Page MenuHomeFreeBSD
Differential D51615

hastd: Fix nv data size check
ClosedPublic
Actions

Authored by des on Jul 29 2025, 6:01 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 10, 5:26 AM
Unknown Object (File)
Fri, Oct 10, 5:26 AM
Unknown Object (File)
Fri, Oct 10, 5:26 AM
Unknown Object (File)
Fri, Oct 10, 5:26 AM
Unknown Object (File)
Fri, Oct 10, 5:26 AM
Unknown Object (File)
Thu, Oct 9, 11:57 PM
Unknown Object (File)
Mon, Sep 22, 3:02 AM
Unknown Object (File)
Sat, Sep 20, 5:39 PM
View All 32 Files
Subscribers
imp
markj

Details

Reviewers
pjd
markj
Commits
rGebd7ad28151b: hastd: Fix nv data size check
rG62df4a7dd8e0: hastd: Fix nv data size check
rG3caee2a93f23: hastd: Fix nv data size check
Summary

The data size check, as currently written, can be defeated by providing
a very large number that rounds up to 0, which will pass the check
(because zero plus the size of the header and name is smaller than the
size of the message) but cause a segfault later when used to index the
data array.

Rewrite the data size check to take rounding into account, and add a
cast to ensure the name size can't round up to zero.

MFC after: 1 week
PR: 266827

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

des created this revision.Jul 29 2025, 6:01 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 29 2025, 6:01 PM
des requested review of this revision.Jul 29 2025, 6:01 PM
Harbormaster completed remote builds in B65830: Diff 159411.Jul 29 2025, 6:01 PM
markj added a subscriber: markj.Aug 4 2025, 5:15 PM
markj added inline comments.
sbin/hastd/nv.c
250–251

Isn't it still possible to have roundup2(dsize, 8) < size - NVH_HSIZE(nvh) even if the newly added check passes? Will that cause problems when ptr and size are adjusted at the end of the loop?

des added inline comments.Aug 4 2025, 5:28 PM
sbin/hastd/nv.c
250–251

You're right, if dsize is smaller than size - NVH_SIZE(nvh) but rounds up to something larger, then size ends up wrapping around.

des updated this revision to Diff 159716.Aug 4 2025, 5:29 PM

better

Harbormaster completed remote builds in B65949: Diff 159716.Aug 4 2025, 5:29 PM
des marked an inline comment as done.Aug 4 2025, 5:29 PM
markj accepted this revision.Aug 4 2025, 5:37 PM

I think this patch fixes the problem at hand, but see the inline comment.

sbin/hastd/nv.c
231

NVH_HSIZE() also has a problem if roundup2(nvh->nvh_namesize, 8) == 0, I think.

This revision is now accepted and ready to land.Aug 4 2025, 5:37 PM
des added inline comments.Aug 5 2025, 8:14 AM
sbin/hastd/nv.c
231

I'm tempted to just put a hard limit of INT_MAX on both nvh_namesize and nvh_dsize...

231

that won't be enough on 32-bit platforms though :(

des edited the summary of this revision. (Show Details)Aug 5 2025, 9:19 AM
des marked an inline comment as done.
des updated this revision to Diff 159747.Aug 5 2025, 9:20 AM

namesize

This revision now requires review to proceed.Aug 5 2025, 9:20 AM
Harbormaster completed remote builds in B65964: Diff 159747.Aug 5 2025, 9:20 AM
markj accepted this revision.Aug 5 2025, 12:50 PM
This revision is now accepted and ready to land.Aug 5 2025, 12:50 PM
Closed by commit rG3caee2a93f23: hastd: Fix nv data size check (authored by des). · Explain WhyAug 6 2025, 1:51 PM
This revision was automatically updated to reflect the committed changes.
des added a commit: rG3caee2a93f23: hastd: Fix nv data size check.
des added a commit: rG62df4a7dd8e0: hastd: Fix nv data size check.Aug 14 2025, 4:04 PM
des added a commit: rGebd7ad28151b: hastd: Fix nv data size check.

Revision Contents
Changeset List

PathSize
sbin/
hastd/
9 lines

Diff 159860

View Options

sbin/hastd/nv.c

Loading...