Page MenuHomeFreeBSD
Differential D26637

kldxref: Avoid buffer overflows in parse_pnp_list
ClosedPublic
Actions

Authored by jrtc27 on Oct 2 2020, 4:02 AM.
Tags
None
Referenced Files
Unknown Object (File)
Feb 23 2024, 10:52 AM
Unknown Object (File)
Jan 12 2024, 7:00 AM
Unknown Object (File)
Jan 1 2024, 10:45 PM
Unknown Object (File)
Dec 31 2023, 11:16 AM
Unknown Object (File)
Dec 20 2023, 6:15 AM
Unknown Object (File)
Dec 3 2023, 12:49 PM
Unknown Object (File)
Dec 3 2023, 12:49 PM
Unknown Object (File)
Dec 3 2023, 12:49 PM
View All 27 Files
Subscribers
None

Details

Reviewers
brooks
emaste
imp
jhb
kib
Commits
rS366736: kldxref: Avoid buffer overflows in parse_pnp_list
Summary

We convert a string like "W32:vendor/device" into "I:vendor;I:device",
where the output is longer than the input, but only allocate space equal
to the length of the input, leading to a buffer overflow.

Instead use open_memstream so we get a safe dynamically-grown buffer.

Found by: CHERI
Obtained from: CheriBSD

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jrtc27 requested review of this revision.Oct 2 2020, 4:02 AM
jrtc27 created this revision.
Harbormaster completed remote builds in B33942: Diff 77766.Oct 2 2020, 4:02 AM
imp accepted this revision.Oct 2 2020, 4:10 AM

It would be better to just ignore this entry on errors... However, we don't do that for others, so that would be a stretch goal.

I'd originally thought this was safe since all strings were shorter, but this one clearly isn't... So I like your solution better.

usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

It would be better to just ignore this module in this case.

This revision is now accepted and ready to land.Oct 2 2020, 4:10 AM
kib added inline comments.Oct 2 2020, 10:10 AM
usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

I think a vitally important data to print for user is the kld name that is causing troubles. At least, the file can be removed and kldxref re-run.

jrtc27 added inline comments.Oct 2 2020, 4:14 PM
usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

I think a vitally important data to print for user is the kld name that is causing troubles. At least, the file can be removed and kldxref re-run.

The same is true for all the other errors in this function and others like record_buf and record_string, as well as everything that calls check. Ideally the error reporting would be overhauled, but the file name is not currently available here so that change would be more invasive (and would only fix one of the many problems). Plus if you get one of these cryptic errors you can run it with -v to see what file it choked on.

jrtc27 added inline comments.Oct 2 2020, 4:16 PM
usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

Well, check itself is a bit dodgy (a hidden break on error) but not inherently problematic, except that parse_entry's return value is never consulted. Lots of issues here if you want good error reporting.

jhb added a comment.Oct 2 2020, 4:16 PM

I would suggest using open_memstream() and let it auto-grow the buffer. You would only need a single error check at the point of fclose().

jrtc27 updated this revision to Diff 78176.Oct 13 2020, 6:10 PM

Use open_memstream instead of a fixed buffer size

This revision now requires review to proceed.Oct 13 2020, 6:10 PM
Harbormaster completed remote builds in B34135: Diff 78176.Oct 13 2020, 6:10 PM
jhb accepted this revision.Oct 13 2020, 6:18 PM
This revision is now accepted and ready to land.Oct 13 2020, 6:18 PM
jrtc27 edited the summary of this revision. (Show Details)Oct 13 2020, 6:39 PM
imp accepted this revision.Oct 13 2020, 6:46 PM

Looks good to me. Beats using sbuf since it is more portable

jrtc27 updated this revision to Diff 78178.Oct 13 2020, 6:47 PM

Avoid shadowing existing char type[8]

The code was correct but it's confusing.

This revision now requires review to proceed.Oct 13 2020, 6:47 PM
Harbormaster completed remote builds in B34137: Diff 78178.Oct 13 2020, 6:47 PM
This revision was not accepted when it landed; it landed in state Needs Review.Oct 15 2020, 6:03 PM
Closed by commit rS366736: kldxref: Avoid buffer overflows in parse_pnp_list (authored by jrtc27). · Explain Why
This revision was automatically updated to reflect the committed changes.
jrtc27 added a commit: rS366736: kldxref: Avoid buffer overflows in parse_pnp_list.

Revision Contents
Changeset List

PathSize
head/
usr.sbin/
kldxref/
45 lines

Diff 78273

View Options

head/usr.sbin/kldxref/kldxref.c

Loading...