An exploitable buffer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with 32-bit file systems. An attacker can craft an input that can cause a buffer overflow in the nm variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9032.

**Summary**

An exploitable buffer overflow exists in the the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS\_ADD\_ENTRIES when dealing with 32-bit file systems. An attacker can craft an input that can cause a buffer overflow in the nm variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9032.

**Tested Versions**

Joyent SmartOS 20161110T013148Z

**Product URLs**

https://www.joyent.com/smartos

**CVSSv3 Score**

7.0 - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-121: Stack-based Buffer Overflow

**Details**

Joyent SmartOS is an operating system deployed by Joyent to be used as a hypervisor like solution meaning virtual machines will run on top of the system itself. SmartOS is unique in the fact that it is based on a fork of Opensolaris. This leaves many vulnerabilities in the kernel due to the fact that it is not as actively developed as other operating systems. Hyprlofs is a file system specifically designed for SmartOS which allows the creation of new virtual file systems quickly and easily. This was developed and designed to help make there product, Manta, possible.

Most of the controls for Hyprlofs go through the Ioctl calls. An Ioctl is a control function that operates on various streams in this case a file descriptor to the file system. Looking further into that code we can spot the vulnerability. The beginning of the function is shown below.

    illumos-joyent-master/usr/src/uts/common/fs/hyprlofs/hyprlofs_vnops.c
    
    134     static int
            hyprlofs_ioctl(vnode_t *vp, int cmd, intptr_t data, int flag,
                cred_t *cr, int *rvalp, caller_context_t *ct)
            {
                int len, cnt, error;
                char path[MAXPATHLEN];
                char nm[MAXPATHLEN]; [1]
    
                ...
                if (secpolicy_hyprlofs_control(cr) != 0)
                    return (EPERM);
                if (cmd == HYPRLOFS_ADD_ENTRIES || cmd == HYPRLOFS_RM_ENTRIES) { [2]
                    if (model == DATAMODEL_NATIVE) {
                    ...
    
                    }
                    else {
                    hyprlofs_entries32_t ebuf32;
                    hyprlofs_entry32_t *e32;
    
                    ...
    
    226             e32 = kmem_alloc(len, KM_SLEEP);
                    if (copyin((void *)(unsigned long)(ebuf32.hle_entries), [3]
                        e32, len)) {
                        kmem_free(e32, len);
                        return (EFAULT);
                    }
    
                    for (i = 0; i < cnt; i++) {
                        if (e32[i].hle_nlen == 0 ||
    235                     e32[i].hle_nlen > MAXPATHLEN) [4]
                            return (EINVAL);
    
                            ...
    
    244                 nm[e32[i].hle_nlen] = '\0'; [5]
    

The code at \[1\] shows the declaration of the vulnerable stack buffer of size MAXPATHLEN, 1024. We see at \[2\] that if our command is HYPRLOFS\_ADD\_ENTRIES we continue into the vulnerable code path. Our data is first copied in at \[3\], and is then used for some set up. Later we see the user supplied name length is validated to ensure it is not too large for the buffer at \[4\]. The vulnerability is present because the check says greater than MAXPATHLEN instead of greater than or equal, resulting in a length that is one too large to be allowed. This results in a null byte out of bounds write at \[5\]. This vulnerability may be leveraged by an attacker to potentially increase privileges or as a denial of service.

**Timeline**

2016-12-01 - Vendor Disclosure  
2016-12-12 - Public Release

Discovered by Tyler Bohan of Cisco Talos.

CVE-2016-9034: TALOS-2016-0252 || Cisco Talos Intelligence Group

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-5771: PHP: PHP 5 ChangeLog

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2016-4343: PHP: PHP 7 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.

CVE-2014-3479: PHP: PHP 5 ChangeLog

Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.

Tag

#xpath