[Bug 273328] [Security] Array index error in sys/dev/iir/iir.c

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 24 Aug 2023 12:46:05 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273328

            Bug ID: 273328
           Summary: [Security] Array index error in sys/dev/iir/iir.c
           Product: Base System
           Version: 13.2-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: thresh416@outlook.com

Branch
stable/13, releng/13.0, releng/13.1, releng/13.2

What is the security issue or vulnerability?
An array index error may occur in int gdt_read_event(int handle, gdt_evt_str
*estr) in sys/dev/iir/iir.c.
If handle is set to a negative integer other than -1, it is passed to eindex,
which is used in e = &ebuffer[eindex]; at line 1862, which results in an
array index error. However, handle isn't constrained by any caller of this
function.
The vulnerability bears similarity to CVE-2009-3080, which means it may cause a
denial of service or possibly allow gaining privileges via a negative event
index in an IOCTL request.

Security issue or vulnerability information
CVE-2009-3080's description: https://nvd.nist.gov/vuln/detail/CVE-2009-3080
CVE-2009-3080's patch commit: https://github.com/torvalds/linux/commit/690e744869f3262855b83b4fb59199cf142765b0

-- 
You are receiving this mail because:
You are the assignee for the bug.
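
Added example, not part of the bug report or the FreeBSD source: a simplified model of the index handling described above, showing why a signed index passes an upper-bound-only test and what a two-sided check looks like. MAX_EVENTS, evt_t, accepts_upper_only and read_event_checked are hypothetical names, and the upper-bound-only test is an assumption about the reported code, not a quotation of it.

```c
#include <string.h>

#define MAX_EVENTS 100          /* assumed ring size, not taken from the driver */

typedef struct {                /* hypothetical stand-in for gdt_evt_str */
    int event_source;
    int data;
} evt_t;

static evt_t ebuffer[MAX_EVENTS];   /* constructed event ring */
static int eoldidx;                 /* index of the oldest event */

/* Check pattern assumed for the reported code: only -1 is special-cased and
 * only the upper bound is tested. Returns 1 if the index would be used. */
int accepts_upper_only(int handle)
{
    int eindex = (handle == -1) ? eoldidx : handle;
    return eindex < MAX_EVENTS;     /* signed compare: -5 < 100 is true */
}

/* Hardened read: reject every index outside [0, MAX_EVENTS) before the
 * ebuffer access. Returns 0 and fills *estr on success, -1 on rejection. */
int read_event_checked(int handle, evt_t *estr)
{
    int eindex = (handle == -1) ? eoldidx : handle;

    memset(estr, 0, sizeof(*estr));
    if (eindex < 0 || eindex >= MAX_EVENTS)
        return -1;
    memcpy(estr, &ebuffer[eindex], sizeof(*estr));
    return 0;
}

int main(void)
{
    evt_t out;

    ebuffer[3].event_source = 1;    /* constructed sample event */
    ebuffer[3].data = 42;
    /* Exit status 0 when the negative handle is rejected and slot 3 is read. */
    return (read_event_checked(-5, &out) == -1 &&
            read_event_checked(3, &out) == 0) ? 0 : 1;
}
```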