NetBSD Problem Report #50026

From www@NetBSD.org  Fri Jul  3 01:26:56 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id DE0B1A654B
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  3 Jul 2015 01:26:55 +0000 (UTC)
Message-Id: <20150703012654.1C6B7A654F@mollari.NetBSD.org>
Date: Fri,  3 Jul 2015 01:26:54 +0000 (UTC)
From: brave_shi@huawei.com
Reply-To: brave_shi@huawei.com
To: gnats-bugs@NetBSD.org
Subject: buffer overflow ipfilter
X-Send-Pr-Version: www-1.0

>Number:         50026
>Category:       security
>Synopsis:       buffer overflow ipfilter
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jul 03 01:30:00 +0000 2015
>Last-Modified:  Sun Nov 10 20:50:01 +0000 2019
>Originator:     Yong Shi
>Release:        6.1.5
>Organization:
Huawei
>Environment:
Code Audit
>Description:
fr_stgettable(char *data)
{
	ipftable_t table;
...
	error = fr_inobj(data, NULL, &table, IPFOBJ_GTABLE);
...
}

int
fr_inobj(void *data, ipfobj_t *objp, void *ptr, int type)
{
...
	} else {
#ifdef	IPFILTER_COMPAT
		error = fr_in_compat(objp, ptr);
#else
		return EINVAL;
#endif
	}

	...
}

int
fr_in_compat(ipfobj_t *obj, void *ptr)
{
...
	case IPFOBJ_NAT :
		if (obj->ipfo_rev >= 4011400) {
			sz = sizeof(nat_4_1_14_t);
		} else if (obj->ipfo_rev >= 4010300) {
			sz = sizeof(nat_4_1_3_t);
		} else {
			break;
		}
		bzero(ptr, sizeof(nat_t));
		error = COPYIN(obj->ipfo_ptr, ptr, sz);
		break;
	}

	return error;
}
In the function fr_stgettable, the variable table is a local variable; it is passed to the function fr_inobj as a parameter, and then passed on to the function fr_in_compat as a parameter. However, under the IPFOBJ_NAT case, the bzero will overwrite the ptr variable with the size of the nat_t struct.

>How-To-Repeat:
none
>Fix:
We should clear the ptr variable before passing it to the fr_in_compat function. It's a patch I don't like. :(

>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: security/50026: buffer overflow ipfilter
Date: Sun, 10 Nov 2019 20:45:58 +0000

 This is still relevant for the current ipfilter code.

 ipf_in_compat(ipf_main_softc_t *softc, ipfobj_t *obj, void *ptr, int size)
 	case IPFOBJ_NAT :
 		if (obj->ipfo_rev >= 4011400) {
 			sz = sizeof(nat_4_1_14_t);
 		} else if (obj->ipfo_rev >= 4010300) {
 			sz = sizeof(nat_4_1_3_t);
 		} else {
 			break;
 		}
 		bzero(ptr, sizeof(nat_t));
 		error = COPYIN(obj->ipfo_ptr, ptr, sz);
 		if (error != 0) {
 			IPFERROR(140039);
 		}
 		break;

 Callers pass a not-sufficiently-wide ipfobj_t.
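The defect described in the report and confirmed in the follow-up is a size mismatch: the IPFOBJ_NAT case zeroes and copies sizeof(nat_t) bytes into whatever buffer the caller handed in, and a caller such as fr_stgettable hands in a local ipftable_t that is smaller than a nat_t. The later ipf_in_compat() signature quoted above already carries a size argument, but the bzero() still ignores it. The stand-alone C example below is added here for illustration and is not ipfilter code: it uses constructed stand-in struct definitions (the real ipftable_t, nat_t, nat_4_1_3_t, nat_4_1_14_t and ipfobj_t are different and larger; only the sizeof ordering matters), a placeholder IPFOBJ_NAT value and a memcpy in place of COPYIN, and it shows the NAT case rewritten so that the destination size is checked before anything is written. nat_compat_overrun() only computes the overrun for a given destination size; the example never performs the out-of-bounds write.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed stand-ins for the ipfilter types named in the PR. The real
 * ipftable_t, nat_t, nat_4_1_3_t and nat_4_1_14_t are different and much
 * larger; the only property reproduced here is that sizeof(nat_t) exceeds
 * sizeof(ipftable_t), which is what turns bzero(ptr, sizeof(nat_t)) into a
 * write past a caller's local ipftable_t.
 */
typedef struct { uint32_t ipt_unit; char ipt_name[16]; } ipftable_t;  /* 20 bytes */
typedef struct { uint8_t nat_bytes[128]; } nat_t;                     /* 128 bytes */
typedef struct { uint8_t bytes[96]; } nat_4_1_3_t;
typedef struct { uint8_t bytes[112]; } nat_4_1_14_t;

/* Trimmed stand-in for ipfobj_t: only the fields the NAT case consults. */
typedef struct {
    int         ipfo_rev;   /* ipfilter revision the caller was built for */
    int         ipfo_type;  /* IPFOBJ_* tag chosen by the caller */
    const void *ipfo_ptr;   /* source of the object to copy in */
} ipfobj_t;

#define IPFOBJ_NAT 1  /* placeholder value, not the real constant */

/* COPYIN moves data in from userland in the kernel; here it is a memcpy. */
static int copyin_stub(const void *src, void *dst, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/*
 * How many bytes the PR's bzero(ptr, sizeof(nat_t)) would write beyond a
 * destination of dst_size bytes. Computed only; nothing is written.
 */
size_t nat_compat_overrun(size_t dst_size)
{
    return sizeof(nat_t) > dst_size ? sizeof(nat_t) - dst_size : 0;
}

/*
 * Hardened form of the IPFOBJ_NAT case: the destination size travels with
 * the pointer and is checked against both the zeroed length and the copied
 * length before either write happens. Any mismatch is rejected with EINVAL.
 */
int in_compat_checked(const ipfobj_t *obj, void *ptr, size_t dst_size)
{
    size_t sz;

    if (obj->ipfo_type != IPFOBJ_NAT)
        return EINVAL;                     /* only the NAT case is modelled */
    if (obj->ipfo_rev >= 4011400)
        sz = sizeof(nat_4_1_14_t);
    else if (obj->ipfo_rev >= 4010300)
        sz = sizeof(nat_4_1_3_t);
    else
        return EINVAL;                     /* unknown revision: no writes */
    if (dst_size < sizeof(nat_t) || sz > dst_size)
        return EINVAL;                     /* destination too small: no writes */

    memset(ptr, 0, sizeof(nat_t));
    return copyin_stub(obj->ipfo_ptr, ptr, sz);
}

/* Mirrors fr_stgettable(): a local ipftable_t reaches the NAT case. */
int demo_table_caller(void)
{
    static const nat_4_1_14_t src = { { 0x41 } };   /* constructed input */
    ipfobj_t obj = { 4011400, IPFOBJ_NAT, &src };
    ipftable_t table;

    /* With the size check this returns EINVAL instead of overflowing. */
    return in_compat_checked(&obj, &table, sizeof(table));
}

/* A caller whose destination really is a nat_t: the copy goes through. */
int demo_nat_caller(void)
{
    static const nat_4_1_14_t src = { { 0x41 } };   /* constructed input */
    ipfobj_t obj = { 4011400, IPFOBJ_NAT, &src };
    nat_t nat;
    int error = in_compat_checked(&obj, &nat, sizeof(nat));

    if (error != 0)
        return error;
    /* First byte came from src; the tail beyond sz was zeroed by memset. */
    return (nat.nat_bytes[0] == 0x41 && nat.nat_bytes[127] == 0) ? 0 : -1;
}
```

With these stand-in sizes, nat_compat_overrun(sizeof(ipftable_t)) reports a 108-byte overrun for the unchecked code path, while in_compat_checked() refuses the ipftable_t caller and serves the nat_t caller normally. The same pattern applies to the other IPFOBJ_* cases in fr_in_compat(): every case that zeroes or copies a fixed sizeof() must have that length compared with the caller's actual buffer size first.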
