libnv: fix heap overflow in nvlist_recv()

nvlist_check_header() validated nvlh_size for overflow before performing conversion. An mallicous user can set NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that the orginall value passes the check, but after the conversion the sizeof(nvlist_header) + size can overflow. This can lead to a heap buffer overflow. Approved by: so Security: FreeBSD-SA-26:17.libnv Security: CVE-2026-35547 Fixes: 36fa90dbde0060aacb5677d0b113ee168e839071 Reviewed by: markj Differential Revision: https://reviews.freebsd.org/D56342
2026-05-28 04:12:45 -04:00 · 2026-04-28 14:36:09 +00:00 · 2026-04-28 14:36:09 +00:00 · 7b7e6d7376
commit 7b7e6d7376
parent 4b28a8af30
2 changed files with 62 additions and 4 deletions
--- a/lib/libnv/tests/nvlist_send_recv_test.c
+++ b/lib/libnv/tests/nvlist_send_recv_test.c
@ -1,5 +1,8 @@
 /*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
 * Copyright (c) 2013 The FreeBSD Foundation
+ * Copyright (c) 2024-2026 Mariusz Zaborski <oshogbo@FreeBSD.org>
 *
 * This software was developed by Pawel Jakub Dawidek under sponsorship from
 * the FreeBSD Foundation.
@ -664,6 +667,58 @@ ATF_TC_BODY(nvlist_send_recv__overflow_header_size, tc)
 	}
 }

+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_big_endian_size);
+ATF_TC_BODY(nvlist_send_recv__overflow_big_endian_size, tc)
+{
+	static const unsigned char payload[] = {
+		0x6c,						/* magic */
+		0x00,						/* version */
+		0x80,						/* flags: NV_FLAG_BIG_ENDIAN */
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf5,
+	};
+	nvlist_t *nvl;
+	int sv[2];
+
+	ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
+	ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
+	    (ssize_t)sizeof(payload));
+	ATF_REQUIRE_EQ(close(sv[1]), 0);
+
+	errno = 0;
+	nvl = nvlist_recv(sv[0], 0);
+	ATF_REQUIRE(nvl == NULL);
+	ATF_REQUIRE_EQ(errno, EINVAL);
+
+	ATF_REQUIRE_EQ(close(sv[0]), 0);
+}
+
+ATF_TC_WITHOUT_HEAD(nvlist_send_recv__overflow_little_endian_size);
+ATF_TC_BODY(nvlist_send_recv__overflow_little_endian_size, tc)
+{
+	static const unsigned char payload[] = {
+		0x6c,						/* magic */
+		0x00,						/* version */
+		0x00,						/* flags */
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	};
+	nvlist_t *nvl;
+	int sv[2];
+
+	ATF_REQUIRE_EQ(socketpair(AF_UNIX, SOCK_STREAM, 0, sv), 0);
+	ATF_REQUIRE_EQ(write(sv[1], payload, sizeof(payload)),
+	    (ssize_t)sizeof(payload));
+	ATF_REQUIRE_EQ(close(sv[1]), 0);
+
+	errno = 0;
+	nvl = nvlist_recv(sv[0], 0);
+	ATF_REQUIRE(nvl == NULL);
+	ATF_REQUIRE_EQ(errno, EINVAL);
+
+	ATF_REQUIRE_EQ(close(sv[0]), 0);
+}
+
 ATF_TC_WITHOUT_HEAD(nvlist_send_recv__invalid_fd_size);
 ATF_TC_BODY(nvlist_send_recv__invalid_fd_size, tc)
 {
@ -799,6 +854,8 @@ ATF_TP_ADD_TCS(tp)
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__send_many_fds__stream);

 	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_header_size);
+	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_big_endian_size);
+	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_little_endian_size);
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__invalid_fd_size);
 	ATF_TP_ADD_TC(tp, nvlist_send_recv__overflow_fd_size);

--- a/sys/contrib/libnv/nvlist.c
+++ b/sys/contrib/libnv/nvlist.c
@ -1022,10 +1022,6 @@ static bool
 nvlist_check_header(struct nvlist_header *nvlhdrp)
 {

-	if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
-		ERRNO_SET(EINVAL);
-		return (false);
-	}
 	if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
 		ERRNO_SET(EINVAL);
 		return (false);
@ -1045,6 +1041,11 @@ nvlist_check_header(struct nvlist_header *nvlhdrp)
 		nvlhdrp->nvlh_descriptors = be64toh(nvlhdrp->nvlh_descriptors);
 	}
 #endif
+	if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
+		ERRNO_SET(EINVAL);
+		return (false);
+	}
+
 	return (true);
 }