d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Impose a limit on the number of GEOM_CTL arguments.

Browse Source 
Otherwise a privileged user can trigger a memory allocation of
unbounded size, or an integer overflow in the subsequent
geom_alloc_copyin() call, leading to out-of-bounds accesses.

Hard-code a large limit to circumvent this problem.

admbug:		854
Reported by:	Anonymous of the Shellphish Grill Team
Reviewed by:	ae
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19251
This commit is contained in:
markj 2019-02-19 21:22:22 +00:00
parent 2fa70908ad
commit 467f20b505
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/geom/geom_ctl.c
View File

@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req)
char *p;
u_int i;
if (req->narg > 2048) {
gctl_error(req, "too many arguments");
req->arg = NULL;
return;
}
ap = geom_alloc_copyin(req, req->arg, req->narg * sizeof(*ap));
if (ap == NULL) {
gctl_error(req, "bad control request");