xorl %eax, %eax

FreeBSD ATA Device Large Allocation Panic


This bug was discovered and disclosed by Shaun Colley on 22 June 2009. The issue affects FreeBSD 6.0 as well as the 8.0 branch, and probably other releases too. Here is the vulnerable code as seen in dev/ata/ata-all.c of FreeBSD 6.0:

int
ata_device_ioctl(device_t dev, u_long cmd, caddr_t data)
{
    struct ata_device *atadev = device_get_softc(dev);
    /* 'data' is the user-supplied ioctl argument, reinterpreted per command */
    struct ata_ioc_request *ioc_request = (struct ata_ioc_request *)data;
    struct ata_params *params = (struct ata_params *)data;
    int *mode = (int *)data;
    struct ata_request *request;
    caddr_t buf;
    int error;

    switch (cmd) {
    case IOCATAREQUEST:
        /* count comes straight from the user-controlled request; no bounds check */
        if (!(buf = malloc(ioc_request->count, M_ATA, M_NOWAIT))) {
            return
        ...
    default:
        return ENOTTY;
    }
}

The bug is really simple. If the IOCTL command is IOCATAREQUEST, the handler immediately attempts to allocate ioc_request->count bytes, a value taken directly from the user-controlled data passed to that IOCTL call. A user can therefore request a huge amount of memory, which will panic the kernel. Shaun Colley also published atapanic.c, which issues that IOCTL call and requests 0xffffffff bytes to be allocated. Of course, in order to do this you need read access to an ATA device.
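To make the failure mode concrete, here is an added user-space model of the IOCATAREQUEST path (this is example code written for this post, not FreeBSD's code or Shaun Colley's). It places the unchecked use of count beside a bounds-checked version of the same step. The struct is reduced to the one field that matters, and ATA_IOC_MAX_COUNT, vulnerable_alloc_size and checked_ioctl_request are hypothetical names; a real fix would pick a device-appropriate cap rather than the constant assumed here.

```c
/* Added example, not FreeBSD's code: user-space model of the IOCATAREQUEST
 * allocation, showing the unchecked size beside a bounds-checked version. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Only the member this example needs; the real struct ata_ioc_request
 * carries more fields. 'count' is a signed int, as in the kernel. */
struct ata_ioc_request {
    int count;
};

/* Hypothetical upper bound for one request's transfer buffer (assumption). */
#define ATA_IOC_MAX_COUNT (64 * 1024)

/* Model of the vulnerable step: the signed, user-controlled count is passed
 * to malloc(), whose size parameter is unsigned. This returns the size the
 * allocator would see instead of allocating it, so the conversion can be
 * inspected safely: a count of 0xffffffff (-1 as int) becomes SIZE_MAX. */
size_t vulnerable_alloc_size(const struct ata_ioc_request *req)
{
    return (size_t)req->count;   /* the implicit conversion in the real call */
}

/* Hardened version: validate count before the allocator ever sees it.
 * Returns 0 on success (buffer in *buf_out, NULL when count is 0),
 * EINVAL for an out-of-range count, ENOMEM if the allocation fails. */
int checked_ioctl_request(const struct ata_ioc_request *req, void **buf_out)
{
    *buf_out = NULL;
    if (req->count < 0 || req->count > ATA_IOC_MAX_COUNT)
        return EINVAL;           /* reject before touching the allocator */
    if (req->count == 0)
        return 0;                /* no data phase, nothing to allocate */
    *buf_out = malloc((size_t)req->count);
    if (*buf_out == NULL)
        return ENOMEM;
    return 0;
}

int main(void)
{
    struct ata_ioc_request hostile = { -1 };   /* 0xffffffff as int */
    struct ata_ioc_request sane = { 512 };
    void *buf;

    printf("unchecked size for count=-1: %zu bytes\n",
           vulnerable_alloc_size(&hostile));
    printf("checked handler, count=-1: %d (EINVAL=%d)\n",
           checked_ioctl_request(&hostile, &buf), EINVAL);
    printf("checked handler, count=512: %d\n",
           checked_ioctl_request(&sane, &buf));
    free(buf);
    return 0;
}
```

The check rejects both negative values (which the unsigned size parameter would otherwise turn into a multi-gigabyte request) and values above the cap, so the allocator is never asked for an amount decided solely by the caller.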

Written by xorl

July 15, 2009 at 21:31

Posted in bugs, freebsd
