Date: Sat, 30 Jan 2016 09:33:55 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 206754] Out of bounds negative array index in iicrdwr
Message-ID: <bug-206754-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206754

Bug ID: 206754
Summary: Out of bounds negative array index in iicrdwr
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: cturt@hardenedbsd.org

`iicrdwr` in `/sys/dev/iicbus/iic.c` incorrectly handles iteration over buffer.

Firstly, no bound checks are supplied on the user controlled `d->nmsgs`. This field is declared as type `uint32_t`, in `struct iic_rdwr_data` (`sys/dev/iicbus/iic.h`):

    struct iic_rdwr_data {
        struct iic_msg *msgs;
        uint32_t nmsgs;
    };

However, the `i` variable in this function is declared as a `signed int`:

    int error, i;

When `i` iterates over buffers, since it is `signed`, it can wrap around to a negative value, for example here:

    for (i = 0; i < d->nmsgs; i++) {
        m = &(buf[i]);
        usrbufs[i] = m->buf;

And here:

    for (i = 0; i < d->nmsgs; i++) {
        m = &(buf[i]);
        if ((error == 0) && (m->flags & IIC_M_RD))
            error = copyout(m->buf, usrbufs[i], m->len);
        free(m->buf, M_IIC);
    }

`i` will be converted to `unsigned` type for the conversion, however, will still be `signed` when indexing `buf`. This would result in a read out of bounds of the `buf` allocation.

This situation seems unlikely to be triggerable, because the code would wait for `buf` allocation to succeed (`M_WAITOK`):

    buf = malloc(sizeof(*d->msgs) * d->nmsgs, M_IIC, M_WAITOK);

Which would be unlikely to succeed if `d->nmsgs` is something like `0x80000001`.

-- 
You are receiving this mail because:
You are the assignee for the bug.
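The signed/unsigned mismatch the report describes is easy to misjudge by eye, so the following added example (not code from FreeBSD's iic.c or from the reporter) models the `int i` versus `uint32_t nmsgs` loop arithmetically, without allocating 2 GiB, and places the checks a hardened `iicrdwr` would apply next to it: a cap on the user-supplied count before allocation, an overflow-checked allocation size, and an index with the same type as the count. `struct msg`, `struct rdwr_data`, `IIC_MAX_MSGS` and all function names are assumptions made for the illustration.

```c
/* Added illustration, not FreeBSD's iic.c: models the reported loop condition
 * `i < d->nmsgs` (int vs uint32_t) and shows hardened alternatives.
 * struct names, IIC_MAX_MSGS and the function names are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct msg { void *buf; uint16_t len; };                /* stand-in for struct iic_msg */
struct rdwr_data { struct msg *msgs; uint32_t nmsgs; }; /* mirrors struct iic_rdwr_data */

#define IIC_MAX_MSGS 64u   /* hypothetical driver limit; a real driver picks its own */

/* The condition `i < d->nmsgs` with `int i`: C's usual arithmetic conversions
 * turn the signed operand into uint32_t, which the cast here makes explicit.
 * A negative i therefore compares as a value >= 0x80000000. */
bool loop_continues(int i, uint32_t nmsgs)
{
    return (uint32_t)i < nmsgs;
}

/* i++ past INT_MAX: signed overflow is undefined in C, so the model performs
 * the wrap in unsigned arithmetic; in practice kernels are compiled so that
 * the increment wraps to INT_MIN, which is what the report relies on. */
int next_index(int i)
{
    return (int)((uint32_t)i + 1u);
}

/* Would the reported loop subscript buf[] with a negative index for this
 * nmsgs, and if so, which index first? True only when nmsgs > 0x80000000:
 * the loop has to pass i == INT_MAX and then still satisfy the condition. */
bool first_negative_index(uint32_t nmsgs, int *idx)
{
    int i = next_index(INT_MAX);       /* INT_MIN, i.e. 0x80000000 as unsigned */
    if (!loop_continues(i, nmsgs))
        return false;                  /* loop terminates; no negative index */
    *idx = i;
    return true;
}

/* Hardened input validation: bound the user-controlled count before any
 * allocation happens. Returns 0 on success, EINVAL-style nonzero otherwise. */
int validate_nmsgs(uint32_t nmsgs)
{
    if (nmsgs == 0 || nmsgs > IIC_MAX_MSGS)
        return 22; /* EINVAL */
    return 0;
}

/* Overflow-checked allocation size: sizeof(*msgs) * nmsgs can wrap a 32-bit
 * size_t for large nmsgs, so check the multiplication before doing it. */
bool msgs_alloc_size(uint32_t nmsgs, size_t *out)
{
    if (nmsgs > SIZE_MAX / sizeof(struct msg))
        return false;
    *out = (size_t)nmsgs * sizeof(struct msg);
    return true;
}

/* Hardened iteration: the index has the same type as the count, so the
 * comparison and the subscript agree and i can never be negative. */
uint32_t sum_lens(const struct rdwr_data *d)
{
    uint32_t total = 0;
    for (uint32_t i = 0; i < d->nmsgs; i++)
        total += d->msgs[i].len;
    return total;
}

int main(void)
{
    int idx;
    if (first_negative_index(0x80000001u, &idx))
        printf("nmsgs=0x80000001: first negative index %d\n", idx);
    if (!first_negative_index(0x80000000u, &idx))
        printf("nmsgs=0x80000000: loop ends before any negative index\n");
    printf("validate_nmsgs(0x80000001) -> %d\n", validate_nmsgs(0x80000001u));

    /* constructed sample input */
    struct msg msgs[3] = { {NULL, 4}, {NULL, 8}, {NULL, 16} };
    struct rdwr_data d = { msgs, 3 };
    printf("sum_lens -> %u\n", sum_lens(&d));
    return 0;
}
```

The model agrees with the report's threshold: `0x80000000` messages end the loop cleanly after `buf[INT_MAX]`, while `0x80000001` makes the condition hold for `i == INT_MIN` and the subscript goes negative. The defensive side is two independent checks, a count limit and a size-overflow check, plus a loop index typed like the count; any one of them removes the negative subscript, and the count limit also removes the pressure the report notes on the `M_WAITOK` allocation.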