265385 – lib9p's l9p_puqids() can write beyond the end of qids[]

Bug 265385 - lib9p's l9p_puqids() can write beyond the end of qids[]

Summary: lib9p's l9p_puqids() can write beyond the end of qids[]

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bhyve (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Mark Johnston

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-07-22 15:01 UTC by Robert Morris
Modified:	2022-08-09 20:02 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Morris 2022-07-22 15:01:46 UTC

When a 9P server sends an L9P_RWALK reply, it specifies the number of
qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified
number of qids into its qids argument, which is the wqid element of a
struct l9p_f_rwalk:

  struct l9p_f_rwalk {
        struct l9p_hdr hdr;
        uint16_t nwqid;
        struct l9p_qid wqid[L9P_MAX_WELEM];
  };

#define L9P_MAX_WELEM   256

l9p_puqids() doesn't check the server's number against this maximum:

static ssize_t
l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
{
        size_t i, lim;
        ssize_t ret, r;

        r = l9p_pu16(msg, num);

        if (r > 0) {
                for (i = 0, lim = *num; i < lim; i++) {
                        ret = l9p_puqid(msg, &qids[i]);
                        if (ret < 0)
                                return (-1);
                        r += ret;
                }
        }
        return (r);
}

So if a malicious or enthusiastic server sends back more than 256
qids, the client will write them beyond the end of wqid[].

Comment 1 Robert Morris 2022-07-22 21:53:19 UTC

A bhyve guest may be able to trigger this overflow in the bhyve host.

Comment 2 Mark Johnston freebsd_committer

2022-07-25 14:01:56 UTC

Jakub, do you have some time to look at this?

Comment 3 Mark Johnston freebsd_committer

2022-07-25 15:23:41 UTC

https://reviews.freebsd.org/D35907

I'll echo a question from the review here: does fs_walk() have a similar problem in that it doesn't validate twalk.nwname?

Comment 4 commit-hook freebsd_committer

2022-08-08 16:54:04 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2dd83b3f0507fc7bc64b908fb88f285a3b9663c8

commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-08 16:50:43 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    PR:             265385
    Reviewed by:    markj
    MFC after:      1 day
    Differential Revision:  https://reviews.freebsd.org/D35907

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

Comment 5 commit-hook freebsd_committer

2022-08-09 13:34:07 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c536045c51da78a85138e963d3b7e13a547713c9

commit c536045c51da78a85138e963d3b7e13a547713c9
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 13:33:14 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    PR:             265385
    Reviewed by:    markj

    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

Comment 6 Mark Johnston freebsd_committer

2022-08-09 13:39:28 UTC

Thank you for the report.

Comment 7 commit-hook freebsd_committer

2022-08-09 20:01:16 UTC

A commit in branch releng/13.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=70a2cf7bb2e0010805dde782ce7a1fe325d6f7e2

commit 70a2cf7bb2e0010805dde782ce7a1fe325d6f7e2
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 20:00:03 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    Approved by:    so
    Security:       FreeBSD-SA-22:12.lib9p
    PR:             265385
    Reviewed by:    markj

    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)
    (cherry picked from commit c536045c51da78a85138e963d3b7e13a547713c9)

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

Comment 8 commit-hook freebsd_committer

2022-08-09 20:02:18 UTC

A commit in branch releng/13.1 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7dfe949791e764115dda17ec6b21fba2e0a86a2e

commit 7dfe949791e764115dda17ec6b21fba2e0a86a2e
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 20:01:13 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    Approved by:    so
    Security:       FreeBSD-SA-22:12.lib9p
    PR:             265385
    Reviewed by:    markj

    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)
    (cherry picked from commit c536045c51da78a85138e963d3b7e13a547713c9)

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)