From ddab4ffce9ba63bfd31b7d0668c8d4671bcb60d7 Mon Sep 17 00:00:00 2001
From: Lucas Holt
Date: Sun, 22 Sep 2024 10:26:25 -0400
Subject: [PATCH] A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. The introduced check was incorrect, as it took into account the size of the pointer, not the structure. This vulnerability affects both kernel and userland.
---
 sys/contrib/libnv/nvlist.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sys/contrib/libnv/nvlist.c b/sys/contrib/libnv/nvlist.c
index f9c53975613..f7cbb86d303 100644
--- a/sys/contrib/libnv/nvlist.c
+++ b/sys/contrib/libnv/nvlist.c
@@ -1027,6 +1027,10 @@ nvlist_pack(const nvlist_t *nvl, size_t *sizep)
 static bool
 nvlist_check_header(struct nvlist_header *nvlhdrp)
 {
+ if (nvlhdrp->nvlh_size > SIZE_MAX - sizeof(*nvlhdrp)) {
+ ERRNO_SET(EINVAL);
+ return (false);
+ }
 if (nvlhdrp->nvlh_magic != NVLIST_HEADER_MAGIC) {
 ERRNO_SET(EINVAL);