mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-02 08:42:48 +00:00
Code Issues Releases Activity
Mirror of the FreeBSD src repository https://git.FreeBSD.org/src.git .
230,575 Commits 337 Branches 3,545 Tags 2 GiB
C 59.5%
C++ 26.7%
Roff 4.9%
Shell 2.9%
Assembly 1.7%
Other 3.8%
2b08b42bae
Go to file
David Bright 2b08b42bae iconv uses strlen directly on user supplied memory 
`iconv_sysctl_add` from `sys/libkern/iconv.c` incorrectly limits the
size of user strings, such that several out of bounds reads could have
been possible.

static int
iconv_sysctl_add(SYSCTL_HANDLER_ARGS)
{
	struct iconv_converter_class *dcp;
	struct iconv_cspair *csp;
	struct iconv_add_in din;
	struct iconv_add_out dout;
	int error;

	error = SYSCTL_IN(req, &din, sizeof(din));
	if (error)
		return error;
	if (din.ia_version != ICONV_ADD_VER)
		return EINVAL;
	if (din.ia_datalen > ICONV_CSMAXDATALEN)
		return EINVAL;
	if (strlen(din.ia_from) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strlen(din.ia_to) >= ICONV_CSNMAXLEN)
		return EINVAL;
	if (strlen(din.ia_converter) >= ICONV_CNVNMAXLEN)
		return EINVAL;
...

Since the `din` struct is directly copied from userland, there is no
guarantee that the strings supplied will be NULL terminated. The
`strlen` calls could continue reading past the designated buffer
sizes.

Declaration of `struct iconv_add_in` is found in `sys/sys/iconv.h`:

struct iconv_add_in {
	int	ia_version;
	char	ia_converter[ICONV_CNVNMAXLEN];
	char	ia_to[ICONV_CSNMAXLEN];
	char	ia_from[ICONV_CSNMAXLEN];
	int	ia_datalen;
	const void *ia_data;
};

Our strings are followed by the `ia_datalen` member, which is checked
before the `strlen` calls:

if (din.ia_datalen > ICONV_CSMAXDATALEN)

Since `ICONV_CSMAXDATALEN` has value `0x41000` (and is `unsigned`),
this ensures that `din.ia_datalen` contains at least 1 byte of 0, so
it is not possible to trigger a read out of bounds of the `struct`
however, this code is fragile and could introduce subtle bugs in the
future if the `struct` is ever modified.

PR:		207302
Submitted by:	CTurt <cturt@hardenedbsd.org>
Reported by:	CTurt <cturt@hardenedbsd.org>
Reviewed by:	jhb, vangyzen
MFC after:	1 week
Sponsored by:	Dell EMC
Differential Revision:	https://reviews.freebsd.org/D14521
2018-02-26 18:23:36 +00:00
bin Capsicumize uuidgen. 2018-02-17 12:32:53 +00:00
cddl Consistent casing for fallback SIGCHLD (s/Unknown/unknown/) 2018-02-26 00:04:21 +00:00
contrib Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to 2018-02-25 13:20:32 +00:00
crypto Add declaration of SSL_get_selected_srtp_profile() for OpenSSL. 2018-01-25 23:38:05 +00:00
etc Add tests for lagg(4) and other cloned network interfaces 2018-02-23 18:18:42 +00:00
gnu Remove libreadline from the source tree, all consumers but gdb 2018-02-06 12:22:42 +00:00
include Vendor import of llvm release_60 branch r325932: 2018-02-24 21:27:30 +00:00
kerberos5 various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
lib Fix typo. 2018-02-26 18:06:15 +00:00
libexec Fix gettytab(5) to document f0, f1, and f2 as unsupported; they've been gone 2018-02-26 17:51:18 +00:00
release Put the pine64 root filesystem on teh correct partition. 2018-02-16 16:22:54 +00:00
rescue Avoid referencing private lib names directly. 2017-11-10 07:53:02 +00:00
sbin route(8): make it possible to manually delete pinned route 2018-02-24 21:25:56 +00:00
secure Remove c_rehash(1) to not confuse users. We do not install the Perl script. 2018-02-08 19:55:03 +00:00
share style.lua(9): Add some additional notes about naming and commas 2018-02-26 04:55:08 +00:00
stand libsa: Move MAXWAIT from net.h to net.c 2018-02-26 18:14:37 +00:00
sys iconv uses strlen directly on user supplied memory 2018-02-26 18:23:36 +00:00
targets Remove libreadline from the source tree, all consumers but gdb 2018-02-06 12:22:42 +00:00
tests Add tests for lagg(4) and other cloned network interfaces 2018-02-23 18:18:42 +00:00
tools lua-lint: Add note about luacheck in ports, silence warning 2018-02-22 15:29:57 +00:00
usr.bin .Xr rctl(8) and cpuset(1). 2018-02-26 18:04:17 +00:00
usr.sbin Delete copypasta 2018-02-23 17:20:53 +00:00
.arcconfig callsign isn't required anymore 2016-09-29 06:19:45 +00:00
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.gitattributes .git*: add gitattributes and gitignore 2017-12-25 21:07:54 +00:00
.gitignore .git*: add gitattributes and gitignore 2017-12-25 21:07:54 +00:00
COPYRIGHT Happy New Year 2018 my friends! 2017-12-31 16:48:04 +00:00
LOCKS Explicitly require Security Officer's approval for kernel PRNG bits. 2013-09-17 14:19:05 +00:00
MAINTAINERS Add MAINTAINERS note for lualoader (stand/lua, specifically) 2018-02-26 04:33:05 +00:00
Makefile Add a note about why we have the conditional before including 2018-02-07 16:28:26 +00:00
Makefile.inc1 Allow CROSS_TOOLCHAIN to be a path to a file. 2018-02-25 20:21:30 +00:00
Makefile.libcompat X_COMPILER_* may not be defined. 2018-01-24 18:08:37 +00:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc Move devmatch to sbin from usr/sbin. 2018-02-12 14:44:21 +00:00
README Vendor import of less v530. 2018-02-19 04:47:31 +00:00
README.md Document the sys/boot -> stand move in hier.7 and the top-level README. 2017-12-03 20:36:36 +00:00
UPDATING Add Lua as a scripting langauge to /boot/loader 2018-02-12 15:31:53 +00:00

README.md

FreeBSD Source:

This is the top level of the FreeBSD source directory. This file was last revised on: FreeBSD

For copyright information, please see the file COPYRIGHT in this directory (additional copyright information also exists for some sources in this tree - please see the specific source directories for more information).

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7) and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html for more information, including setting make(1) variables.

The buildkernel and installkernel targets build and install the kernel and the modules (see below). Please see the top of the Makefile in this directory for more information on the standard build targets and compile-time flags.

Building a kernel is a somewhat more involved process. See build(7), config(8), and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html for more information.

Note: If you want to build and install the kernel with the buildkernel and installkernel targets, you might need to build world before. More information is available in the handbook.

The kernel configuration files reside in the sys/<arch>/conf sub-directory. GENERIC is the default configuration used in release builds. NOTES contains entries and documentation for all possible devices, not just those commonly used.

Source Roadmap:

bin				System/user commands.

cddl			Various commands and libraries under the Common Development  
				and Distribution License.

contrib			Packages contributed by 3rd parties.

crypto			Cryptography stuff (see crypto/README).

etc				Template files for /etc.

gnu				Various commands and libraries under the GNU Public License.  
				Please see gnu/COPYING* for more information.

include			System include files.

kerberos5		Kerberos5 (Heimdal) package.

lib				System libraries.

libexec			System daemons.

release			Release building Makefile & associated tools.

rescue			Build system for statically linked /rescue utilities.

sbin			System commands.

secure			Cryptographic libraries and commands.

share			Shared resources.

stand			Boot loader sources.

sys				Kernel sources.

tests			Regression tests which can be run by Kyua.  See tests/README
				for additional information.

tools			Utilities for regression testing and miscellaneous tasks.

usr.bin			User commands.

usr.sbin		System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html