
libnv: fix heap overflow in nvlist_recv()
ClosedPublic

Authored by oshogbo on Apr 10 2026, 9:28 AM.

Details

Summary

nvlist_check_header() validated nvlh_size for overflow before
performing the conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071
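The check-then-convert ordering described in the summary, as an added example written for this page rather than libnv's own code: a simplified header model with the same field order as nvlist_header (magic, version, flags, descriptors, size), the vulnerable and the fixed check order side by side, and a crafted header that claims the opposite endianness of the host so that its raw value passes the range check while the byte-swapped value makes sizeof(header) + size wrap to a few bytes. The flag value, helper names and the 64-bit host are assumptions; the demo is endian-agnostic because the crafted header always claims the endianness the host does not use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the wire header, built for this illustration (not
 * libnv's code).  Field order mirrors nvlist_header; the flag value is an
 * assumed constant for the demo.
 */
struct hdr {
	uint8_t  magic;
	uint8_t  version;
	uint8_t  flags;
	uint64_t descriptors;
	uint64_t size;
} __attribute__((packed));

#define FLAG_BIG_ENDIAN 0x80	/* assumed: "multi-byte fields are big-endian" */

static bool
host_is_big_endian(void)
{
	const uint16_t probe = 1;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return (first == 0);
}

static uint64_t
swap64(uint64_t v)
{
	uint64_t r = 0;

	for (int i = 0; i < 8; i++)
		r = (r << 8) | ((v >> (8 * i)) & 0xff);
	return (r);
}

/* Convert a wire value to host order according to the header's flag. */
static uint64_t
wire_to_host(uint8_t flags, uint64_t raw)
{
	bool wire_be = (flags & FLAG_BIG_ENDIAN) != 0;

	return (wire_be == host_is_big_endian() ? raw : swap64(raw));
}

/* Vulnerable order: range-check the raw field, then byte-swap it. */
bool
alloc_size_vulnerable(const struct hdr *h, size_t *out)
{
	if (h->size > SIZE_MAX - sizeof(*h))	/* checks the un-swapped value */
		return (false);
	uint64_t size = wire_to_host(h->flags, h->size);
	*out = sizeof(*h) + (size_t)size;	/* unsigned wrap-around happens here */
	return (true);
}

/* Fixed order: byte-swap first, then range-check the value actually used. */
bool
alloc_size_fixed(const struct hdr *h, size_t *out)
{
	uint64_t size = wire_to_host(h->flags, h->size);

	if (size > SIZE_MAX - sizeof(*h))
		return (false);
	*out = sizeof(*h) + (size_t)size;
	return (true);
}

/*
 * Attacker-controlled header (constructed input): claim the endianness the
 * host does not use, and pick a size whose raw reading passes the check but
 * whose swapped reading is 16 bytes below SIZE_MAX.
 */
void
craft_header(struct hdr *h)
{
	memset(h, 0, sizeof(*h));
	h->flags = host_is_big_endian() ? 0 : FLAG_BIG_ENDIAN;
	h->size = 0xf0ffffffffffffffULL;	/* swaps to 0xfffffffffffffff0 */
}

/* True when copying the header into a buffer of 'alloc' bytes overruns it. */
bool
header_copy_overflows(size_t alloc)
{
	return (alloc < sizeof(struct hdr));
}

int
main(void)
{
	struct hdr h;
	size_t vuln = 0, fixed = 0;

	craft_header(&h);
	bool vok = alloc_size_vulnerable(&h, &vuln);
	bool fok = alloc_size_fixed(&h, &fixed);
	printf("vulnerable order: accepted=%d alloc=%zu header=%zu overflow=%d\n",
	    vok, vuln, sizeof(h), header_copy_overflows(vuln));
	printf("fixed order:      accepted=%d\n", fok);
	return (0);
}
```

With the vulnerable order the crafted header is accepted and the computed allocation is sizeof(header) - 16 bytes (3 bytes for the packed 19-byte model), so a receiver that allocates that much and copies the header into it overruns the heap chunk by a handful of bytes, which is the small overwrite the review thread notes a non-ASAN test run would not notice. With the fixed order the same header is rejected before any allocation size is computed.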

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 72505
Build 69388: arc lint + arc unit

Event Timeline

The commit log should include a "Fixes" tag. Presumably it also deserves an SA and a regression test?

Thanks for the review markj@

oshogbo edited the summary of this revision.
lib/libnv/tests/Makefile, line 6 (On Diff #175905)

Why make it conditional on ASAN?

lib/libnv/tests/Makefile, line 8 (On Diff #175905)

Why not just add this test to the existing send_recv_test file?

lib/libnv/tests/nvlist_header_overflow_test.c, line 2 (On Diff #175905)

Missing an SPDX license identifier.

lib/libnv/tests/nvlist_header_overflow_test.c, line 43 (On Diff #175905)

We should test both the little-endian and big-endian cases.

lib/libnv/tests/Makefile, line 6 (On Diff #175905)

Because without ASAN this test will not detect the bug, as the heap overwrite is too small. In such a case this will give a false positive that everything works.

This is why I also moved this to separate file.

lib/libnv/tests/Makefile, line 6 (On Diff #175905)

The other file has this NO_ASAN hack to accomplish the same goal, so I still don't see why it needs to be a separate file.

I think our tests should be run unconditionally, and we should just run our tests with ASAN enabled by default. One step at a time. The disadvantage of disabling the test when ASAN is not configured is that you don't get any coverage at all. If I run the test suite with UBSAN enabled instead, this test doesn't run, even though it could find a new bug.

lib/libnv/tests/Makefile, line 6 (On Diff #175905)

Oh, that's a fair point. Somehow I didn't realize we already have NO_ASAN in the test. That's a fair point. I will rewrite this.

Add little endian test. Merge files.

This revision is now accepted and ready to land. Apr 28 2026, 2:41 PM