https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290992

            Bug ID: 290992
           Summary: Denial of Service in `quot` via Improper Input
                    Validation in `donames()` (`-n` mode)
           Product: Base System
           Version: 14.3-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: [email protected]
          Reporter: [email protected]

Title: Denial of Service in `quot` via Improper Input Validation in `donames()` (`-n` mode)

Affected Software:
- Utility: quot (disk usage reporting tool in BSD systems)
- File: usr.sbin/quot/quot.c
- Function: donames()
- Likely affected: FreeBSD, NetBSD, OpenBSD, and other BSD derivatives shipping quot

Vulnerability Type:
- CWE-20: Improper Input Validation
- CWE-704: Incorrect Type Conversion or Cast

Summary:
The quot utility, when executed with the -n flag to process a list of inodes
from standard input, fails to properly handle negative values. The function
donames() reads input using `scanf("%ju", &inode)`, which implicitly converts
negative values like `-1` into large unsigned values (e.g.,
18446744073709551615).

If this value exceeds the max inode limit (`maxino`), the code triggers a
return statement, aborting all further processing. As a result, valid entries
following the malformed input are never processed.

Impact:
- Denial of Service (DoS) by halting inode analysis early
- Suppression of valid user accounting
- Potential to skew disk usage reporting

CVSS v3.1 Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Base Score: 6.1 (Medium)

Steps to Reproduce (PoC):

1. Create UFS image:

dd if=/dev/zero of=ufs.img bs=1M count=50
mdconfig -a -t vnode -f ufs.img -u 0
newfs -U /dev/md0
mount /dev/md0 /mnt
touch /mnt/file1 /mnt/file2
umount /mnt

2. Trigger the bug:

printf "1\n2\n-1\n3\n4\n" | quot -n /dev/md0

Expected Output:

/dev/md0:
root
quot: illegal inode 18446744073709551615

Result: Entries "3" and "4" are not processed due to premature return.

Root Cause:

scanf("%ju", &inode); // Negative numbers parsed as large unsigned ints

if (inode > maxino) {
    warnx("illegal inode %ju", inode);
    return;  // Halts processing, breaking expected flow
}
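A hardened version of the input loop, added here as an example (it is neither the quot source nor a patch supplied by the reporter): it rejects signed, non-numeric, overflowing and out-of-range entries before conversion, and keeps reading after a bad line instead of returning. The names parse_inode and process_inode_list are hypothetical, and maxino is passed in as a parameter.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Parse one line (up to '\n' or NUL) as an inode number. Returns 0 and stores
 * the value on success, -1 on malformed input: a leading sign, trailing junk,
 * overflow, or a value above maxino. strtoumax() wraps "-1" to UINTMAX_MAX
 * exactly like scanf("%ju"), so any sign is rejected before conversion. */
static int
parse_inode(const char *line, uintmax_t maxino, uintmax_t *out)
{
	char *end;
	uintmax_t v;
	while (*line == ' ' || *line == '\t')
		line++;
	if (!isdigit((unsigned char)*line))	/* rejects '-', '+', empty, text */
		return (-1);
	errno = 0;
	v = strtoumax(line, &end, 10);
	while (*end == ' ' || *end == '\t')
		end++;
	if (errno == ERANGE || (*end != '\0' && *end != '\n') || v > maxino)
		return (-1);
	*out = v;
	return (0);
}

/* Walk a newline-separated inode list the way a hardened donames() loop
 * would: warn about a bad entry and continue, so later entries are still
 * processed. Returns the number of entries accepted (hypothetical helper). */
static size_t
process_inode_list(const char *input, uintmax_t maxino)
{
	size_t accepted = 0;
	uintmax_t ino;
	for (const char *p = input; *p != '\0';) {
		const char *nl = strchr(p, '\n');
		size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
		if (parse_inode(p, maxino, &ino) == 0)
			accepted++;
		else	/* report and keep going; the original returned here */
			fprintf(stderr, "quot: illegal inode '%.*s'\n", (int)len, p);
		if (nl == NULL)
			break;
		p = nl + 1;
	}
	return (accepted);
}
```

With the PoC input "1\n2\n-1\n3\n4\n" this loop accepts four entries and only reports the "-1" line, instead of stopping before "3" and "4".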

Credits:
Author: Igor Gabriel Sousa e Souza
Email: [email protected]
LinkedIn: https://www.linkedin.com/in/igo0r
