| Summary: | Possible integer overflow in update_intel | ||
|---|---|---|---|
| Product: | Base System | Reporter: | CTurt <ecturt> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed Works As Intended | ||
| Severity: | Affects Only Me | CC: | kib, secteam |
| Priority: | --- | Keywords: | needs-qa, security |
| Version: | CURRENT | Flags: | koobs:
mfc-stable10?
koobs: mfc-stable9? |
| Hardware: | Any | ||
| OS: | Any | ||
Sorry, my bad.
It is checked right here:
if (args->size > UCODE_SIZE_MAX) {
I'll spend more time analysing before reporting in the future.
|
Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`: /* * 16 byte alignment required. Rely on the fact that * malloc(9) always returns the pointer aligned at least on * the size of the allocation. */ ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK); if (copyin(args->data, ptr, args->size) != 0) { If `args->size` is user controlled, it could be prepared to overflow when adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer overflow from the `copyin` call.