netmap: Fix TOCTOU vulnerability in nmreq_copyin
The total size of the user-provided nmreq was first computed and then trusted during the copyin. This might lead to kernel memory corruption and escape from jails/containers. Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23084 MFC after: 3 days
This commit is contained in:
Vincenzo Maffione
parent
694ea59c70
commit
3937299165
@ -3362,11 +3362,10 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size)
|
||||
int
|
||||
nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
|
||||
{
|
||||
size_t rqsz, optsz, bufsz, optbodysz;
|
||||
size_t rqsz, optsz, bufsz;
|
||||
int error = 0;
|
||||
char *ker = NULL, *p;
|
||||
struct nmreq_option **next, *src, **opt_tab;
|
||||
struct nmreq_option buf;
|
||||
uint64_t *ptrs;
|
||||
|
||||
if (hdr->nr_reserved) {
|
||||
@ -3396,39 +3395,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
|
||||
goto out_err;
|
||||
}
|
||||
|
||||
bufsz = 2 * sizeof(void *) + rqsz +
|
||||
NETMAP_REQ_OPT_MAX * sizeof(opt_tab);
|
||||
/* compute the size of the buf below the option table.
|
||||
* It must contain a copy of every received option structure.
|
||||
* For every option we also need to store a copy of the user
|
||||
* list pointer.
|
||||
/*
|
||||
* The buffer size must be large enough to store the request body,
|
||||
* all the possible options and the additional user pointers
|
||||
* (2+NETMAP_REQ_OPT_MAX). Note that the maximum size of body plus
|
||||
* options can not exceed NETMAP_REQ_MAXSIZE;
|
||||
*/
|
||||
optsz = 0;
|
||||
for (src = (struct nmreq_option *)(uintptr_t)hdr->nr_options; src;
|
||||
src = (struct nmreq_option *)(uintptr_t)buf.nro_next)
|
||||
{
|
||||
error = copyin(src, &buf, sizeof(*src));
|
||||
if (error)
|
||||
goto out_err;
|
||||
/* Validate nro_size to avoid integer overflow of optsz and bufsz. */
|
||||
if (buf.nro_size > NETMAP_REQ_MAXSIZE) {
|
||||
error = EMSGSIZE;
|
||||
goto out_err;
|
||||
}
|
||||
optsz += sizeof(*src);
|
||||
optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
|
||||
if (optbodysz > NETMAP_REQ_MAXSIZE) {
|
||||
error = EMSGSIZE;
|
||||
goto out_err;
|
||||
}
|
||||
optsz += optbodysz;
|
||||
if (rqsz + optsz > NETMAP_REQ_MAXSIZE) {
|
||||
error = EMSGSIZE;
|
||||
goto out_err;
|
||||
}
|
||||
bufsz += sizeof(void *);
|
||||
}
|
||||
bufsz += optsz;
|
||||
bufsz = (2 + NETMAP_REQ_OPT_MAX) * sizeof(void *) + NETMAP_REQ_MAXSIZE +
|
||||
NETMAP_REQ_OPT_MAX * sizeof(opt_tab);
|
||||
|
||||
ker = nm_os_malloc(bufsz);
|
||||
if (ker == NULL) {
|
||||
@ -3466,6 +3440,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
|
||||
error = copyin(src, opt, sizeof(*src));
|
||||
if (error)
|
||||
goto out_restore;
|
||||
rqsz += sizeof(*src);
|
||||
/* make a copy of the user next pointer */
|
||||
*ptrs = opt->nro_next;
|
||||
/* overwrite the user pointer with the in-kernel one */
|
||||
@ -3509,6 +3484,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
|
||||
/* copy the option body */
|
||||
optsz = nmreq_opt_size_by_type(opt->nro_reqtype,
|
||||
opt->nro_size);
|
||||
/* check optsz and nro_size to avoid for possible integer overflows of rqsz */
|
||||
if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE)
|
||||
|| (rqsz + optsz > NETMAP_REQ_MAXSIZE)
|
||||
|| (optsz > 0 && rqsz + optsz <= rqsz)) {
|
||||
error = EMSGSIZE;
|
||||
goto out_restore;
|
||||
}
|
||||
rqsz += optsz;
|
||||
if (optsz) {
|
||||
/* the option body follows the option header */
|
||||
error = copyin(src + 1, p, optsz);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user