hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-23 14:11:13 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Impose a limit on the number of GEOM_CTL arguments.

Browse Source 
Otherwise a privileged user can trigger a memory allocation of
unbounded size, or an integer overflow in the subsequent
geom_alloc_copyin() call, leading to out-of-bounds accesses.

Hard-code a large limit to circumvent this problem.

admbug:		854
Reported by:	Anonymous of the Shellphish Grill Team
Reviewed by:	ae
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D19251
This commit is contained in:
Mark Johnston 2019-02-19 21:22:22 +00:00
parent b1ece24388
commit 60a92c781d
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=344305
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/geom/geom_ctl.c
View File

@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req)
char *p;
u_int i;
if (req->narg > 2048) {
gctl_error(req, "too many arguments");
req->arg = NULL;
return;
}
ap = geom_alloc_copyin(req, req->arg, req->narg * sizeof(*ap));
if (ap == NULL) {
gctl_error(req, "bad control request");