Bug 238486 - Possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Keywords: needs-qa, security
Depends on:
Reported: 2019-06-11 07:48 UTC by Young
Modified: 2020-07-11 02:40 UTC

See Also:
koobs: mfc-stable12?
koobs: mfc-stable11?

Proposed patch (922 bytes, patch)
2019-06-11 07:48 UTC, Young

Description Young 2019-06-11 07:48:37 UTC
Created attachment 204976
Proposed patch

There is a possible buffer overflow bug in sc_allocate_keyboard() of sys/dev/syscons/syscons.c.

                k0 = kbd_get_keyboard(idx0);

                for (idx = kbd_find_keyboard2("*", -1, 0);
                     idx != -1;
                     idx = kbd_find_keyboard2("*", -1, idx + 1)) {
                        k = kbd_get_keyboard(idx);

                        if (idx == idx0 || KBD_IS_BUSY(k))
                                continue;

                        bzero(&ki, sizeof(ki));
                        strcpy(ki.kb_name, k->kb_name);
                        ki.kb_unit = k->kb_unit;

                        (void)kbdd_ioctl(k0, KBADDKBD, (caddr_t) &ki);
                }

We should use strncpy to copy into a fixed-size buffer instead of strcpy().

The attachment is the proposed patch.
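
A caveat on the suggested fix, as an added example that is not part of the bug report, the attached patch or the FreeBSD source: strncpy() bounds the write but leaves the destination without a NUL when the source fills it, so the bounded copy should also terminate the buffer and report truncation. The struct, its 16-byte name field, the sample names and kbd_name_copy() are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define KB_NAME_LEN 16  /* assumed size, for illustration only */

struct kbd_info_demo {  /* hypothetical stand-in for the struct being filled */
	char kb_name[KB_NAME_LEN];
	int  kb_unit;
};

/* Bare strncpy(dst, src, dstsz): never writes past dst, but leaves dst
 * unterminated when strlen(src) >= dstsz. Returns 1 if dst has a NUL. */
int strncpy_is_terminated(char *dst, size_t dstsz, const char *src)
{
	strncpy(dst, src, dstsz);
	return memchr(dst, '\0', dstsz) != NULL;
}

/* Bounded copy that always terminates dst and reports truncation:
 * returns 0 if src fit, -1 if it was cut short (or dstsz is 0). */
int kbd_name_copy(char *dst, size_t dstsz, const char *src)
{
	const char *nul;
	size_t n;

	if (dstsz == 0)
		return -1;
	nul = memchr(src, '\0', dstsz);  /* look at no more than dstsz bytes */
	n = nul ? (size_t)(nul - src) : dstsz - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return nul ? 0 : -1;
}

int main(void)
{
	/* Constructed sample names: short, exactly 16 bytes, and longer. */
	const char *names[] = { "ukbd", "exactly16bytes!!", "a-very-long-driver-name" };
	struct kbd_info_demo ki;

	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int term = strncpy_is_terminated(ki.kb_name, sizeof(ki.kb_name), names[i]);
		int rc = kbd_name_copy(ki.kb_name, sizeof(ki.kb_name), names[i]);
		printf("%-24s strncpy terminated=%d  kbd_name_copy rc=%d -> \"%s\"\n",
		    names[i], term, rc, ki.kb_name);
	}
	return 0;
}
```

In kernel code the same always-terminate, detect-truncation behaviour is what strlcpy() provides; the helper here is written out only so the example builds on any C library.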