NetBSD-Bugs archive


port-i386/41269: Incorrect validation in firewire driver code makes it vulnerable.



>Number:         41269
>Category:       port-i386
>Synopsis:       Incorrect validation in firewire driver code makes it vulnerable.
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    port-i386-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 23 03:55:00 +0000 2009
>Originator:     Shivam Patel
>Release:        NetBSD-5_RC
>Organization:
Carnegie Mellon University
>Environment:
NA
>Description:
Hi,
Kindly refer to the following file:
Path: ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-5_RC/src/sys/dev/ieee1394/
File: fwdev.c
Line no. 876

This line fails to validate negative values of crom_buf->len.
Since the user can provide any value for crom_buf->len, a malicious user can bypass
the if validation and access unauthorized memory (line 880).

Please refer to the fix below.

We at CMU are researching automated techniques to detect bugs due to
code reuse. We came across this bug by running an automated program.

I hope this helps.
>How-To-Repeat:
This is a logical validation error. See description in 'Description' Section 
and its fix in the 'Fix to the problem' section.
>Fix:
This vulnerability can be easily fixed by replacing the line as follows:

Path: ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-5_RC/src/sys/dev/ieee1394/
File: fwdev.c
Line no. 876
Current_line: if (crom_buf->len < len)
Possible Fix: if (crom_buf->len < len && crom_buf->len >= 0)

Reference:
A similar vulnerability was present in FreeBSD 5.4 and below. It was
fixed in FreeBSD 5.5 and beyond.

Refer line 715 of FreeBSD5.4 at:
http://fxr.watson.org/fxr/source/dev/firewire/fwdev.c?v=FREEBSD54

Refer to the fixed version in FreeBSD5.5 (line 715) at:
http://fxr.watson.org/fxr/source/dev/firewire/fwdev.c?v=FREEBSD55

Hope this helps
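The following is an added example, not code from the PR or from the NetBSD or FreeBSD fwdev.c sources. It shows why a signed, caller-controlled length survives the quoted condition on line 876 and what the proposed fix changes. Only the condition itself is quoted in the report; the branch bodies (clamping the kernel length to the caller's length, or writing the kernel length back) and the stand-in struct crom_buf_arg with a signed len field are assumptions modelled on a typical min()-style clamp, and the copy primitive is represented only by a size_t conversion, since copyout() takes a size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the ioctl argument (assumption: signed length
 * field under the caller's control, as the report describes). */
struct crom_buf_arg {
    int32_t len;   /* length supplied by the caller */
    void *ptr;     /* destination buffer supplied by the caller */
};

/* Length selection shaped like the original check quoted in the PR.
 * The branch bodies are an assumption (a min()-style clamp): a negative
 * crom_buf->len compares less than any positive kernel length, so it is
 * returned unchanged and becomes the copy length. */
int32_t crom_len_original(struct crom_buf_arg *crom_buf, int32_t len)
{
    if (crom_buf->len < len)
        len = crom_buf->len;
    else
        crom_buf->len = len;
    return len;
}

/* The PR's proposed condition: a negative caller length no longer wins
 * the comparison, so the else branch writes back the kernel length and
 * the copy is bounded by it. */
int32_t crom_len_fixed(struct crom_buf_arg *crom_buf, int32_t len)
{
    if (crom_buf->len < len && crom_buf->len >= 0)
        len = crom_buf->len;
    else
        crom_buf->len = len;
    return len;
}

/* copyout() takes a size_t: a negative int converts to a huge value,
 * which is the unbounded read the report warns about. */
size_t as_copy_size(int32_t len)
{
    return (size_t)len;
}

/* A chosen length is acceptable only if it lies within the kernel data. */
int copy_len_is_bounded(int32_t chosen, int32_t kernel_len)
{
    return chosen >= 0 && chosen <= kernel_len;
}

/* Convenience wrappers: build the argument from a caller length and
 * return the length each variant would hand to the copy. */
int32_t select_len_original(int32_t user_len, int32_t kernel_len)
{
    struct crom_buf_arg b = { .len = user_len, .ptr = NULL };
    return crom_len_original(&b, kernel_len);
}

int32_t select_len_fixed(int32_t user_len, int32_t kernel_len)
{
    struct crom_buf_arg b = { .len = user_len, .ptr = NULL };
    return crom_len_fixed(&b, kernel_len);
}

int main(void)
{
    const int32_t kernel_len = 1024;          /* constructed CROM size */
    const int32_t inputs[] = { 16, 1024, 4096, -1 };
    size_t i;

    printf("%8s %10s %22s %10s\n", "user", "original", "as size_t", "fixed");
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int32_t orig = select_len_original(inputs[i], kernel_len);
        int32_t fixed = select_len_fixed(inputs[i], kernel_len);
        printf("%8d %10d %22zu %10d%s\n", inputs[i], orig,
               as_copy_size(orig), fixed,
               copy_len_is_bounded(orig, kernel_len) ? "" : "  <- unbounded");
    }
    return 0;
}
```

The table the program prints makes the point of the report visible: every non-negative input is clamped identically by both checks, while -1 passes the original comparison and turns into SIZE_MAX once it reaches a size_t parameter. A variant that declares the length field unsigned would close the same gap without the extra comparison.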


