Bug 238486 - Possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Keywords: needs-qa, security
Reported: 2019-06-11 07:48 UTC by Young
Modified: 2023-07-31 02:35 UTC (History)

See Also:
koobs: mfc-stable12?
koobs: mfc-stable11?


Attachments
Proposed patch (922 bytes, patch)
2019-06-11 07:48 UTC, Young

Description Young 2019-06-11 07:48:37 UTC
Created attachment 204976
Proposed patch

There is a possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c.

                k0 = kbd_get_keyboard(idx0);

                for (idx = kbd_find_keyboard2("*", -1, 0);
                     idx != -1;
                     idx = kbd_find_keyboard2("*", -1, idx + 1)) {
                        k = kbd_get_keyboard(idx);

                        if (idx == idx0 || KBD_IS_BUSY(k))
                                continue;

                        bzero(&ki, sizeof(ki));
                        strcpy(ki.kb_name, k->kb_name);
                        ki.kb_unit = k->kb_unit;

                        (void)kbdd_ioctl(k0, KBADDKBD, (caddr_t) &ki);
                }

We should use strncpy to copy into a fixed-size buffer instead of strcpy().

The attachment is the proposed patch.
Comment 1 Greg Becker 2023-07-31 02:35:46 UTC
FWIW, it appears there is a similar issue at sys/dev/kbd/kbd.c:230 in function kbd_register().

Is there any downside to using a truncated name?

Also, is there any reason not to use strlcpy()?
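
Added example (not part of the bug report, the attached patch, or FreeBSD source): a userland C sketch of the copy choices raised in this thread for a fixed-size name field, showing what each leaves in the buffer when the source name is too long. `demo_info`, `DEMO_NAME_LEN`, `demo_strlcpy`, the two copy functions, and the sample names are constructed for illustration; the real size of `ki.kb_name` is not stated on the page.

```c
#include <stddef.h>
#include <string.h>

/* Constructed size; the real size of ki.kb_name is not given on the page. */
#define DEMO_NAME_LEN 8

struct demo_info {		/* hypothetical stand-in for the ki structure */
	char name[DEMO_NAME_LEN];
};

/* Local helper with strlcpy() semantics (written out for libcs that lack it):
 * copies at most dstsize - 1 bytes, always terminates, returns strlen(src). */
static size_t
demo_strlcpy(char *dst, const char *src, size_t dstsize)
{
	size_t srclen = strlen(src);
	if (dstsize != 0) {
		size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return (srclen);
}

/* strncpy() bounded by the field size: no overflow, but an over-long source
 * fills the field with no terminator. Returns 1 if the result is terminated. */
int copy_with_strncpy(struct demo_info *ki, const char *src)
{
	memset(ki, 0, sizeof(*ki));
	strncpy(ki->name, src, sizeof(ki->name));
	return (memchr(ki->name, '\0', sizeof(ki->name)) != NULL);
}

/* strlcpy-style copy: always terminated, and the return value exposes
 * truncation so the caller can refuse a shortened name. 0 = fit, -1 = not. */
int copy_checked(struct demo_info *ki, const char *src)
{
	memset(ki, 0, sizeof(*ki));
	if (demo_strlcpy(ki->name, src, sizeof(ki->name)) >= sizeof(ki->name))
		return (-1);
	return (0);
}

int main(void)
{
	struct demo_info ki;
	/* Constructed 12-byte name: unterminated with strncpy, rejected when checked. */
	return (copy_with_strncpy(&ki, "longkeyboard") == 0 &&
	    copy_checked(&ki, "longkeyboard") == -1 ? 0 : 1);
}
```

If a truncated name is accepted rather than rejected, two distinct long names that share a prefix end up identical in the field, so a caller that matches on the name can no longer tell them apart.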