Bug 206584 - Possible integer overflow in update_intel
Summary: Possible integer overflow in update_intel
Status: Closed Works As Intended
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-bugs mailing list
Keywords: needs-qa, security
Depends on:
Reported: 2016-01-24 17:11 UTC by CTurt
Modified: 2016-01-24 17:26 UTC

See Also:
koobs: mfc-stable10?
koobs: mfc-stable9?


Description CTurt 2016-01-24 17:11:20 UTC
Code path `cpuctl_ioctl` -> `cpuctl_do_update` -> `update_intel`:

	/*
	 * 16 byte alignment required.  Rely on the fact that
	 * malloc(9) always returns the pointer aligned at least on
	 * the size of the allocation.
	 */
	ptr = malloc(args->size + 16, M_CPUCTL, M_WAITOK);
	if (copyin(args->data, ptr, args->size) != 0) {

If `args->size` is user controlled, it could be prepared to overflow when adding 16, resulting in an allocation of 0 - 15 bytes or so, and a huge buffer overflow from the `copyin` call.
Comment 1 CTurt 2016-01-24 17:16:20 UTC
Sorry, my bad.

It is checked right here:

    if (args->size > UCODE_SIZE_MAX) {

I'll spend more time analysing before reporting in the future.
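The arithmetic discussed in the report and the bound that defuses it, worked through as an added userland example; this is not code from the bug report or from FreeBSD's cpuctl driver. The value of UCODE_SIZE_MAX, the args struct and the helper names are stand-ins chosen for illustration: the kernel's real limit is whatever sys/dev/cpuctl defines, and the example only assumes it is far smaller than SIZE_MAX - 16. The "malloc then copyin" step is modelled as a size comparison rather than a real copy, so the program runs safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the kernel's UCODE_SIZE_MAX (not the real value). */
#define UCODE_SIZE_MAX_ASSUMED (32 * 1024)

/* Stand-in for the user-supplied args->size field (not the kernel's struct). */
struct update_args_stub {
	size_t size;
};

/*
 * The pre-check arithmetic: size + 16 bytes of alignment slack.
 * Unsigned addition wraps modulo SIZE_MAX + 1, so a size chosen near
 * SIZE_MAX yields a tiny allocation length.
 */
size_t
alloc_len_unchecked(size_t size)
{
	return size + 16;
}

/* Generic test for whether size + 16 would wrap, independent of any limit. */
bool
wraps_on_add16(size_t size)
{
	return size > SIZE_MAX - 16;
}

/*
 * The same arithmetic guarded by the upper bound the driver applies.
 * Returns the allocation length, or 0 if the size is rejected (0 is never
 * a valid result, since the smallest accepted length is 16).
 */
size_t
alloc_len_checked(size_t size)
{
	if (size > UCODE_SIZE_MAX_ASSUMED)
		return 0;
	return size + 16;
}

/*
 * Models the copyin step: would copying `size` bytes into a buffer of
 * `len` bytes run past its end?  (The real kernel copies; we only compare.)
 */
bool
copy_overflows(size_t len, size_t size)
{
	return size > len;
}

int
main(void)
{
	struct update_args_stub args = { .size = SIZE_MAX - 3 };
	size_t len;

	/* Without the bound: SIZE_MAX - 3 + 16 wraps to 12. */
	len = alloc_len_unchecked(args.size);
	printf("unchecked: size=%zu wraps=%d alloc=%zu overflow=%d\n",
	    args.size, wraps_on_add16(args.size), len,
	    copy_overflows(len, args.size));

	/* With the bound: the same size is rejected before any allocation. */
	len = alloc_len_checked(args.size);
	printf("checked:   size=%zu alloc=%zu (0 = rejected)\n", args.size, len);

	/* A legitimate size passes and gets its slack. */
	args.size = 4096;
	len = alloc_len_checked(args.size);
	printf("checked:   size=%zu alloc=%zu overflow=%d\n",
	    args.size, len, copy_overflows(len, args.size));
	return 0;
}
```

The point of `alloc_len_checked` is that any bound well below SIZE_MAX - 16 makes the subsequent addition incapable of wrapping, which is why the size check preceding the malloc in update_intel closes the case; `wraps_on_add16` is the check to reach for when no such domain-specific limit exists.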