NetBSD Problem Report #58652

From riastradh@netbsd.org  Wed Aug 28 16:17:57 2024
Return-Path: <riastradh@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 2C6061A9245
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 28 Aug 2024 16:17:57 +0000 (UTC)
Message-Id: <20240828161755.BE16A1A9247@mollari.NetBSD.org>
Date: Wed, 28 Aug 2024 16:17:55 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: riastradh@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: libnv: Integer overflow and buffer overrun vulnerabilities
X-Send-Pr-Version: 3.95

>Number:         58652
>Category:       security
>Synopsis:       libnv: Integer overflow and buffer overrun vulnerabilities
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    security-officer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Aug 28 16:20:00 +0000 2024
>Closed-Date:    Mon Oct 14 00:44:08 +0000 2024
>Last-Modified:  Mon Oct 14 00:44:08 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
The NvBSD Founda[1]   Segmentation fault (core dumped)
>Environment:
>Description:

	1. nvlist_recv computes sizeof(nvlhdr) + nvlhdr.nvlh_size to
	   size a buffer for data-controlled nvlhdr.nvlh_size without
	   checking any bound first, potentially leading to integer
	   overflow and a buffer overrun with an unexpectedly small
	   buffer size.

	   (Note: Nothing in NetBSD uses nvlist_recv.)

   1328 	if (buf_recv(sock, &nvlhdr, sizeof(nvlhdr)) == -1)
   1329 		return (NULL);
   1330 
   1331 	if (!nvlist_check_header(&nvlhdr))
   1332 		return (NULL);
   1333 
   1334 	nfds = (size_t)nvlhdr.nvlh_descriptors;
   1335 	size = sizeof(nvlhdr) + (size_t)nvlhdr.nvlh_size;
   1336 
   1337 	buf = nv_malloc(size);

https://nxr.netbsd.org/xref/src/sys/external/bsd/libnv/dist/nvlist.c?r=1.8#1328

	2. nvlist_recv computes nfds * sizeof(fds[0]) to size a buffer,
	   for data-controlled nfds without checking any bound first,
	   potentially leading to integer overflow and a buffer overrun
	   with an unexpectedly small buffer size.

	   (Note: Nothing in NetBSD uses nvlist_recv.)

   1350 		fds = nv_malloc(nfds * sizeof(fds[0]));

https://nxr.netbsd.org/xref/src/sys/external/bsd/libnv/dist/nvlist.c?r=1.8#1350

	3. nvlist_unpack strdups a NUL-terminated string without first
	   verifying that it is NUL-terminated within its bounds,
	   potentially leading it to read past the end of an array in
	   kernel memory and copy it into a destination buffer.  This
	   could expose secret kernel memory and/or crash the kernel.

	   This can be triggered by ioctl(IOC_NPF_*) on /dev/npf, even
	   at securelevel 1 (though not securelevel 2), and I don't see
	   any workaround.

   1006 	size = nvp->nvp_datasize;
   1007 	tmp = (const char *)ptr;
   1008 	for (ii = 0; ii < nvp->nvp_nitems; ii++) {
   1009 		len = strnlen(tmp, size - 1) + 1;
   1010 		size -= len;
   1011 		if (size < 0) {
   1012 			ERRNO_SET(EINVAL);
   1013 			return (NULL);
   1014 		}
   1015 		tmp += len;
   1016 	}
   1017 	if (size != 0) {
   1018 		ERRNO_SET(EINVAL);
   1019 		return (NULL);
   1020 	}
   1021 
   1022 	value = nv_malloc(sizeof(*value) * nvp->nvp_nitems);
   1023 	if (value == NULL)
   1024 		return (NULL);
   1025 
   1026 	for (ii = 0; ii < nvp->nvp_nitems; ii++) {
   1027 		value[ii] = nv_strdup((const char *)ptr);

https://nxr.netbsd.org/xref/src/sys/external/bsd/libnv/dist/nvpair.c?r=1.11#1006
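	An added example, not libnv code and not the committed fix, of the
	check item 3 is missing: a validator that only accepts a packed
	string array when every one of its nitems strings has a NUL inside
	the buffer and the strings exactly fill datasize bytes.  The
	demo_* names and the two payloads are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Returns true only if buf[0..datasize) holds exactly nitems strings,
 * each terminated by a NUL that lies inside the buffer.  The loop at
 * nvpair.c:1008 accepts a final string with no NUL at all: strnlen()
 * caps the length, so the remaining size reaches 0 without ever going
 * negative, and the later nv_strdup reads on past the array.  Here the
 * terminator is checked explicitly before anything copies the string.
 */
bool
demo_string_array_ok(const char *buf, size_t datasize, size_t nitems)
{
	size_t off = 0, ii;

	for (ii = 0; ii < nitems; ii++) {
		size_t len;

		if (off >= datasize)		/* nothing left for a string */
			return (false);
		len = strnlen(buf + off, datasize - off);
		if (len == datasize - off)	/* no NUL before end of buffer */
			return (false);
		off += len + 1;			/* skip the string and its NUL */
	}
	return (off == datasize);		/* no trailing slack allowed */
}

/* Constructed payloads: "ab\0cd\0" is well formed, "ab\0cd" is not. */
static const char good[] = { 'a', 'b', '\0', 'c', 'd', '\0' };
static const char bad[]  = { 'a', 'b', '\0', 'c', 'd' };

bool
demo_good_case(void)
{
	return (demo_string_array_ok(good, sizeof(good), 2));
}

bool
demo_bad_case(void)
{
	return (demo_string_array_ok(bad, sizeof(bad), 2));
}
```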

	4. Various other calls to nv_malloc are fed the output of
	   unchecked integer multiplication.  And our nv_calloc doesn't
	   check for integer overflow.

	   (These do not appear to be exploitable in NetBSD but they
	   may be in FreeBSD.)
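	An added example, not libnv code and not the committed fix, of the
	two size computations from items 1, 2 and 4 done with explicit
	overflow checks: the header-plus-payload sum and the element-count
	multiply.  The struct demo_hdr and the demo_* names are constructed
	stand-ins for nvlhdr and the libnv allocators.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for nvlhdr: only the fields the checks need. */
struct demo_hdr {
	uint64_t nvlh_size;		/* payload bytes after the header */
	uint64_t nvlh_descriptors;	/* number of descriptors that follow */
};

/*
 * Item 1: sizeof(hdr) + nvlh_size.  Reject any payload size that would
 * wrap size_t instead of letting the sum come out small.
 */
bool
demo_recv_bufsize(const struct demo_hdr *hdr, size_t *sizep)
{
	if (hdr->nvlh_size > SIZE_MAX - sizeof(*hdr))
		return (false);
	*sizep = sizeof(*hdr) + (size_t)hdr->nvlh_size;
	return (true);
}

/*
 * Items 2 and 4: n * elemsize, as in nfds * sizeof(fds[0]) and in a
 * calloc-style helper.  The division test catches the wrap before the
 * multiplication is performed.
 */
bool
demo_array_bytes(size_t n, size_t elemsize, size_t *bytesp)
{
	if (elemsize != 0 && n > SIZE_MAX / elemsize)
		return (false);
	*bytesp = n * elemsize;
	return (true);
}

/* Descriptor table size from the header, via the checked multiply. */
bool
demo_fds_bytes(const struct demo_hdr *hdr, size_t *bytesp)
{
	if (hdr->nvlh_descriptors > SIZE_MAX)	/* matters on 32-bit */
		return (false);
	return (demo_array_bytes((size_t)hdr->nvlh_descriptors, sizeof(int),
	    bytesp));
}
```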

>How-To-Repeat:
	code inspection

>Fix:
	incoming

>Release-Note:

>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 4 Sep 2024 12:56:47 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Sep  4 12:56:47 UTC 2024

 Modified Files:
 	src/sys/external/bsd/libnv/dist: nvlist.c

 Log Message:
 libnv: Refuse nonsensically large header size in nvlist_check_header.

 This avoids potential integer overflow in nvlist_recv, which is not
 used in NetBSD.  The only other user of nvlist_check_header is
 nvlist_unpack_header, which verifies the header size matches the
 framing and so is not affected by integer overflow.

 Matches upstream FreeBSD change by Mariusz Zaborski
 <oshogbo@FreeBSD.org>.

 CVE-2024-45287

 PR security/58652: libnv: Integer overflow and buffer overrun
 vulnerabilities


 To generate a diff of this commit:
 cvs rdiff -u -r1.8 -r1.9 src/sys/external/bsd/libnv/dist/nvlist.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 4 Sep 2024 12:57:00 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Sep  4 12:57:00 UTC 2024

 Modified Files:
 	src/sys/external/bsd/libnv/dist: nv_kern_netbsd.c nvlist.c nvpair.c

 Log Message:
 libnv: Avoid arithmetic overflow in array allocation.

 1. Teach nv_calloc and nv_strdup to detect arithmetic overflow.
 2. Convert nv_malloc(sizeof(...) * N) to nv_calloc(N, sizeof(...)).

 I reviewed all the remaining nv_malloc calls, because some of them
 have the multiplication separated from the nv_malloc call.  Of the
 remaining callers:

 - nv_calloc (now) checks for overflow
 - nv_strdup (now) checks for overflow
 - nvlist_create uses a fixed sizeof(...) without arithmetic
 - nvlist_xpack doesn't directly check bounds, but as long as the wire
   format is smaller than the in-memory size, that's not a problem
 - nvlist_recv checks for sizeof(nvlhdr) + nvlhdr.nvlh_size overflow
 - nvpair_unpack_binary uses nvp->nvp_datasize without arithmetic
 - nvpair_unpack_bool_array checks for unsigned overflow
 - nvpair_unpack_number_array checks for unsigned overflow
 - nvpair_unpack_descriptor_array checks for unsigned overflow
 - nvpair_create_binary uses caller-supplied size without arithmetic

 Matches upstream FreeBSD change by Mariusz Zaborski
 <oshogbo@FreeBSD.org>.

 CVE-2024-45287

 PR security/58652: libnv: Integer overflow and buffer overrun
 vulnerabilities


 To generate a diff of this commit:
 cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
 cvs rdiff -u -r1.9 -r1.10 src/sys/external/bsd/libnv/dist/nvlist.c
 cvs rdiff -u -r1.11 -r1.12 src/sys/external/bsd/libnv/dist/nvpair.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 4 Sep 2024 12:57:10 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Sep  4 12:57:10 UTC 2024

 Modified Files:
 	src/sys/external/bsd/libnv/dist: nvpair.c

 Log Message:
 libnv: Check for NUL within bounds when unpacking string arrays.

 This avoids buffer overrun in the subsequent nv_strdup, which can be
 triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.

 Matches upstream FreeBSD change by Mariusz Zaborski
 <oshogbo@FreeBSD.org>.

 CVE-2024-45288

 PR security/58652: libnv: Integer overflow and buffer overrun
 vulnerabilities


 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.13 src/sys/external/bsd/libnv/dist/nvpair.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58652 CVS commit: [netbsd-10] src/sys/external/bsd/libnv/dist
Date: Thu, 5 Sep 2024 10:03:32 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Sep  5 10:03:32 UTC 2024

 Modified Files:
 	src/sys/external/bsd/libnv/dist [netbsd-10]: nvpair.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #820):

 	sys/external/bsd/libnv/dist/nvpair.c: revision 1.13

 libnv: Check for NUL within bounds when unpacking string arrays.

 This avoids buffer overrun in the subsequent nv_strdup, which can be
 triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.

 Matches upstream FreeBSD change by Mariusz Zaborski.

 CVE-2024-45288

 PR security/58652: libnv: Integer overflow and buffer overrun
 vulnerabilities


 To generate a diff of this commit:
 cvs rdiff -u -r1.11 -r1.11.28.1 src/sys/external/bsd/libnv/dist/nvpair.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58652 CVS commit: [netbsd-9] src/sys/external/bsd/libnv/dist
Date: Thu, 5 Sep 2024 10:12:31 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Thu Sep  5 10:12:31 UTC 2024

 Modified Files:
 	src/sys/external/bsd/libnv/dist [netbsd-9]: nvpair.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #1885):

 	sys/external/bsd/libnv/dist/nvpair.c: revision 1.13

 libnv: Check for NUL within bounds when unpacking string arrays.

 This avoids buffer overrun in the subsequent nv_strdup, which can be
 triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.

 Matches upstream FreeBSD change by Mariusz Zaborski.

 CVE-2024-45288

 PR security/58652: libnv: Integer overflow and buffer overrun
 vulnerabilities


 To generate a diff of this commit:
 cvs rdiff -u -r1.11 -r1.11.2.1 src/sys/external/bsd/libnv/dist/nvpair.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 11 Sep 2024 15:01:11 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Wed Sep 11 15:01:11 UTC 2024

 Modified Files:
 	src/sys/external/bsd/libnv/dist: nvlist.c

 Log Message:
 libnv: Fix pointer/struct confusion in bounds check.

 No impact to NetBSD because the path where this bounds check matters
 is not used in NetBSD.

 Matches upstream FreeBSD change by Mariusz Zaborski
 <oshogbo@FreeBSD.org>.

 CVE-2024-45287

 PR security/58652: libnv: Integer overflow and buffer overrun
 vulnerabilities


 To generate a diff of this commit:
 cvs rdiff -u -r1.10 -r1.11 src/sys/external/bsd/libnv/dist/nvlist.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 14 Oct 2024 00:44:08 +0000
State-Changed-Why:
fixed, and the important changes have been pulled up to 9 and 10


>Unformatted:
