From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 263934] buffer overflow in ffs_sbget() if superblock fields are broken
Date: Thu, 12 May 2022 09:23:39 +0000
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263934

            Bug ID: 263934
           Summary: buffer overflow in ffs_sbget() if superblock fields are
                    broken
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 233866
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233866&action=edit
a disk image that causes a buffer overflow during tasting, due to unexpected
FFS superblock content

ffs_sbget() allocates fs->fs_cssize bytes to hold fs_csp:

        size = fs->fs_cssize;
        ...
        if ((space = UFS_MALLOC(size, filltype, M_WAITOK)) == NULL) {

but it can copy a whole fragment into that space:

        for (i = 0; i < blks; i += fs->fs_frag) {
                ...;
                size = (blks - i) * fs->fs_fsize;
                ...;
                error = (*readfunc)(devfd,
                    dbtob(fsbtodb(fs, fs->fs_csaddr + i)), (void **)&buf, size);
                ...;
                memcpy(space, buf, size);

If fs_cssize is smaller than fs_fsize, the memcpy() can write
attacker-supplied bytes beyond the end of space.

I've attached a disk image containing garbage that looks enough like
FFS for taste to proceed, with fs_cssize = 16 and fs_fsize = 5120.
# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #224 main-n250919-29f81bc20825-dirty: Thu May 12 04:42:56 EDT 2022     rtm@zika:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# mdconfig -f taste6b.img
Memory modified after free 0xffffffd000852b40(24) val=ffffffff @ 0xffffffd000852b40
panic: Fatal page fault at 0xffffffc00051b2b0: 0xffffffff00000070
cpuid = 0
time = 1651916658
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x16e
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1aa
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0xffffffff00000070
mtrash_ctor() at mtrash_ctor+0x86
item_ctor() at item_ctor+0xa0
cache_alloc_item() at cache_alloc_item+0x5a
uma_zalloc_arg() at uma_zalloc_arg+0x58
uma_zalloc() at uma_zalloc+0x10
malloc() at malloc+0x80
ffs_sbget() at ffs_sbget+0x1e8
g_label_ufs_taste_common() at g_label_ufs_taste_common+0x6c
g_label_ufs_volume_taste() at g_label_ufs_volume_taste+0xe
g_label_taste() at g_label_taste+0x198
g_new_provider_event() at g_new_provider_event+0xb8
one_event() at one_event+0x106
g_run_events() at g_run_events+0x8a
g_event_procbody() at g_event_procbody+0x56
fork_exit() at fork_exit+0x80
fork_trampoline() at fork_trampoline+0xa
KDB: enter: panic
[ thread pid 13 tid 100017 ]
Stopped at      breakpoint+0xa: c.ldsp  s0,0(sp)
db>

-- 
You are receiving this mail because:
You are the assignee for the bug.
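The allocation/copy mismatch the report describes, as an added userspace model that is not code from the bug report or from FreeBSD: the loop below follows the shape of the quoted ffs_sbget() fragment (allocate fs_cssize bytes, then copy whole fragments, at most a block per iteration), runs it against a guarded buffer so the overrun is measured instead of corrupting the heap, and pairs it with a hardened variant. The `struct sb`, the in-memory disk image, the `readfunc` stand-in, the two superblock instances (fs_cssize = 16 and fs_fsize = 5120 come from the report; fs_bsize, fs_frag and fs_csaddr are assumed) and the geometry checks in `csum_geometry_ok()` are all this example's own assumptions, not the fix FreeBSD committed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Superblock fields the copy loop consults (names follow UFS; struct constructed here). */
struct sb {
	int32_t fs_cssize;  /* bytes in the csum area: what ffs_sbget() malloc()s */
	int32_t fs_fsize;   /* fragment size */
	int32_t fs_bsize;   /* block size */
	int32_t fs_frag;    /* fragments per block */
	int64_t fs_csaddr;  /* fragment number where the csum area starts */
};

#ifndef howmany
#define howmany(x, y) (((x) + ((y) - 1)) / (y))
#endif

/* Constructed disk image, filled with 0x41 so overrun bytes are recognisable. */
#define DISK_SIZE (256 * 1024)
static unsigned char disk[DISK_SIZE];

/* Stand-in for the readfunc callback: copy `size` bytes at byte offset `off`. */
static int readfunc(int64_t off, void *buf, size_t size)
{
	if (off < 0 || (uint64_t)off > DISK_SIZE || size > DISK_SIZE - (uint64_t)off)
		return -1;
	memset(disk, 0x41, sizeof(disk));
	memcpy(buf, disk + off, size);
	return 0;
}

/* This example's own sanity checks (not the ones FreeBSD committed): a
 * well-formed superblock rounds fs_cssize up to whole fragments, so a
 * value that is not a multiple of fs_fsize is bogus. */
static int csum_geometry_ok(const struct sb *fs)
{
	if (fs->fs_fsize <= 0 || fs->fs_bsize <= 0 || fs->fs_frag <= 0)
		return 0;
	if (fs->fs_bsize % fs->fs_fsize != 0 || fs->fs_bsize / fs->fs_fsize != fs->fs_frag)
		return 0;
	return fs->fs_cssize > 0 && fs->fs_cssize % fs->fs_fsize == 0 && fs->fs_csaddr >= 0;
}

/* Run the loop from the report against an allocation of fs_cssize bytes followed
 * by a zeroed guard region. Returns how many guard bytes were overwritten (0 = no
 * overrun). With `hardened` set, a superblock failing csum_geometry_ok() or a copy
 * that would exceed the allocation is refused and -1 is returned before memcpy(). */
static long csum_copy(const struct sb *fs, int hardened)
{
	if (fs->fs_fsize <= 0 || fs->fs_bsize <= 0 || fs->fs_frag <= 0 || fs->fs_cssize < 0)
		return -1;	/* the model itself needs sane sizes to stay in bounds */
	if (hardened && !csum_geometry_ok(fs))
		return -1;
	int32_t blks = howmany(fs->fs_cssize, fs->fs_fsize);
	size_t alloc = (size_t)fs->fs_cssize;
	/* At most blks iterations of at most fs_bsize bytes: the guard absorbs any overrun. */
	size_t guard = (size_t)blks * (size_t)fs->fs_bsize;
	unsigned char *space = calloc(alloc + guard + 1, 1);
	unsigned char *buf = malloc((size_t)fs->fs_bsize);
	size_t written = 0;
	long result = (space == NULL || buf == NULL) ? -1 : 0;
	for (int32_t i = 0; result == 0 && i < blks; i += fs->fs_frag) {
		size_t size = (size_t)(blks - i) * (size_t)fs->fs_fsize;
		if (size > (size_t)fs->fs_bsize)
			size = (size_t)fs->fs_bsize;
		if (hardened && size > alloc - written) {
			result = -1;	/* would run past the fs_cssize allocation */
			break;
		}
		if (readfunc((fs->fs_csaddr + i) * fs->fs_fsize, buf, size) != 0) {
			result = -1;
			break;
		}
		memcpy(space + written, buf, size);	/* the memcpy() from the report */
		written += size;
	}
	for (size_t k = alloc; result >= 0 && k < alloc + guard; k++)
		result += space[k] != 0;
	free(buf); free(space);
	return result;
}

/* Constructed superblocks: the first takes fs_cssize = 16 and fs_fsize = 5120
 * from the report; fs_bsize, fs_frag and fs_csaddr are assumed. */
static const struct sb bad_sb  = { 16,    5120, 40960, 8, 2 };
static const struct sb good_sb = { 10240, 5120, 40960, 8, 2 };

int main(void)
{
	printf("broken sb, original loop: %ld bytes past allocation\n", csum_copy(&bad_sb, 0));
	printf("broken sb, hardened loop: %ld\n", csum_copy(&bad_sb, 1));
	printf("sane sb, original loop: %ld\n", csum_copy(&good_sb, 0));
	printf("sane sb, hardened loop: %ld\n", csum_copy(&good_sb, 1));
	return 0;
}
```

With the report's values the original loop rounds 16 bytes up to one fragment and copies 5120 bytes into a 16-byte allocation, so 5104 bytes of image content land past the end; the hardened variant rejects that superblock before allocating, and a superblock whose fs_cssize is a fragment multiple behaves identically under both. The real kernel path has additional taste-time checks this model does not reproduce, so treat the geometry test as an illustration of the invariant, not as the committed fix.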