Date: Sun, 24 Jan 2016 13:44:32 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 206573] Improper userland pointer handling in aacraid Message-ID: <bug-206573-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D206573 Bug ID: 206573 Summary: Improper userland pointer handling in aacraid Product: Base System Version: 11.0-CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: misc Assignee: freebsd-bugs@FreeBSD.org Reporter: ecturt@gmail.com The `aac_ioctl_send_raw_srb` function can be reached by supplying the `FSACTL_LNX_SEND_RAW_SRB` command to `aac_ioctl`. This code path dereferenc= es a user supplied pointer directly: static int aac_ioctl_send_raw_srb(struct aac_softc *sc, caddr_t arg) { struct aac_srb *user_srb =3D (struct aac_srb *)arg; ... if ((error =3D copyin((void *)user_srb, srbcmd, fibsize) !=3D 0))=20 goto out; ... struct aac_sg_entry *sgp =3D srbcmd->sg_map.SgEntry; ... srb_sg_bytecount =3D sgp->SgByteCount; ... } `srbcmd` has user controlled contents (after `copyin` from `user_srb`). `sgp` is set to a user controlled address (`srbcmd->sg_map.SgEntry`). `sgp` is then dereferenced numerous times (`sgp->SgByteCount`). One impact of this improper handling is that `sgp` could be `NULL`, which w= ould result in a `NULL` dereference, and panic. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-206573-8>