != 0)
                return (error);
        if ((error = securelevel_gt(td->td_ucred, 0)) != 0)
                return (error);
        if (uap->start + uap->length > IOPAGES * PAGE_SIZE * NBBY)
                return (EINVAL);

        ...

        for (i = uap->start; i < uap->start + uap->length; i++) {
                if (uap->enable)
                        iomap[i >> 3] &= ~(1 << (i & 7));
                else
                        iomap[i >> 3] |= (1 << (i & 7));
        }
        return (error);
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.
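Added example, not code from the report or from the FreeBSD tree: a user-space C mirror of the bound check quoted above, with the overflow-safe form beside it. The constants IOPAGES, PAGE_SIZE and NBBY are assumed values chosen so the map holds one bit per I/O port (65536 bits); the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed constants mirroring the limit in the report (IOPAGES * PAGE_SIZE * NBBY):
 * one bit per I/O port, 64K ports, so the map holds 65536 bits. */
#define IOPAGES    2u
#define PAGE_SIZE  4096u
#define NBBY       8u
#define IOMAP_BITS (IOPAGES * PAGE_SIZE * NBBY)

/* The check as it appears in the report. `start` and `length` are the unsigned
 * user-supplied fields; their sum is computed modulo 2^32, so a large `start`
 * plus a small `length` can wrap to a value below the limit and pass. */
int range_check_wrapping(unsigned int start, unsigned int length)
{
    if (start + length > IOMAP_BITS)
        return EINVAL;
    return 0;
}

/* Overflow-safe form: bound `start` first, then compare `length` against the
 * room left in the map. No addition is performed, so nothing can wrap. */
int range_check_safe(unsigned int start, unsigned int length)
{
    if (start > IOMAP_BITS || length > IOMAP_BITS - start)
        return EINVAL;
    return 0;
}

/* Mirror of the loop's index arithmetic: `i` is a signed int initialised from
 * the unsigned `start`, so 0xffffffff becomes -1 and `i >> 3` is negative
 * (two's-complement with arithmetic right shift, as on amd64 with gcc/clang). */
int first_iomap_index(unsigned int start)
{
    int i = (int)start;
    return i >> 3;
}

int main(void)
{
    /* Constructed inputs: the pair from the report, and an ordinary request. */
    printf("start=0xffffffff len=1: wrapping=%d safe=%d index=%d\n",
           range_check_wrapping(0xffffffffu, 1), range_check_safe(0xffffffffu, 1),
           first_iomap_index(0xffffffffu));
    printf("start=0x3f8 len=8:      wrapping=%d safe=%d index=%d\n",
           range_check_wrapping(0x3f8, 8), range_check_safe(0x3f8, 8),
           first_iomap_index(0x3f8));
    return 0;
}
```

The wrapping check returns 0 (accept) for the report's pair while the safe check returns EINVAL; the ordinary request passes both.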