From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 267334] ng_parse_composite() passes length to malloc() without check
Date: Tue, 25 Oct 2022 13:10:36 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267334

            Bug ID: 267334
           Summary: ng_parse_composite() passes length to malloc() without check
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #237614 text/plain
         mime type:

Created attachment 237614
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=237614&action=edit
provoke a crash in netgraph ng_parse_composite()

In netgraph/ng_parse.c's ng_parse_composite():

  const int num = ng_get_composite_len(type, start, buf, ctype);
  ...;
  foff = malloc(num * sizeof(*foff), M_NETGRAPH_PARSE, M_NOWAIT | M_ZERO);

ng_get_composite_len() reads num from the message, and it's used without a
sanity check. If it's negative, malloc() either page faults or (with
INVARIANTS) fails MPASS(size > 0).

I've attached a demo that triggers the crash with an NGM_BINARY2ASCII
NGM_LISTNAMES control message:

# cc ng12a.c -lnetgraph
# ./a.out

panic: Fatal page fault at 0xffffffc000340f48: 0x27fffd000807460
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1d6
do_trap_supervisor() at do_trap_supervisor+0x74
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x27fffd000807460
vmem_alloc() at vmem_alloc+0x76
kmem_malloc_domain() at kmem_malloc_domain+0x52
kmem_malloc_domainset() at kmem_malloc_domainset+0x36
malloc_large() at malloc_large+0x2a
malloc() at malloc+0xf8
ng_parse_composite() at ng_parse_composite+0x64
ng_array_getDefault() at ng_array_getDefault+0x24
ng_get_composite_elem_default() at ng_get_composite_elem_default+0x74
ng_unparse_composite() at ng_unparse_composite+0x17e
ng_struct_unparse() at ng_struct_unparse+0x42
ng_unparse() at ng_unparse+0x30
ng_generic_msg() at ng_generic_msg+0x96e
ng_apply_item() at ng_apply_item+0xf6
ng_snd_item() at ng_snd_item+0x1bc
ngc_send() at ngc_send+0x260
sosend_generic() at sosend_generic+0x384
sosend() at sosend+0x68
kern_sendit() at kern_sendit+0x170
sendit() at sendit+0x9c
sys_sendto() at sys_sendto+0x40
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xf6
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (133, FreeBSD ELF64, sys_sendto)

-- 
You are receiving this mail because:
You are the assignee for the bug.
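The unchecked size computation the report describes, modelled in userland as an added example; this is not code from ng_parse.c, from netgraph, or from the reporter's attachment. It takes the message-supplied count as a plain int parameter (ng_get_composite_len() is not modelled), uses calloc() as a stand-in for the kernel's malloc(..., M_NOWAIT | M_ZERO), and the element type foff_t and the cap MAX_COMPOSITE_ELEMS are assumptions of the example. It shows why a negative int turns into an enormous allocation request, and what a check placed before the multiply looks like.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed element type for the per-field offset array (the kernel's *foff). */
typedef int foff_t;

/* Assumed upper bound on the number of elements a composite may declare.
 * The real driver would derive a bound from the type definition; any finite
 * cap is better than trusting a count read off the wire. */
#define MAX_COMPOSITE_ELEMS 65536

/*
 * Size the allocator would be asked for if num is used unchecked, exactly as
 * in "malloc(num * sizeof(*foff), ...)". The int is converted to size_t before
 * the multiply, so a negative count becomes a huge unsigned request:
 * with 4-byte elements, -1 yields SIZE_MAX - 3.
 */
size_t unchecked_request_bytes(int num)
{
    return num * sizeof(foff_t);
}

/*
 * Validate a message-supplied element count before it reaches the allocator.
 * Returns 0 when num is usable, -1 when the message should be rejected
 * (a kernel caller would return EINVAL at this point).
 */
int validate_composite_len(int num)
{
    if (num < 0)                                  /* sign is attacker-controlled */
        return -1;
    if (num > MAX_COMPOSITE_ELEMS)                /* positive but unreasonable */
        return -1;
    if ((size_t)num > SIZE_MAX / sizeof(foff_t))  /* the multiply must not wrap */
        return -1;
    return 0;
}

/*
 * Hardened allocation: check first, only then multiply and allocate.
 * NULL means "rejected or out of memory"; a zero-length composite still gets
 * a one-element buffer so that NULL never signals success.
 */
foff_t *alloc_offsets_checked(int num)
{
    if (validate_composite_len(num) != 0)
        return NULL;
    size_t n = (num == 0) ? 1 : (size_t)num;
    return calloc(n, sizeof(foff_t));   /* stands in for M_NOWAIT | M_ZERO */
}

int main(void)
{
    /* Constructed sample counts: one benign, one empty, three hostile. */
    const int samples[] = { 4, 0, -1, INT_MIN, INT_MAX };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int num = samples[i];
        foff_t *p = alloc_offsets_checked(num);
        printf("num=%11d  unchecked request=%20zu bytes  hardened: %s\n",
               num, unchecked_request_bytes(num), p ? "allocated" : "rejected");
        free(p);
    }
    return 0;
}
```

The order of the checks matters: the sign test and the cap run on the int before it is ever combined with sizeof(), so the wrap the report triggers never happens; the SIZE_MAX division is redundant under the cap but documents the invariant if the cap is ever raised.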