Bug 273328

Summary: [Security] Array index error in sys/dev/iir/iir.c
Product: Base System Reporter: ChenHao Lu <thresh416>
Component: kernAssignee: Ed Maste <emaste>
Status: Closed FIXED    
Severity: Affects Many People CC: emaste
Priority: ---    
Version: 13.2-STABLE   
Hardware: Any   
OS: Any   

Description ChenHao Lu 2023-08-24 12:46:05 UTC 
Branch
stable/13, releng/13.0, releng/13.1, releng/13.2

What is the security issue or vulnerability?
Array index error may occur in int gdt_read_event (int handle,gdt_evt_str *estr) in sys/dev/iir/iir.c.
If handle is set as a negative integer but not -1, it will be passed to eindex , which is used in e = &ebuffer[eindex]; at line 1862, which results in an array index error. However, handle isn't constrained by any caller of this function.
The vulnerability bears similarity to CVE-2009-3080, which means it may cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

Security issue or vulnerability information
CVE-2009-3080's description:https://nvd.nist.gov/vuln/detail/CVE-2009-3080
CVE-2009-3080's patch commit:https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59199cf142765b0
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-08-28 20:05:59 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b5a5a06fc012d27c6937776bff8469ea465c3873

commit b5a5a06fc012d27c6937776bff8469ea465c3873
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-08-28 03:38:30 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-08-28 19:37:09 +0000

    iir: prevent negative offsets in ioctl

    Direct commit to stable/13 as this driver has been removed from main in
    commit 399188a2c60c ("iir: Remove").

    PR:             273328
    Reported by:    ChenHao Lu
    Sponsored by:   The FreeBSD Foundation

 sys/dev/iir/iir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 ChenHao Lu 2023-08-29 02:35:15 UTC 
Should we apply for a CVE for this security problem?
Comment 3 ChenHao Lu 2023-08-29 06:04:00 UTC 
*** Bug 273173 has been marked as a duplicate of this bug. ***
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-09-09 15:18:53 UTC 
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e4e41b39a4dc22a31c7d239ca1ac29bdd6c10b47

commit e4e41b39a4dc22a31c7d239ca1ac29bdd6c10b47
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-08-28 03:38:30 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-09-09 15:16:19 +0000

    iir: prevent negative offsets in ioctl

    MFS of direct commit to stable/13 as this driver has been removed from
    main in commit 399188a2c60c ("iir: Remove").

    PR:             273328
    Reported by:    ChenHao Lu
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit b5a5a06fc012d27c6937776bff8469ea465c3873)

 sys/dev/iir/iir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Ed Maste freebsd_committer freebsd_triage 2023-09-09 15:35:39 UTC 
Applied to stable/13 and stable/12, thanks for the report.