Showing posts from January, 2018

NetBSD kernel wscons IOCTL vulnerable bug class

Dr Silvio Cesare
In this blog post I discuss a vulnerable bug class that exists in the NetBSD kernel based on an incorrect coding style that has an integer overflow during input validation. I find 17 vulnerabilities and variants. I write a coccinelle script to automatically detect 16 instances of the integer overflow bugs with an additional 5 false positives. Furthermore, I manually find another bug that isn't an integer overflow, but in fact is code that has no input validation at all. 1. IntroductionI discovered this bug class during the InfoSect public code review session we ran looking specifically at the NetBSD kernel. I found a couple of these bugs and then after the session was complete, I went back and realised the same bug was scattered in other drivers. In total, 17 instances of this vulnerability and its variants were discovered.

In all fairness, I came across this bug class during my kernel audits in 2002 and most instances were patched. It just seems there are more bugs…