freebsd-dev/sys/libkern
David Bright 2b08b42bae iconv uses strlen directly on user supplied memory
`iconv_sysctl_add` from `sys/libkern/iconv.c` incorrectly limits the
size of user strings, such that several out of bounds reads could have
been possible.

static int
iconv_sysctl_add(SYSCTL_HANDLER_ARGS)
{
	struct iconv_converter_class *dcp;
	struct iconv_cspair *csp;
	struct iconv_add_in din;
	struct iconv_add_out dout;
	int error;

	error = SYSCTL_IN(req, &din, sizeof(din));
	if (error)
		return error;
	if (din.ia_version != ICONV_ADD_VER)
		return EINVAL;
	if (din.ia_datalen > ICONV_CSMAXDATALEN)
		return EINVAL;
	if (strlen(din.ia_from) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strlen(din.ia_to) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strlen(din.ia_converter) >= ICONV_CNVNMAXLEN)
		return EINVAL;
...

Since the `din` struct is directly copied from userland, there is no
guarantee that the strings supplied will be NULL terminated. The
`strlen` calls could continue reading past the designated buffer
sizes.

Declaration of `struct iconv_add_in` is found in `sys/sys/iconv.h`:

struct iconv_add_in {
	int	ia_version;
	char	ia_converter[ICONV_CNVNMAXLEN];
	char	ia_to[ICONV_CSNMAXLEN];
	char	ia_from[ICONV_CSNMAXLEN];
	int	ia_datalen;
	const void *ia_data;
};

Our strings are followed by the `ia_datalen` member, which is checked
before the `strlen` calls:

if (din.ia_datalen > ICONV_CSMAXDATALEN)

Since `ICONV_CSMAXDATALEN` has value `0x41000` (and is `unsigned`),
this ensures that `din.ia_datalen` contains at least 1 byte of 0, so
it is not possible to trigger a read out of bounds of the `struct`
however, this code is fragile and could introduce subtle bugs in the
future if the `struct` is ever modified.

PR:		207302
Submitted by:	CTurt <cturt@hardenedbsd.org>
Reported by:	CTurt <cturt@hardenedbsd.org>
Reviewed by:	jhb, vangyzen
MFC after:	1 week
Sponsored by:	Dell EMC
Differential Revision:	https://reviews.freebsd.org/D14521
2018-02-26 18:23:36 +00:00
..
arm sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
arm64 arm64: add ".arch armv8-a+crc" to allow use of crc instructions 2017-06-08 20:06:09 +00:00
x86 x86/crc32_sse42.c: quiet unused function warning 2017-08-11 17:05:31 +00:00
arc4random.c Replace the RC4 algorithm for generating in-kernel secure random 2017-04-16 09:11:02 +00:00
ashldi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ashrdi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
asprintf.c Implement asprintf in libkern 2015-03-01 00:22:16 +00:00
bcd.c Use time_t for intermediate values to avoid overflow in clock_ts_to_ct 2017-01-24 18:05:29 +00:00
bcmp.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
bsearch.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
cmpdi2.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
crc32.c Continuing efforts to provide hardening of FFS, this change adds a 2017-09-22 12:45:15 +00:00
divdi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
explicit_bzero.c
ffs.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ffsl.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ffsll.c libkern: ffs, fls: s/4/3/ the 3rd BSD clause 2015-10-22 21:04:47 +00:00
fls.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
flsl.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
flsll.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
fnmatch.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
iconv_converter_if.m
iconv_ucs.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
iconv_xlat16.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
iconv_xlat.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
iconv.c iconv uses strlen directly on user supplied memory 2018-02-26 18:23:36 +00:00
inet_aton.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
inet_ntoa.c Remove inet_ntoa() from the kernel 2017-02-16 20:50:01 +00:00
inet_ntop.c
inet_pton.c
jenkins_hash.c
lshrdi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
mcount.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
memcchr.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
memchr.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
memcmp.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
memmem.c libkern: Remove obsolete 'register' keyword 2017-01-12 17:02:29 +00:00
memmove.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
memset.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
moddi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
murmur3_32.c
qdivrem.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
qsort_r.c
qsort.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
quad.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
random.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
scanc.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strcasecmp.c spdx: initial adoption of licensing ID tags. 2017-11-18 14:26:50 +00:00
strcat.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strchr.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strcmp.c libkern: use nul for terminating char rather than 0 2018-02-13 19:17:48 +00:00
strcpy.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strcspn.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
strdup.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
strlcat.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
strlcpy.c
strlen.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
strncat.c libkern: use nul for terminating char rather than 0 2018-02-13 19:17:48 +00:00
strncmp.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strncpy.c libkern: use nul for terminating char rather than 0 2018-02-13 19:17:48 +00:00
strndup.c
strnlen.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
strrchr.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strsep.c libkern: use nul for terminating char rather than 0 2018-02-13 19:17:48 +00:00
strspn.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
strstr.c libkern: use nul for terminating char rather than 0 2018-02-13 19:17:48 +00:00
strtol.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strtoq.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strtoul.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strtouq.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
strvalid.c sys/kern: adoption of SPDX licensing ID tags. 2017-11-27 15:20:12 +00:00
timingsafe_bcmp.c Add some new modes to OpenCrypto. These modes are AES-ICM (can be used 2014-12-12 19:56:36 +00:00
ucmpdi2.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
udivdi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
umoddi3.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
zlib.c Remove register keyword from sys/ and ANSIfy prototypes 2017-05-17 00:34:34 +00:00