Bug 265385

Summary: lib9p's l9p_puqids() can write beyond the end of qids[]
Product: Base System Reporter: Robert Morris <rtm>
Component: bhyveAssignee: Mark Johnston <markj>
Status: Closed FIXED    
Severity: Affects Some People CC: jceel, markj
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Robert Morris 2022-07-22 15:01:46 UTC 
When a 9P server sends an L9P_RWALK reply, it specifies the number of
qids enclosed as a 16-bit number. l9p_puqids() unpacks the specified
number of qids into its qids argument, which is the wqid element of a
struct l9p_f_rwalk:

  struct l9p_f_rwalk {
        struct l9p_hdr hdr;
        uint16_t nwqid;
        struct l9p_qid wqid[L9P_MAX_WELEM];
  };

#define L9P_MAX_WELEM   256

l9p_puqids() doesn't check the server's number against this maximum:

static ssize_t
l9p_puqids(struct l9p_message *msg, uint16_t *num, struct l9p_qid *qids)
{
        size_t i, lim;
        ssize_t ret, r;

        r = l9p_pu16(msg, num);

        if (r > 0) {
                for (i = 0, lim = *num; i < lim; i++) {
                        ret = l9p_puqid(msg, &qids[i]);
                        if (ret < 0)
                                return (-1);
                        r += ret;
                }
        }
        return (r);
}

So if a malicious or enthusiastic server sends back more than 256
qids, the client will write them beyond the end of wqid[].
Comment 1 Robert Morris 2022-07-22 21:53:19 UTC 
A bhyve guest may be able to trigger this overflow in the bhyve host.
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2022-07-25 14:01:56 UTC 
Jakub, do you have some time to look at this?
Comment 3 Mark Johnston freebsd_committer freebsd_triage 2022-07-25 15:23:41 UTC 
https://reviews.freebsd.org/D35907

I'll echo a question from the review here: does fs_walk() have a similar problem in that it doesn't validate twalk.nwname?
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-08-08 16:54:04 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2dd83b3f0507fc7bc64b908fb88f285a3b9663c8

commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-08 16:50:43 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    PR:             265385
    Reviewed by:    markj
    MFC after:      1 day
    Differential Revision:  https://reviews.freebsd.org/D35907

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-08-09 13:34:07 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c536045c51da78a85138e963d3b7e13a547713c9

commit c536045c51da78a85138e963d3b7e13a547713c9
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 13:33:14 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    PR:             265385
    Reviewed by:    markj

    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
Comment 6 Mark Johnston freebsd_committer freebsd_triage 2022-08-09 13:39:28 UTC 
Thank you for the report.
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-08-09 20:01:16 UTC 
A commit in branch releng/13.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=70a2cf7bb2e0010805dde782ce7a1fe325d6f7e2

commit 70a2cf7bb2e0010805dde782ce7a1fe325d6f7e2
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 20:00:03 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    Approved by:    so
    Security:       FreeBSD-SA-22:12.lib9p
    PR:             265385
    Reviewed by:    markj

    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)
    (cherry picked from commit c536045c51da78a85138e963d3b7e13a547713c9)

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2022-08-09 20:02:18 UTC 
A commit in branch releng/13.1 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=7dfe949791e764115dda17ec6b21fba2e0a86a2e

commit 7dfe949791e764115dda17ec6b21fba2e0a86a2e
Author:     Konrad Sewiłło-Jopek <kjopek@gmail.com>
AuthorDate: 2022-08-08 16:25:48 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 20:01:13 +0000

    lib9p: Remove potential buffer overwrite in l9p_puqids()

    Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
    and that number actually set the maximum we can safely use.

    Approved by:    so
    Security:       FreeBSD-SA-22:12.lib9p
    PR:             265385
    Reviewed by:    markj

    (cherry picked from commit 2dd83b3f0507fc7bc64b908fb88f285a3b9663c8)
    (cherry picked from commit c536045c51da78a85138e963d3b7e13a547713c9)

 contrib/lib9p/pack.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)