Switch System Flaws: Difference between revisions

Line 547:
!  Public disclosure timeframe
!  Discovered by
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFMEDIA input can contain ptr
| Originally the bsd ioctl SIOCGIFMEDIA used the user-specified ifmediareq structure directly from the input buffer. This structure includes a pointer field (<code>int *ifm_ulist</code>). This pointer probably isn't actually dereferenced?
With [5.0.0+] the structure used as input for the ioctl was changed to use <code>int ifm_ulist[1]</code> instead of <code>int *ifm_ulist</code> (which is unused). The input structure is copied to a tmp struct which is then used as the original ifmediareq structure, with ifm_ulist always NULL. The user can still specify a non-zero ifm_count value, however that's not useful with ifm_ulist always being NULL.
| Useless?
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Sockets_services|bsdsockets]] ioctl SIOCGIFCONF infoleak
| Originally the bsd ioctl SIOCGIFCONF was handled by setting the data in IPC outbuf0 to the size/addr of IPC outbuf1. These buffers are HipcAutoSelect, so if buf1 is small enough for HipcPointer (otherwise it would be HipcMapAlias) the IPC-buf-ptr leaked into outbuf0 would be located in the codebin-region. Since this is done before the actual ioctl-handling, it doesn't matter whether the fd is valid.
This was fixed in [5.0.0+] by using a tmp struct on the stack instead of buf0.
| bsdsockets-sysmodule codebin-region address infoleak, which allows defeating ASLR.
| [[5.0.0]]
| [[13.1.0]]
| February 14, 2022 (probably earlier)
| February 14, 2022
| [[User:Yellows8|yellows8]], probably others
|-
| [[Bluetooth_Driver_services|bluetooth]] BSA gatt_process_notification stack buffer overflow