Date: Wed, 24 Feb 2016 17:13:42 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-stable@FreeBSD.org
Subject: [Bug 207463] [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
Message-ID: <bug-207463-8075@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463

            Bug ID: 207463
           Summary: [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
           Product: Base System
           Version: 10.3-BETA2
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: paul@inetstat.net
                CC: freebsd-stable@FreeBSD.org

Created attachment 167367
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167367&action=edit
stable/10/sys/netpfil/pf/pf_ioctl.c patch

While investigating bug #192677 (pfctl iotcl buffer to small for bigger spamd blacklists) on releng/10.2, I believe I have spotted a kernel buffer overflow in stable/10/sys/netpfil/pf/pf_ioctl.c / stable/10/sys/netpfil/pf/pf_table.c, introduced by base r286862 / base r286961.

stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):

    totlen = io->pfrio_size * sizeof(struct pfr_addr);
    pfras = malloc(totlen, M_TEMP, M_WAITOK);

stable/10/sys/netpfil/pf/pf_table.c:pfr_set_addrs():

    bcopy(&ad, addr + size + i, sizeof(ad));

Inside pfr_set_addrs(), pfioctl()'s "pfras" becomes "addr", "io->pfrio_size" becomes "size", and "io->pfrio_size2" becomes "size2". pfr_set_addrs() uses size2 to protect the buffer just above that bcopy.

Looking carefully at stable/10/sys/sbin/pfctl/pfctl_table.c:pfctl_table("replace") and stable/10/sys/sbin/pfctl/pfctl_radix.c:pfr_buf_grow(), io->pfrio_buffer passed into the ioctl is size2.

This is theoretical, based on simulating the code mentally. I'm fairly certain that my analysis is correct, but I've not verified it via compiled stable/10 code. The bcopy seems to fairly obviously run off the end of the buffer when it is only "size". The fix should be quite simple, by just changing the buffer to be "size2" in stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):

    totlen = io->pfrio_size2 * sizeof(struct pfr_addr);

Untested patch attached. I believe this applies to both stable/10 and head. I have tagged it as 10.3-BETA, as that seems to be the place where the more urgent attention is needed, as it would be quite unfortunate for 10.3 to be released with this bug (if my analysis is correct).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
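The following is an added userland C model of the size/size2 mismatch the report describes; it is not the reporter's patch and not FreeBSD's pf code. It replaces the raw bcopy with a bounds-checked copy so the effect of sizing the temporary buffer from size versus size2 can be observed without touching a kernel. The structs, the append loop and the names pfr_addr_model, pfr_io_model, copy_entry_bounded, set_addrs_model and run_model are constructed assumptions that only mirror the shape of the report (entries appended at addr + size + i, with size2 as the sole limit on i).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for struct pfr_addr; only its size matters here. */
struct pfr_addr_model {
    uint8_t pfra_u[16];
    uint8_t pfra_af;
    uint8_t pfra_net;
    uint8_t pfra_not;
    uint8_t pfra_fback;
};

/* Constructed stand-in for the ioctl request: size is the number of
 * entries the caller sets, size2 the capacity of the caller's buffer,
 * which also receives entries appended after the first size. */
struct pfr_io_model {
    int size;   /* io->pfrio_size in the report  */
    int size2;  /* io->pfrio_size2 in the report */
};

/* Bounds-checked stand-in for the bcopy in the report. Writes one entry at
 * index idx of a buffer holding totlen bytes; returns 0 on success and -1
 * when the write would land past the allocation (what happens when totlen
 * was computed from size while the appends are limited only by size2). */
static int copy_entry_bounded(struct pfr_addr_model *addr, size_t totlen,
                              size_t idx, const struct pfr_addr_model *ad)
{
    if (idx >= totlen / sizeof(*ad))
        return -1;
    memcpy(&addr[idx], ad, sizeof(*ad));
    return 0;
}

/* Assumed model of the phase of pfr_set_addrs() the report points at:
 * ndel entries are appended at addr + size + i, and size2 is the only
 * limit on i. Returns the number of appends the bounds check refused. */
static int set_addrs_model(struct pfr_addr_model *addr, size_t totlen,
                           const struct pfr_io_model *io, int ndel)
{
    struct pfr_addr_model ad;
    int rejected = 0;

    memset(&ad, 0, sizeof(ad));
    for (int i = 0; i < ndel && io->size + i < io->size2; i++) {
        ad.pfra_af = (uint8_t)i;  /* constructed placeholder content */
        if (copy_entry_bounded(addr, totlen, (size_t)io->size + i, &ad) != 0)
            rejected++;
    }
    return rejected;
}

/* Sizes the temporary buffer the way pfioctl(DIOCRSETADDRS) does before
 * (use_size2 == 0, totlen from size) or after (use_size2 != 0, totlen from
 * size2) the one-line fix, then runs the model. Returns the number of
 * appends that did not fit; 0 means the allocation covers every write. */
int run_model(int size, int size2, int ndel, int use_size2)
{
    struct pfr_io_model io = { size, size2 };
    size_t nalloc = (size_t)(use_size2 ? size2 : size);
    size_t totlen = nalloc * sizeof(struct pfr_addr_model);
    struct pfr_addr_model *pfras;
    int rejected;

    if (size < 0 || size2 < size)
        return -1;                       /* nonsensical request */
    pfras = calloc(nalloc ? nalloc : 1, sizeof(*pfras));
    if (pfras == NULL)
        return -1;
    rejected = set_addrs_model(pfras, totlen, &io, ndel);
    free(pfras);
    return rejected;
}

int main(void)
{
    printf("totlen from size:  %d appends past the buffer\n",
           run_model(4, 8, 3, 0));
    printf("totlen from size2: %d appends past the buffer\n",
           run_model(4, 8, 3, 1));
    return 0;
}
```

The point of the model is that the allocation and the write loop must be derived from the same bound: when the loop is limited by size2, an allocation of size entries leaves every append without backing memory, and the check in copy_entry_bounded is exactly what sizing the buffer from size2 makes unnecessary.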
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-207463-8075>