Bug 206584

Summary: Possible integer overflow in update_intel
Product: Base System Reporter: CTurt <ecturt>
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Works As Intended    
Severity: Affects Only Me CC: kib, secteam
Priority: --- Keywords: needs-qa, security
Version: CURRENTFlags: koobs: mfc-stable10?
koobs: mfc-stable9?
Hardware: Any   
OS: Any   

Description CTurt 2016-01-24 17:11:20 UTC
Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`:

	 * 16 byte alignment required.  Rely on the fact that
	 * malloc(9) always returns the pointer aligned at least on
	 * the size of the allocation.
	ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK);
	if (copyin(args->data, ptr, args->size) != 0) {

If `args->size` is user controlled, it could be prepared to overflow when adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer overflow from the `copyin` call.
Comment 1 CTurt 2016-01-24 17:16:20 UTC
Sorry, my bad.

It is checked right here:

    if (args->size > UCODE_SIZE_MAX) {

I'll spend more time analysing before reporting in the future.