[Bug 267334] ng_parse_composite() passes length to malloc() without check
Date: Tue, 25 Oct 2022 13:10:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267334 Bug ID: 267334 Summary: ng_parse_composite() passes length to malloc() without check Product: Base System Version: CURRENT Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Attachment #237614 text/plain mime type: Created attachment 237614 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237614&action=edit provoke a crash in netgraph ng_parse_composite() In netgraph/ng_parse.c's ng_parse_composite(): const int num = ng_get_composite_len(type, start, buf, ctype); ...; foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT | M_ZERO); ng_get_composite_len() reads num from the message, and it's used without a sanity check. If it's negative, malloc() either page faults or (with INVARIANTS) fails MPASS(size > 0). I've attached a demo that triggers the crash with an NGM_BINARY2ASCII NGM_LISTNAMES control message: # cc ng12a.c -lnetgraph # ./a.out panic: Fatal page fault at 0xffffffc000340f48: 0x27fffd000807460 panic() at panic+0x2a page_fault_handler() at page_fault_handler+0x1d6 do_trap_supervisor() at do_trap_supervisor+0x74 cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70 --- exception 13, tval = 0x27fffd000807460 vmem_alloc() at vmem_alloc+0x76 kmem_malloc_domain() at kmem_malloc_domain+0x52 kmem_malloc_domainset() at kmem_malloc_domainset+0x36 malloc_large() at malloc_large+0x2a malloc() at malloc+0xf8 ng_parse_composite() at ng_parse_composite+0x64 ng_array_getDefault() at ng_array_getDefault+0x24 ng_get_composite_elem_default() at ng_get_composite_elem_default+0x74 ng_unparse_composite() at ng_unparse_composite+0x17e ng_struct_unparse() at ng_struct_unparse+0x42 ng_unparse() at ng_unparse+0x30 ng_generic_msg() at ng_generic_msg+0x96e ng_apply_item() at ng_apply_item+0xf6 ng_snd_item() at ng_snd_item+0x1bc ngc_send() at ngc_send+0x260 sosend_generic() at sosend_generic+0x384 sosend() at sosend+0x68 kern_sendit() at kern_sendit+0x170 sendit() at sendit+0x9c sys_sendto() at sys_sendto+0x40 syscallenter() at syscallenter+0xec ecall_handler() at ecall_handler+0x18 do_trap_user() at do_trap_user+0xf6 cpu_exception_handler_user() at cpu_exception_handler_user+0x72 --- syscall (133, FreeBSD ELF64, sys_sendto) -- You are receiving this mail because: You are the assignee for the bug.