https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204097
Bug ID: 204097
Summary: witness_initialize() does not perform bound checking of witness_count
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
The witness_count sysctl node is of type CTLFLAG_RDTUN, which means it is a
read-only sysctl that can nevertheless be set at boot through a
"debug.witness.count" entry in /boot/loader.conf.
The witness_initialize() function in sys/kern/subr_witness.c does not perform
bounds checks on witness_count, which can lead to an integer overflow and
memory corruption.

The following loop condition in witness_initialize() overflows when
witness_count is, for example, 2147483647 (INT_MAX), because witness_count + 1
is evaluated in signed int arithmetic and wraps:

    for (i = 0; i < witness_count + 1; i++) {

The condition is then false on the very first iteration, so the w_rmatrix[i]
buffers are never allocated, and the kernel subsequently reads and writes
through the uninitialized pointers.
A potential fix would be to add the following bound check at the beginning of
the function:

    if (witness_count < 0 || witness_count >= 2147483647) {
        printf("Invalid witness_count value of %d, setting to 2147483646\n",
            witness_count);
        witness_count = 2147483646;
    }
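The following is an added illustration, not code from sys/kern/subr_witness.c: it models the loop bound from the report, an overflow-free test for when `witness_count + 1` would wrap, and the clamp the report proposes. The row count "allocated" is computed in a wider type purely to show the effect; the real allocation layout is not reproduced.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the witness_count handling described in the report;
 * not the FreeBSD implementation. */

#define WITNESS_COUNT_MAX (INT_MAX - 1)   /* 2147483646, the clamp proposed in the report */

/* True when `witness_count + 1`, as written in the for loop, would overflow int.
 * The comparison is rearranged so that the check itself can never overflow. */
int
loop_bound_overflows(int witness_count)
{
    return witness_count > INT_MAX - 1;
}

/* Mirrors the bound check proposed in the report: negative values and INT_MAX
 * are rejected and replaced by 2147483646. Returns the value to use. */
int
sanitize_witness_count(int witness_count)
{
    if (witness_count < 0 || witness_count >= INT_MAX) {
        printf("Invalid witness_count value of %d, setting to %d\n",
            witness_count, WITNESS_COUNT_MAX);
        return WITNESS_COUNT_MAX;
    }
    return witness_count;
}

/* Number of iterations the allocation loop performs for a given count. With
 * INT_MAX the real loop's condition `0 < INT_MAX + 1` is undefined behaviour in
 * C and on common ABIs wraps to `0 < INT_MIN`, i.e. false, so no w_rmatrix
 * rows are allocated; that case is modelled as zero iterations here. */
long long
rows_allocated(int witness_count)
{
    if (loop_bound_overflows(witness_count))
        return 0;
    return (long long)witness_count + 1;
}

int
main(void)
{
    int vals[] = { 1024, -1, INT_MAX - 1, INT_MAX };   /* constructed sample tunable values */
    for (size_t i = 0; i < sizeof(vals) / sizeof(vals[0]); i++) {
        int v = vals[i];
        printf("count=%d overflow=%d rows=%lld sanitized=%d\n", v,
            loop_bound_overflows(v), rows_allocated(v), sanitize_witness_count(v));
    }
    return 0;
}
```

Note that the clamp only prevents the wrap: a value just below it still makes the loop allocate over two billion rows, so a much smaller ceiling on the tunable is the more robust choice.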