NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

port-i386/41269: Incorrect validation in firewire driver code makes it vulnerable.

>Number:         41269
>Category:       port-i386
>Synopsis:       Incorrect validation in firewire driver code makes it 
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    port-i386-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 23 03:55:00 +0000 2009
>Originator:     Shivam Patel
>Release:        NetBSD-5_RC
Carnegie Mellon University
Kindly refer to the following file:
File: fwdev.c
Line no. 876

This line fails to validate the negative values of crom_buf->len.
Since user can provide any value to crom_buf->len, a malicious user can bypass 
the if validation and can access unauthorized memory (line 880).

Please refer to the fix below.

We at CMU are researching to develop automated techniques to detect bugs due to 
code-reuse. We came across this bug by running a automated program.

I hope this helps.
This is a logical validation error. See description in 'Description' Section 
and its fix in the 'Fix to the problem' section.
This vulnerability can be easily fixed by replacing the line as follows:

File: fwdev.c
Line no. 876
Current_line: if (crom_buf->len < len)
Possible Fix: if (crom_buf->len < len && crom_buf->len >= 0)

Similar vulnerability prevailed in the FreeBSD5.4 and below versions. It was 
fixed in FreeBSD5.5 and beyond.

Refer line 715 of FreeBSD5.4 at:

Refer to the fixed version in FreeBSD5.5 (line 715) at:

Hope this helps

Home | Main Index | Thread Index | Old Index