History log of /src/sys/external/bsd/libnv/dist/nvpair.c
Revision | Date | Author | Comments
 1.13  04-Sep-2024  riastradh libnv: Check for NUL within bounds when unpacking string arrays.

This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.

Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo@FreeBSD.org>.

CVE-2024-45288

PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
 1.12  04-Sep-2024  riastradh libnv: Avoid arithmetic overflow in array allocation.

1. Teach nv_calloc and nv_strdup to detect arithmetic overflow.
2. Convert nv_malloc(sizeof(...) * N) to nv_calloc(N, sizeof(...)).

I reviewed all the remaining nv_malloc calls, because some of them
have the multiplication separated from the nv_malloc call. Of the
remaining callers:

- nv_calloc (now) checks for overflow
- nv_strdup (now) checks for overflow
- nvlist_create uses a fixed sizeof(...) without arithmetic
- nvlist_xpack doesn't directly check bounds, but as long as the wire
format is smaller than the in-memory size, that's not a problem
- nvlist_recv checks for sizeof(nvlhdr) + nvlhdr.nvlh_size overflow
- nvpair_unpack_binary uses nvp->nvp_datasize without arithmetic
- nvpair_unpack_bool_array checks for unsigned overflow
- nvpair_unpack_number_array checks for unsigned overflow
- nvpair_unpack_descriptor_array checks for unsigned overflow
- nvpair_create_binary uses caller-supplied size without arithmetic

Matches upstream FreeBSD change by Mariusz Zaborski
<oshogbo@FreeBSD.org>.

CVE-2024-45287

PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
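The two checks described in revisions 1.12 and 1.13 (overflow-checked array allocation, and finding each string's NUL inside the buffer before duplicating it) as an added illustration; this is not libnv's code, and checked_calloc, unpack_string_array and the sample bytes are hypothetical stand-ins constructed here.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the overflow check rev 1.12 describes for
 * nv_calloc: refuse the request if n * size would wrap around. */
void *checked_calloc(size_t n, size_t size)
{
	return (size != 0 && n > SIZE_MAX / size) ? NULL : calloc(n, size);
}

void free_string_array(char **arr, size_t nitems)
{
	for (size_t i = 0; arr != NULL && i < nitems; i++)
		free(arr[i]);
	free(arr);
}

/* Unpack nitems NUL-terminated strings from a len-byte wire buffer. Each
 * string is copied only after its NUL has been found inside the buffer
 * (the rev 1.13 check); a missing NUL rejects the whole array. */
char **unpack_string_array(const unsigned char *buf, size_t len, size_t nitems)
{
	char **out = checked_calloc(nitems, sizeof(*out));
	size_t off = 0;
	for (size_t i = 0; out != NULL && i < nitems; i++) {
		/* memchr is bounded by the bytes remaining, so it cannot overrun */
		const unsigned char *nul = memchr(buf + off, '\0', len - off);
		size_t slen = nul != NULL ? (size_t)(nul - (buf + off)) : 0;
		if (nul == NULL || (out[i] = malloc(slen + 1)) == NULL) {
			free_string_array(out, nitems);
			return NULL;
		}
		memcpy(out[i], buf + off, slen + 1);   /* includes the NUL */
		off += slen + 1;
	}
	return out;
}

/* Constructed sample wire data: "foo" and "bar", NUL-terminated, 8 bytes. */
static const unsigned char sample_ok[8] = "foo\0bar";
/* Returns 1 when the sample unpacks to {"foo", "bar"} and is freed cleanly. */
int demo_well_formed(void)
{
	char **arr = unpack_string_array(sample_ok, sizeof sample_ok, 2);
	int ok = arr != NULL && strcmp(arr[0], "foo") == 0 && strcmp(arr[1], "bar") == 0;
	free_string_array(arr, 2);
	return ok;
}
```

Passing the same bytes with a length of 7 (the last NUL outside the declared buffer) makes unpack_string_array return NULL instead of reading past the end.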
 1.11  24-Jul-2019  martin branches: 1.11.2; 1.11.28;
Adapt for userland compilation
 1.10  24-Jul-2019  sevan off by 1
 1.9  24-Jul-2019  sevan need sys/kmem.h for kmem_free()
 1.8  24-Jul-2019  martin PR kern/54406: the result of vasprintf (in the kernel) should be freed
by kmem_free(). Spotted by Mindaugas.
 1.7  23-Jul-2019  rmind - nvpair_create_stringf: use the in-kernel vasprintf().
- Make nvlist_add_stringf() available in the kernel.
 1.6  15-Feb-2019  rmind branches: 1.6.4;
nvpair_remove_nvlist_array: revert part of the rev 1.4 change (it was applied
by mistake because the libnv upstream code on Github has deviated from FreeBSD,
i.e. it has a different nvlist_set_array_next() logic).
 1.5  12-Feb-2019  rmind libnv: Free the data array for NV_TYPE_DESCRIPTOR_ARRAY case.
Obtained from FreeBSD rev 343987 by oshogbo@.
 1.4  12-Feb-2019  rmind libnv: fix multiple memory leaks.

- nvpair_create_stringv: free the temporary string; this fix affects
nvlist_add_stringf() and nvlist_add_stringv().

- nvpair_remove_nvlist_array (NV_TYPE_NVLIST_ARRAY case): free the chain
of nvpairs (as resetting it prevents nvlist_destroy() from freeing it).
Note: freeing the chain in nvlist_destroy() is not sufficient, because
it would still leak through nvlist_take_nvlist_array(). This affects
all nvlist_*_nvlist_array() users.

Found by clang/gcc ASAN. These fixes have been contributed to the
upstream (FreeBSD) repository.
 1.3  08-Sep-2018  christos branches: 1.3.2;
fix kernel build.
 1.2  08-Sep-2018  christos Add NetBSD stuff.
 1.1  08-Sep-2018  christos branches: 1.1.1;
Initial revision
 1.1.1.1  08-Sep-2018  christos Import libnv from FreeBSD
 1.3.2.2  30-Sep-2018  pgoyette Sync with HEAD
 1.3.2.1  08-Sep-2018  pgoyette file nvpair.c was added on branch pgoyette-compat on 2018-09-30 01:45:55 +0000
 1.6.4.3  13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.6.4.2  10-Jun-2019  christos Sync with HEAD
 1.6.4.1  15-Feb-2019  christos file nvpair.c was added on branch phil-wifi on 2019-06-10 22:08:38 +0000
 1.11.28.1  05-Sep-2024  martin Pull up following revision(s) (requested by riastradh in ticket #820):

sys/external/bsd/libnv/dist/nvpair.c: revision 1.13

libnv: Check for NUL within bounds when unpacking string arrays.

This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.

Matches upstream FreeBSD change by Mariusz Zaborski.

CVE-2024-45288

PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
 1.11.2.1  05-Sep-2024  martin Pull up following revision(s) (requested by riastradh in ticket #1885):

sys/external/bsd/libnv/dist/nvpair.c: revision 1.13

libnv: Check for NUL within bounds when unpacking string arrays.

This avoids buffer overrun in the subsequent nv_strdup, which can be
triggered by root at securelevel 1 via ioctl(IOC_NPF_*) on /dev/npf.

Matches upstream FreeBSD change by Mariusz Zaborski.

CVE-2024-45288

PR security/58652: libnv: Integer overflow and buffer overrun
vulnerabilities
