Page MenuHomeFreeBSD

kldxref: Avoid buffer overflows in parse_pnp_list
ClosedPublic

Authored by jrtc27 on Oct 2 2020, 4:02 AM.
Tags
None
Referenced Files
F106578207: D26637.id77766.diff
Thu, Jan 2, 3:45 AM
Unknown Object (File)
Sat, Dec 28, 7:10 PM
Unknown Object (File)
Sat, Dec 21, 3:18 AM
Unknown Object (File)
Sat, Dec 21, 2:59 AM
Unknown Object (File)
Sat, Dec 21, 12:20 AM
Unknown Object (File)
Nov 30 2024, 11:43 PM
Unknown Object (File)
Nov 30 2024, 11:43 PM
Unknown Object (File)
Nov 30 2024, 11:42 PM
Subscribers
None

Details

Summary

We convert a string like "W32:vendor/device" into "I:vendor;I:device",
where the output is longer than the input, but only allocate space equal
to the length of the input, leading to a buffer overflow.

Instead use open_memstream so we get a safe dynamically-grown buffer.

Found by: CHERI
Obtained from: CheriBSD

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jrtc27 requested review of this revision.Oct 2 2020, 4:02 AM
jrtc27 created this revision.

It would be better to just ignore this entry on errors... However, we don't do that for others, so that would be a stretch goal.

I'd originally thought this was safe since all strings were shorter, but this one clearly isn't... So I like your solution better.

usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

It would be better to just ignore this module in this case.

This revision is now accepted and ready to land.Oct 2 2020, 4:10 AM
usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

I think a vitally important data to print for user is the kld name that is causing troubles. At least, the file can be removed and kldxref re-run.

usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

I think a vitally important data to print for user is the kld name that is causing troubles. At least, the file can be removed and kldxref re-run.

The same is true for all the other errors in this function and others like record_buf and record_string, as well as everything that calls check. Ideally the error reporting would be overhauled, but the file name is not currently available here so that change would be more invasive (and would only fix one of the many problems). Plus if you get one of these cryptic errors you can run it with -v to see what file it choked on.

usr.sbin/kldxref/kldxref.c
383 ↗(On Diff #77766)

Well, check itself is a bit dodgy (a hidden break on error) but not inherently problematic, except that parse_entry's return value is never consulted. Lots of issues here if you want good error reporting.

I would suggest using open_memstream() and let it auto-grow the buffer. You would only need a single error check at the point of fclose().

Use open_memstream instead of a fixed buffer size

This revision now requires review to proceed.Oct 13 2020, 6:10 PM
This revision is now accepted and ready to land.Oct 13 2020, 6:18 PM

Looks good to me. Beats using sbuf since it is more portable

Avoid shadowing existing char type[8]

The code was correct but it's confusing.

This revision now requires review to proceed.Oct 13 2020, 6:47 PM
This revision was not accepted when it landed; it landed in state Needs Review.Oct 15 2020, 6:03 PM
This revision was automatically updated to reflect the committed changes.