Add a bounds check to the tws(4) passthrough ioctl handler.

Description

tws_passthru() was doing a copyin of a user-specified request
without validating its length, so a malicious request could overrun
the buffer. By default, the tws(4) device file is only accessible
as root.

admbug: 825
Reported by: Anonymous of the Shellphish Grill Team
Reviewed by: delphij
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D18536

Details

Provenance
markj Authored on Jan 5 2019, 3:28 PM
Parents
rGa9f7119bb8dd: With buggy int13 ah=15, we can mis-identify the floppy devices.
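
The class of fix described in the commit message, as an added userland sketch that is not the tws(4) driver's code or part of this commit. The struct layouts, `REQ_BUF_SIZE`, `mock_copyin()` and all function names are assumptions made for illustration; the length is modelled as an unsigned field so a single upper-bound comparison covers every out-of-range value.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define REQ_BUF_SIZE 64            /* hypothetical driver-side buffer size */

/* Hypothetical passthrough request as handed in through the ioctl. */
struct pt_request {
    const void *user_buf;          /* caller-supplied data pointer */
    uint32_t    user_len;          /* caller-supplied length, untrusted */
};

/* Hypothetical per-command state; guard detects writes past buf. */
struct pt_cmd {
    uint8_t  buf[REQ_BUF_SIZE];
    uint32_t guard;
};

/* Userland stand-in for the kernel's copyin(uaddr, kaddr, len). */
static int mock_copyin(const void *uaddr, void *kaddr, size_t len)
{
    if (uaddr == NULL)
        return EFAULT;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Before: length taken from the caller and used as-is (not called here). */
int passthru_unchecked(struct pt_cmd *cmd, const struct pt_request *req)
{
    return mock_copyin(req->user_buf, cmd->buf, req->user_len);
}

/* After: reject any length larger than the destination before copying. */
int passthru_checked(struct pt_cmd *cmd, const struct pt_request *req)
{
    if (req->user_len > sizeof(cmd->buf))
        return EINVAL;
    return mock_copyin(req->user_buf, cmd->buf, req->user_len);
}

/* Constructed input: returns the handler's error code, or -1 if guard changed. */
int demo(uint32_t len)
{
    static const uint8_t payload[2 * REQ_BUF_SIZE] = { 0x41 };
    struct pt_cmd cmd = { .guard = 0xfeedfaceu };
    struct pt_request req = { .user_buf = payload, .user_len = len };
    int error = passthru_checked(&cmd, &req);
    return (cmd.guard == 0xfeedfaceu) ? error : -1;
}
```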