diff options
author | Mark Johnston <markj@FreeBSD.org> | 2019-02-19 21:22:22 +0000 |
---|---|---|
committer | Mark Johnston <markj@FreeBSD.org> | 2019-02-19 21:22:22 +0000 |
commit | 60a92c781da2d6e1cc61fb5a9d759f15bb42c287 (patch) | |
tree | 2cf16e4b2ccd703cf3a0ede8cff4c74cd7187bde /sys/geom | |
parent | b1ece243880ba7f5342116dcc62c279ab02dbe57 (diff) | |
download | src-60a92c781da2d6e1cc61fb5a9d759f15bb42c287.tar.gz src-60a92c781da2d6e1cc61fb5a9d759f15bb42c287.zip |
Impose a limit on the number of GEOM_CTL arguments.
Otherwise a privileged user can trigger a memory allocation of
unbounded size, or an integer overflow in the subsequent
geom_alloc_copyin() call, leading to out-of-bounds accesses.
Hard-code a large limit to circumvent this problem.
admbug: 854
Reported by: Anonymous of the Shellphish Grill Team
Reviewed by: ae
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D19251
Notes
Notes:
svn path=/head/; revision=344305
Diffstat (limited to 'sys/geom')
-rw-r--r-- | sys/geom/geom_ctl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sys/geom/geom_ctl.c b/sys/geom/geom_ctl.c index ae07cf696a55..0c0087912693 100644 --- a/sys/geom/geom_ctl.c +++ b/sys/geom/geom_ctl.c @@ -139,6 +139,12 @@ gctl_copyin(struct gctl_req *req) char *p; u_int i; + if (req->narg > 2048) { + gctl_error(req, "too many arguments"); + req->arg = NULL; + return; + } + ap = geom_alloc_copyin(req, req->arg, req->narg * sizeof(*ap)); if (ap == NULL) { gctl_error(req, "bad control request"); |