https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207463
Bug ID: 207463
Summary: [patch] stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS) buffer overflow
Product: Base System
Version: 10.3-BETA2
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: p...@inetstat.net
CC: freebsd-sta...@freebsd.org

Created attachment 167367
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=167367&action=edit
stable/10/sys/netpfil/pf/pf_ioctl.c patch

While investigating bug #192677 (pfctl ioctl buffer too small for bigger spamd blacklists) on releng/10.2, I believe I have spotted a kernel buffer overflow in stable/10/sys/netpfil/pf/pf_ioctl.c / stable/10/sys/netpfil/pf/pf_table.c, introduced by base r286862 / base r286961.

stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):

    totlen = io->pfrio_size * sizeof(struct pfr_addr);
    pfras = malloc(totlen, M_TEMP, M_WAITOK);

stable/10/sys/netpfil/pf/pf_table.c:pfr_set_addrs():

    bcopy(&ad, addr + size + i, sizeof(ad));

Inside pfr_set_addrs(), pfioctl()'s "pfras" becomes "addr", "io->pfrio_size" becomes "size", and "io->pfrio_size2" becomes "size2". pfr_set_addrs() uses size2 to protect the buffer just above that bcopy.

Looking carefully at stable/10/sys/sbin/pfctl/pfctl_table.c:pfctl_table("replace") and stable/10/sys/sbin/pfctl/pfctl_radix.c:pfr_buf_grow(), io->pfrio_buffer passed into the ioctl is size2.

This is theoretical, based on simulating the code mentally. I'm fairly certain that my analysis is correct, but I've not verified it via compiled stable/10 code. The bcopy seems to fairly obviously run off the end of the buffer when it is only "size".

The fix should be quite simple, by just changing the buffer to be "size2" in stable/10/sys/netpfil/pf/pf_ioctl.c:pfioctl(DIOCRSETADDRS):

    totlen = io->pfrio_size2 * sizeof(struct pfr_addr);

Untested patch attached. I believe this applies to both stable/10 and head.
I have tagged it as 10.3-BETA, as that seems to be the place where the more urgent attention is needed, as it would be quite unfortunate for 10.3 to be released with this bug (if my analysis is correct).

freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
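The size/size2 mismatch the report describes, modelled in userland as an added example. This is not FreeBSD's code: struct model_addr, model_table, model_io, model_set_addrs(), model_ioctl_setaddrs() and overflow_count() are simplified stand-ins (hypothetical names) for struct pfr_addr, struct pfioc_table, pfr_set_addrs() and the DIOCRSETADDRS case of pfioctl(), the PFR_FB_DELETED/PFR_FLAG_FEEDBACK values are chosen for the model, and the installed and replacement addresses are constructed. Rather than performing the out-of-bounds bcopy, the model counts every feedback record whose destination lies past the allocated kernel buffer, so the overflow is observable without undefined behaviour. Passing 0 sizes the allocation from pfrio_size (the reported behaviour), passing 1 from pfrio_size2 (the proposed fix).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PFR_FB_DELETED    4    /* feedback code, value chosen for the model */
#define PFR_FLAG_FEEDBACK 0x1  /* flag value chosen for the model */

/* Simplified stand-in for struct pfr_addr (the real one has more fields). */
struct model_addr {
	uint32_t addr;   /* IPv4 address in host order, model only */
	uint8_t  fback;  /* feedback code written back to userland */
};

/* Addresses currently installed in the kernel table. */
struct model_table {
	const uint32_t *addrs;
	size_t n;
};

/* Stand-in for struct pfioc_table: buffer holds size2 entries, size are filled. */
struct model_io {
	struct model_addr *buffer;
	int size;
	int size2;
	int flags;
};

static int list_has(const struct model_addr *addr, int size, uint32_t a)
{
	for (int i = 0; i < size; i++)
		if (addr[i].addr == a)
			return 1;
	return 0;
}

/*
 * Stand-in for pfr_set_addrs(): the table is replaced by addr[0..size).
 * With feedback requested, one record per deleted address is written at
 * addr + size + i after checking that *size2 claims room for it. That
 * check protects against the caller's claim, not against the kernel's own
 * allocation, which is why alloc_entries is passed separately here: a write
 * at or past it is counted in *overflowed instead of performed.
 */
static int model_set_addrs(const struct model_table *t, struct model_addr *addr,
    int size, int *size2, int alloc_entries, int flags, int *overflowed)
{
	int xdel = 0, i = 0;

	*overflowed = 0;
	for (size_t k = 0; k < t->n; k++)
		if (!list_has(addr, size, t->addrs[k]))
			xdel++;

	if (flags & PFR_FLAG_FEEDBACK) {
		if (*size2 < size + xdel) {
			*size2 = size + xdel;   /* tell userland how much room is needed */
			return 0;
		}
		for (size_t k = 0; k < t->n; k++) {
			if (list_has(addr, size, t->addrs[k]))
				continue;
			struct model_addr ad = { t->addrs[k], PFR_FB_DELETED };
			if (size + i >= alloc_entries)
				(*overflowed)++;    /* the kernel bcopy would land past the buffer */
			else
				memcpy(addr + size + i, &ad, sizeof(ad));
			i++;
		}
	}
	*size2 = size + xdel;
	return 0;
}

/* Stand-in for the DIOCRSETADDRS path: allocate, copy in, call the table code. */
static int model_ioctl_setaddrs(const struct model_table *t, struct model_io *io,
    int use_size2, int *overflowed)
{
	int alloc = use_size2 ? io->size2 : io->size;
	size_t totlen = (size_t)alloc * sizeof(struct model_addr);
	struct model_addr *pfras = malloc(totlen);
	if (pfras == NULL)
		return -1;
	memcpy(pfras, io->buffer, totlen);   /* copyin(); user buffer is size2 entries long */
	int size2 = io->size2;
	int rv = model_set_addrs(t, pfras, io->size, &size2, alloc, io->flags, overflowed);
	io->size2 = size2;                   /* copyout() of the feedback would follow */
	free(pfras);
	return rv;
}

/* Constructed input: three installed addresses replaced by one new one, so xdel = 3. */
static const uint32_t installed[] = { 0x0a000001, 0x0a000002, 0x0a000003 };

/* Number of feedback records that would land outside the kernel allocation. */
int overflow_count(int use_size2)
{
	struct model_table t = { installed, 3 };
	struct model_addr user[4] = { { 0xc0a80001, 0 } };  /* size + xdel entries, as pfr_buf_grow() would provide */
	struct model_io io = { user, 1, 4, PFR_FLAG_FEEDBACK };
	int overflowed = -1;
	if (model_ioctl_setaddrs(&t, &io, use_size2, &overflowed) != 0)
		return -1;
	return overflowed;
}

int main(void)
{
	printf("allocating pfrio_size entries:  %d records past the buffer\n", overflow_count(0));
	printf("allocating pfrio_size2 entries: %d records past the buffer\n", overflow_count(1));
	return 0;
}
```

One thing to check in any fix is the opposite ordering: size2 comes from userland too, so a caller can pass pfrio_size2 smaller than pfrio_size, and an allocation sized only from size2 would then be read past its end by the table code when it walks addr[0..size). Sizing the kernel buffer from the larger of the two values (and validating both against a sane upper bound) avoids that.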