[Bug 266136] ctl_ioctl() passes user-supplied size directly to kernel malloc() -> potential crash

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 266136] ctl_ioctl() passes user-supplied size directly to kernel malloc() -> potential crash"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 07 Sep 2022 02:08:32 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266136

--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=0586be48a97c5af50ba4f578d33211f81cc57016

commit 0586be48a97c5af50ba4f578d33211f81cc57016
Author:     Alexander Motin <mav@FreeBSD.org>
AuthorDate: 2022-09-07 01:58:27 +0000
Commit:     Alexander Motin <mav@FreeBSD.org>
CommitDate: 2022-09-07 01:58:27 +0000

    CTL: Validate IOCTL parameters.

    It was possible to cause kernel panic by passing too large args_len
    or non-NULL result_nvl.

    Though since the /dev/cam/ctl device is accessible only by root and
    used only by limited number of tools it was not a big problem.

    PR:     266115
    PR:     266136
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    MFC after:      1 week

 sys/cam/ctl/ctl.c       | 14 ++++++++++++++
 sys/cam/ctl/ctl_ioctl.h |  1 +
 2 files changed, 15 insertions(+)

-- 
You are receiving this mail because:
You are the assignee for the bug.