NetBSD Problem Report #58652
From riastradh@netbsd.org Wed Aug 28 16:17:57 2024
Return-Path: <riastradh@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
client-signature RSA-PSS (2048 bits) client-digest SHA256)
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 2C6061A9245
for <gnats-bugs@gnats.NetBSD.org>; Wed, 28 Aug 2024 16:17:57 +0000 (UTC)
Message-Id: <20240828161755.BE16A1A9247@mollari.NetBSD.org>
Date: Wed, 28 Aug 2024 16:17:55 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: riastradh@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: libnv: Integer overflow and buffer overrun vulnerabilities
X-Send-Pr-Version: 3.95
>Number: 58652
>Category: security
>Synopsis: libnv: Integer overflow and buffer overrun vulnerabilities
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: security-officer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Aug 28 16:20:00 +0000 2024
>Closed-Date: Mon Oct 14 00:44:08 +0000 2024
>Last-Modified: Mon Oct 14 00:44:08 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10, 9, ...
>Organization:
The NvBSD Founda[1] Segmentation fault (core dumped)
>Environment:
>Description:
1. nvlist_recv computes sizeof(nvlhdr) + nvlhdr.nvlh_size to
size a buffer for data-controlled nvlhdr.nvlh_size without
checking any bound first, potentially leading to integer
overflow and a buffer overrun with an unexpectedly small
buffer size.
(Note: Nothing in NetBSD uses nvlist_recv.)
1328     if (buf_recv(sock, &nvlhdr, sizeof(nvlhdr)) == -1)
1329             return (NULL);
1330
1331     if (!nvlist_check_header(&nvlhdr))
1332             return (NULL);
1333
1334     nfds = (size_t)nvlhdr.nvlh_descriptors;
1335     size = sizeof(nvlhdr) + (size_t)nvlhdr.nvlh_size;
1336
1337     buf = nv_malloc(size);
https://nxr.netbsd.org/xref/src/sys/external/bsd/libnv/dist/nvlist.c?r=1.8#1328
2. nvlist_recv computes nfds * sizeof(fds[0]) to size a buffer,
for data-controlled nfds without checking any bound first,
potentially leading to integer overflow and a buffer overrun
with an unexpectedly small buffer size.
(Note: Nothing in NetBSD uses nvlist_recv.)
1350 fds = nv_malloc(nfds * sizeof(fds[0]));
https://nxr.netbsd.org/xref/src/sys/external/bsd/libnv/dist/nvlist.c?r=1.8#1350
3. nvlist_unpack strdups a NUL-terminated string without first
verifying that it is NUL-terminated within its bounds,
potentially leading it to read past the end of an array in
kernel memory and copy it into a destination buffer. This
could expose secret kernel memory and/or crash the kernel.
This can be triggered by ioctl(IOC_NPF_*) on /dev/npf, even
at securelevel 1 (though not securelevel 2), and I don't see
any workaround.
1006     size = nvp->nvp_datasize;
1007     tmp = (const char *)ptr;
1008     for (ii = 0; ii < nvp->nvp_nitems; ii++) {
1009             len = strnlen(tmp, size - 1) + 1;
1010             size -= len;
1011             if (size < 0) {
1012                     ERRNO_SET(EINVAL);
1013                     return (NULL);
1014             }
1015             tmp += len;
1016     }
1017     if (size != 0) {
1018             ERRNO_SET(EINVAL);
1019             return (NULL);
1020     }
1021
1022     value = nv_malloc(sizeof(*value) * nvp->nvp_nitems);
1023     if (value == NULL)
1024             return (NULL);
1025
1026     for (ii = 0; ii < nvp->nvp_nitems; ii++) {
1027             value[ii] = nv_strdup((const char *)ptr);
https://nxr.netbsd.org/xref/src/sys/external/bsd/libnv/dist/nvpair.c?r=1.11#1006
4. Various other calls to nv_malloc are fed the output of
unchecked integer multiplication. And our nv_calloc doesn't
check for integer overflow.
(These do not appear to be exploitable in NetBSD but they
may be in FreeBSD.)
>How-To-Repeat:
code inspection
>Fix:
incoming
>Release-Note:
>Audit-Trail:
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 4 Sep 2024 12:56:47 +0000
Module Name: src
Committed By: riastradh
Date: Wed Sep 4 12:56:47 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist: nvlist.c
Log Message:
libnv: Refuse nonsensically large header size in nvlist_check_header.
This avoids potential integer overflow in nvlist_recv, which is not
used in NetBSD. The only other user of nvlist_check_header is
nvlist_unpack_header, which verifies the header size matches the
framing and so is not affected by integer overflow.
Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo@FreeBSD.org>.
CVE-2024-45287
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/sys/external/bsd/libnv/dist/nvlist.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 4 Sep 2024 12:57:00 +0000
Module Name: src
Committed By: riastradh
Date: Wed Sep 4 12:57:00 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist: nv_kern_netbsd.c nvlist.c nvpair.c
Log Message:
libnv: Avoid arithmetic overflow in array allocation.
1. Teach nv_calloc and nv_strdup to detect arithmetic overflow.
2. Convert nv_malloc(sizeof(...) * N) to nv_calloc(N, sizeof(...)).
I reviewed all the remaining nv_malloc calls, because some of them
have the multiplication separated from the nv_malloc call. Of the
remaining callers:
- nv_calloc (now) checks for overflow
- nv_strdup (now) checks for overflow
- nvlist_create uses a fixed sizeof(...) without arithmetic
- nvlist_xpack doesn't directly check bounds, but as long as the wire
format is smaller than the in-memory size, that's not a problem
- nvlist_recv checks for sizeof(nvlhdr) + nvlhdr.nvlh_size overflow
- nvpair_unpack_binary uses nvp->nvp_datasize without arithmetic
- nvpair_unpack_bool_array checks for unsigned overflow
- nvpair_unpack_number_array checks for unsigned overflow
- nvpair_unpack_descriptor_array checks for unsigned overflow
- nvpair_create_binary uses caller-supplied size without arithmetic
Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo@FreeBSD.org>.
CVE-2024-45287
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/external/bsd/libnv/dist/nv_kern_netbsd.c
cvs rdiff -u -r1.9 -r1.10 src/sys/external/bsd/libnv/dist/nvlist.c
cvs rdiff -u -r1.11 -r1.12 src/sys/external/bsd/libnv/dist/nvpair.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
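The size arithmetic from items 1, 2 and 4 of the description, and the overflow detection this commit describes for nv_calloc, shown as a stand-alone example. This is added illustration code, not libnv's: struct fake_nvlhdr is a simplified stand-in whose fields are named after the PR's nvlh_size and nvlh_descriptors (not the real header layout), EXAMPLE_MAX_NVLIST_SIZE is a limit chosen for the example, and the function names are the example's own.

```c
/*
 * Added example (not libnv code): overflow-checked size arithmetic of the
 * kind the libnv fixes introduce. struct fake_nvlhdr is a simplified
 * stand-in for the wire header (assumption); EXAMPLE_MAX_NVLIST_SIZE is a
 * limit chosen for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct fake_nvlhdr {
	uint64_t nvlh_size;        /* bytes of payload following the header */
	uint64_t nvlh_descriptors; /* number of descriptors sent alongside */
};

#define EXAMPLE_MAX_NVLIST_SIZE ((uint64_t)1 << 20)

/* Overflow-checked addition: false instead of a wrapped result. */
bool checked_add(size_t a, size_t b, size_t *out)
{
	if (b > SIZE_MAX - a)
		return false;
	*out = a + b;
	return true;
}

/* Overflow-checked multiplication, the test a calloc-style helper needs. */
bool checked_mul(size_t nmemb, size_t size, size_t *out)
{
	if (nmemb != 0 && size > SIZE_MAX / nmemb)
		return false;
	*out = nmemb * size;
	return true;
}

/* Buffer size as the original nvlist_recv computed it: the sum silently
 * wraps to a small number when nvlh_size is close to SIZE_MAX. */
size_t unchecked_recv_size(const struct fake_nvlhdr *h)
{
	return sizeof(*h) + (size_t)h->nvlh_size;
}

/* Hardened variant: refuse a nonsensically large header up front and
 * refuse the addition if it would wrap. Returns 0 on rejection (a valid
 * result is always at least sizeof(*h)). */
size_t checked_recv_size(const struct fake_nvlhdr *h)
{
	size_t total;

	if (h->nvlh_size > EXAMPLE_MAX_NVLIST_SIZE)
		return 0;
	if (!checked_add(sizeof(*h), (size_t)h->nvlh_size, &total))
		return 0;
	return total;
}

/* Byte count for the descriptor array; 0 if nfds * sizeof(int) overflows. */
size_t fd_array_bytes(const struct fake_nvlhdr *h)
{
	size_t total;

	if (!checked_mul((size_t)h->nvlh_descriptors, sizeof(int), &total))
		return 0;
	return total;
}

/* calloc-style allocator that refuses rather than handing back a wrapped,
 * too-small buffer. */
void *example_calloc(size_t nmemb, size_t size)
{
	size_t total;

	if (!checked_mul(nmemb, size, &total))
		return NULL;
	return calloc(nmemb, size);
}

/* Constructed headers: one near the type limits, one sane. */
static const struct fake_nvlhdr hostile_hdr = {
	.nvlh_size = UINT64_MAX - 8,
	.nvlh_descriptors = (uint64_t)SIZE_MAX / 4 + 1,
};
static const struct fake_nvlhdr sane_hdr = { .nvlh_size = 200, .nvlh_descriptors = 2 };

int main(void)
{
	printf("hostile: unchecked size %zu, checked size %zu, fd bytes %zu\n",
	    unchecked_recv_size(&hostile_hdr), checked_recv_size(&hostile_hdr),
	    fd_array_bytes(&hostile_hdr));
	printf("sane:    checked size %zu, fd bytes %zu\n",
	    checked_recv_size(&sane_hdr), fd_array_bytes(&sane_hdr));
	void *fds = example_calloc((size_t)hostile_hdr.nvlh_descriptors, sizeof(int));
	printf("hostile fd array allocation: %s\n", fds == NULL ? "refused" : "allocated");
	free(fds);
	return 0;
}
```

The hostile header makes sizeof(hdr) + nvlh_size wrap to 7 on both 32- and 64-bit size_t, and nfds * sizeof(int) wrap to 0; the checked variants refuse both before any allocation happens, which is the property the nv_calloc and nvlist_check_header changes add.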
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 4 Sep 2024 12:57:10 +0000
Module Name: src
Committed By: riastradh
Date: Wed Sep 4 12:57:10 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist: nvpair.c
Log Message:
libnv: Check for NUL within bounds when unpacking string arrays.
This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.
Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo@FreeBSD.org>.
CVE-2024-45288
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/sys/external/bsd/libnv/dist/nvpair.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
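Item 3 of the description and the fix in this commit, as a stand-alone example of checking that each string in a packed array is NUL-terminated within bounds before it is copied. This is added illustration code, not libnv's: the buffer layout (nitems NUL-terminated strings back to back, with the total byte count supplied by the untrusted sender) follows the PR's description, and the function names and the two constructed input blobs are the example's own.

```c
/*
 * Added example (not libnv code): validating a packed string array before
 * copying its elements. Layout assumed here, following the PR's description:
 * nitems NUL-terminated strings concatenated, total byte count `size`
 * supplied by the (untrusted) sender.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * The length check the way the vulnerable loop did it: strnlen(tmp, size - 1)
 * is at most size - 1, so len <= size and the remaining size can never go
 * negative. A final string with no NUL anywhere in range therefore passes,
 * and a later strdup of it reads past the end of the buffer.
 */
bool accept_loose(const char *ptr, size_t size, size_t nitems)
{
	const char *tmp = ptr;

	for (size_t i = 0; i < nitems; i++) {
		if (size == 0)
			return false;
		size_t len = strnlen(tmp, size - 1) + 1;  /* always <= size */
		size -= len;
		tmp += len;
	}
	return size == 0;
}

/*
 * Hardened check: search the whole remaining range and reject when strnlen
 * hits the limit, i.e. when no terminator exists within bounds.
 */
bool accept_strict(const char *ptr, size_t size, size_t nitems)
{
	const char *tmp = ptr;

	for (size_t i = 0; i < nitems; i++) {
		if (size == 0)
			return false;          /* more items promised than bytes */
		size_t len = strnlen(tmp, size);
		if (len == size)
			return false;          /* no NUL within bounds */
		len += 1;                      /* account for the terminator */
		size -= len;
		tmp += len;
	}
	return size == 0;                      /* byte count matches exactly */
}

void free_string_array(char **arr, size_t nitems)
{
	if (arr == NULL)
		return;
	for (size_t i = 0; i < nitems; i++)
		free(arr[i]);
	free(arr);
}

/* Copy the strings out only after the strict check has passed; NULL otherwise. */
char **unpack_string_array(const char *ptr, size_t size, size_t nitems)
{
	if (!accept_strict(ptr, size, nitems))
		return NULL;
	char **out = calloc(nitems, sizeof(*out));
	if (out == NULL)
		return NULL;
	const char *tmp = ptr;
	for (size_t i = 0; i < nitems; i++) {
		out[i] = strdup(tmp);          /* safe: NUL known to be in range */
		if (out[i] == NULL) {
			free_string_array(out, i);
			return NULL;
		}
		tmp += strlen(tmp) + 1;
	}
	return out;
}

/* Constructed inputs: a well-formed pair, and one whose last string has no
 * terminator inside the buffer. */
static const char good_blob[] = "alpha\0beta";  /* 11 bytes, two NULs */
static const char bad_blob[] = { 'a', 'l', 'p', 'h', 'a', '\0', 'b', 'e', 't', 'a' };  /* 10 bytes, one NUL */

int main(void)
{
	printf("loose  accepts good: %d, bad: %d\n",
	    accept_loose(good_blob, sizeof good_blob, 2),
	    accept_loose(bad_blob, sizeof bad_blob, 2));
	printf("strict accepts good: %d, bad: %d\n",
	    accept_strict(good_blob, sizeof good_blob, 2),
	    accept_strict(bad_blob, sizeof bad_blob, 2));
	char **arr = unpack_string_array(good_blob, sizeof good_blob, 2);
	if (arr != NULL)
		printf("unpacked: %s, %s\n", arr[0], arr[1]);
	free_string_array(arr, 2);
	return 0;
}
```

Both validators stay within the buffer themselves (strnlen is bounded); the difference is what they let through to the copy that follows. accept_loose passes bad_blob because each bounded strnlen result plus one can never exceed the remaining size, which is exactly the flaw in the original loop; accept_strict rejects it, and unpack_string_array never calls strdup on a string it has not proven to be terminated in range.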
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58652 CVS commit: [netbsd-10] src/sys/external/bsd/libnv/dist
Date: Thu, 5 Sep 2024 10:03:32 +0000
Module Name: src
Committed By: martin
Date: Thu Sep 5 10:03:32 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist [netbsd-10]: nvpair.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #820):
sys/external/bsd/libnv/dist/nvpair.c: revision 1.13
libnv: Check for NUL within bounds when unpacking string arrays.
This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.
Matches upstream FreeBSD change by Mariusz Zaborski.
CVE-2024-45288
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.28.1 src/sys/external/bsd/libnv/dist/nvpair.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58652 CVS commit: [netbsd-9] src/sys/external/bsd/libnv/dist
Date: Thu, 5 Sep 2024 10:12:31 +0000
Module Name: src
Committed By: martin
Date: Thu Sep 5 10:12:31 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist [netbsd-9]: nvpair.c
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1885):
sys/external/bsd/libnv/dist/nvpair.c: revision 1.13
libnv: Check for NUL within bounds when unpacking string arrays.
This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.
Matches upstream FreeBSD change by Mariusz Zaborski.
CVE-2024-45288
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.2.1 src/sys/external/bsd/libnv/dist/nvpair.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/58652 CVS commit: src/sys/external/bsd/libnv/dist
Date: Wed, 11 Sep 2024 15:01:11 +0000
Module Name: src
Committed By: riastradh
Date: Wed Sep 11 15:01:11 UTC 2024
Modified Files:
src/sys/external/bsd/libnv/dist: nvlist.c
Log Message:
libnv: Fix pointer/struct confusion in bounds check.
No impact to NetBSD because the path where this bounds check matters
is not used in NetBSD.
Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo@FreeBSD.org>.
CVE-2024-45287
PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/external/bsd/libnv/dist/nvlist.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Mon, 14 Oct 2024 00:44:08 +0000
State-Changed-Why:
fixed, and the important changes have been pulled up to 9 and 10
>Unformatted: