[Bug 267334] ng_parse_composite() passes length to malloc() without check

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 25 Oct 2022 13:10:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267334

            Bug ID: 267334
           Summary: ng_parse_composite() passes length to malloc() without
                    check
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #237614 text/plain
         mime type:

Created attachment 237614
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237614&action=edit
provoke a crash in netgraph ng_parse_composite()

In netgraph/ng_parse.c's ng_parse_composite():

        const int num = ng_get_composite_len(type, start, buf, ctype);
        ...;
        foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT |
M_ZERO);

ng_get_composite_len() reads num from the message, and it's used
without a sanity check. If it's negative, malloc() either page
faults or (with INVARIANTS) fails MPASS(size > 0).

I've attached a demo that triggers the crash with an NGM_BINARY2ASCII
NGM_LISTNAMES control message:

# cc ng12a.c -lnetgraph
# ./a.out
panic: Fatal page fault at 0xffffffc000340f48: 0x27fffd000807460
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x27fffd000807460
vmem_alloc() at vmem_alloc+0x76
kmem_malloc_domain() at kmem_malloc_domain+0x52
kmem_malloc_domainset() at kmem_malloc_domainset+0x36
malloc_large() at malloc_large+0x2a
malloc() at malloc+0xf8
ng_parse_composite() at ng_parse_composite+0x64
ng_array_getDefault() at ng_array_getDefault+0x24
ng_get_composite_elem_default() at ng_get_composite_elem_default+0x74
ng_unparse_composite() at ng_unparse_composite+0x17e
ng_struct_unparse() at ng_struct_unparse+0x42
ng_unparse() at ng_unparse+0x30
ng_generic_msg() at ng_generic_msg+0x96e
ng_apply_item() at ng_apply_item+0xf6
ng_snd_item() at ng_snd_item+0x1bc
ngc_send() at ngc_send+0x260
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)

-- 
You are receiving this mail because:
You are the assignee for the bug.