d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
385e98080c
freebsd-dev/sys/netinet
History
Brooks Davis 855acb84ca Fix bugs in plugable CC algorithm and siftr sysctls. 
Use the sysctl_handle_int() handler to write out the old value and read
the new value into a temporary variable. Use the temporary variable
for any checks of values rather than using the CAST_PTR_INT() macro on
req->newptr. The prior usage read directly from userspace memory if the
sysctl() was called correctly. This is unsafe and doesn't work at all on
some architectures (at least i386.)

In some cases, the code could also be tricked into reading from kernel
memory and leaking limited information about the contents or crashing
the system. This was true for CDG, newreno, and siftr on all platforms
and true for i386 in all cases. The impact of this bug is largest in
VIMAGE jails which have been configured to allow writing to these
sysctls.

Per discussion with the security officer, we will not be issuing an
advisory for this issue as root access and a non-default config are
required to be impacted.

Reviewed by:	markj, bz
Discussed with:	gordon (security officer)
MFC after:	3 days
Security:	kernel information leak, local DoS (both require root)
Differential Revision:	https://reviews.freebsd.org/D18443
2018-12-15 15:06:22 +00:00
..
cc Fix bugs in plugable CC algorithm and siftr sysctls. 2018-12-15 15:06:22 +00:00
khelp sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
libalias Remove a duplicate check. 2018-07-11 14:54:56 +00:00
netdump Expose some netdump configuration parameters through sysctl. 2018-10-29 21:16:26 +00:00
tcp_stacks A TCP stack is required to check SEG.ACK first, when processing a 2018-11-22 20:05:57 +00:00
accf_data.c sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
accf_dns.c sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
accf_http.c sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
icmp6.h Initial implementation of draft-ietf-6man-ipv6only-flag. 2018-10-30 20:08:48 +00:00
icmp_var.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
if_ether.c Improve the comment for arpresolve_full() in if_ether.c. 2018-11-17 16:13:09 +00:00
if_ether.h Retire arpresolve_addr(), which is not used anywhere, from if_ether.c. 2018-11-17 16:08:36 +00:00
igmp_var.h Separate list manipulation locking from state change in multicast 2018-05-02 19:36:29 +00:00
igmp.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
igmp.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
in_cksum.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
in_debug.c CK: update consumers to use CK macros across the board 2018-05-24 23:21:23 +00:00
in_fib.c Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
in_fib.h
in_gif.c Add the check that current VNET is ready and access to srchash is allowed. 2018-10-23 13:11:45 +00:00
in_jail.c Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
in_kdtrace.c Define sctp probes only when SCTP is configured. 2018-09-06 14:15:03 +00:00
in_kdtrace.h Add support for send, receive and state-change DTrace providers for 2018-08-22 21:23:32 +00:00
in_mcast.c Prevent multicast code from panicing due to unprotected access to INADDR_HASH. 2018-10-27 04:53:25 +00:00
in_pcb.c Remove unused argument to priv_check_cred. 2018-12-11 19:32:16 +00:00
in_pcb.h Clamp the INPCB port hash tables to IPPORT_MAX + 1 chains. 2018-12-05 17:06:00 +00:00
in_pcbgroup.c Fix PCBGROUPS build post CK conversion of pcbinfo 2018-06-13 23:19:54 +00:00
in_prot.c Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
in_proto.c Remove empty encap_init() function. 2018-05-29 12:32:08 +00:00
in_rmx.c
in_rss.c
in_rss.h
in_systm.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
in_var.h UDP: further performance improvements on tx 2018-05-23 21:02:14 +00:00
in.c Add ifaddr_event_ext event. It is similar to ifaddr_event, but the 2018-10-21 15:02:06 +00:00
in.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip6.h carp: Set DSCP value CS7 2018-07-01 08:37:07 +00:00
ip_carp.c carpstats are the last virtualised variable in the file and end up at the 2018-11-01 17:26:18 +00:00
ip_carp.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
ip_divert.c Plug some networking sysctl leaks. 2018-11-22 20:49:41 +00:00
ip_divert.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
ip_dummynet.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
ip_ecn.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_ecn.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_encap.c Include <sys/eventhandler.h> to fix the build. 2018-10-21 18:39:34 +00:00
ip_encap.h Add KPI that can be used by tunneling interfaces to handle IP addresses 2018-10-21 17:55:26 +00:00
ip_fastfwd.c Fix "ipfw fwd" to work for incoming IPv4 packets when ip_tryforward() chooses 2018-09-05 13:59:36 +00:00
ip_fw.h Add ability to request listing and deleting only for dynamic states. 2018-12-04 16:12:43 +00:00
ip_gre.c Add the check that current VNET is ready and access to srchash is allowed. 2018-10-23 13:11:45 +00:00
ip_icmp.c Avoid buffer underwrite in icmp_error 2018-11-08 20:17:36 +00:00
ip_icmp.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_id.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_input.c Prevent ip_input() from panicing due to unprotected access to INADDR_HASH. 2018-10-27 04:59:35 +00:00
ip_mroute.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_mroute.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_options.c There are three places where we return from a function which entered an 2018-10-09 13:26:06 +00:00
ip_options.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
ip_output.c Ensure that the ips_localout counter is incremented for 2018-10-07 11:26:15 +00:00
ip_reass.c Add some additional length checks to the IPv4 fragmentation code. 2018-11-16 18:32:48 +00:00
ip_var.h Add some additional length checks to the IPv4 fragmentation code. 2018-11-16 18:32:48 +00:00
ip.h carp: Set DSCP value CS7 2018-07-01 08:37:07 +00:00
pim_var.h Rework IP encapsulation handling code. 2018-06-05 20:51:01 +00:00
pim.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
raw_ip.c Plug some networking sysctl leaks. 2018-11-22 20:49:41 +00:00
sctp_asconf.c Plug mbuf leak in the SCTP input path in an error case. 2018-09-30 21:54:02 +00:00
sctp_asconf.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_auth.c Mitigate providing a timing signal if the COOKIE or AUTH 2018-10-01 14:05:31 +00:00
sctp_auth.h Remove unused code. 2018-09-18 10:53:07 +00:00
sctp_bsd_addr.c Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_bsd_addr.h Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_cc_functions.c Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_constants.h Refactor the SHUTDOWN_PENDING state handling. 2018-08-21 13:25:32 +00:00
sctp_crc32.c Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_crc32.h When adding support for sending SCTP packets containing an ABORT chunk 2017-12-26 12:35:02 +00:00
sctp_dtrace_declare.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
sctp_dtrace_define.h Add support for send, receive and state-change DTrace providers for 2018-08-22 21:23:32 +00:00
sctp_header.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_indata.c Refactor the SHUTDOWN_PENDING state handling. 2018-08-21 13:25:32 +00:00
sctp_indata.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_input.c Mitigate providing a timing signal if the COOKIE or AUTH 2018-10-01 14:05:31 +00:00
sctp_input.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_lock_bsd.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
sctp_os_bsd.h Use arc4rand() instead of read_random() in the SCTP and TCP code. 2018-08-23 19:10:45 +00:00
sctp_os.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
sctp_output.c Don't use a function when neither INET nor INET6 are defined. 2018-11-06 12:55:03 +00:00
sctp_output.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_pcb.c Refactor the SHUTDOWN_PENDING state handling. 2018-08-21 13:25:32 +00:00
sctp_pcb.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_peeloff.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_peeloff.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
sctp_ss_functions.c Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_structs.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_syscalls.c netinet silence warnings 2018-05-19 05:56:21 +00:00
sctp_sysctl.c Plug some networking sysctl leaks. 2018-11-22 20:49:41 +00:00
sctp_sysctl.h Add initial descriptions for SCTP related MIB variable. 2018-10-26 21:04:17 +00:00
sctp_timer.c Refactor the SHUTDOWN_PENDING state handling. 2018-08-21 13:25:32 +00:00
sctp_timer.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
sctp_uio.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_usrreq.c Refactor the SHUTDOWN_PENDING state handling. 2018-08-21 13:25:32 +00:00
sctp_var.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctputil.c Whitespace changes and fixing a typo. No functional change. 2018-09-26 10:24:50 +00:00
sctputil.h Refactor the SHUTDOWN_PENDING state handling. 2018-08-21 13:25:32 +00:00
siftr.c Fix bugs in plugable CC algorithm and siftr sysctls. 2018-12-15 15:06:22 +00:00
tcp_debug.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
tcp_debug.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
tcp_fastopen.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
tcp_fastopen.h Greatly reduce the number of #ifdefs supporting the TCP_RFC7413 kernel option. 2018-02-26 03:03:41 +00:00
tcp_fsm.h Revert r334843, and partially revert r335180. 2018-06-23 06:53:53 +00:00
tcp_hostcache.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
tcp_hostcache.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
tcp_hpts.c Add INP_INFO_WUNLOCK_ASSERT() macro and use it instead of 2018-10-01 10:46:00 +00:00
tcp_hpts.h epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
tcp_input.c The handling of RST segments in the SYN-RCVD state exists in the 2018-10-18 19:21:18 +00:00
tcp_log_buf.c Clean up some debugging code left in tcp_log_buf.c from r331347. 2018-04-10 15:51:37 +00:00
tcp_log_buf.h This change represents a substantial restructure of the way we 2018-08-20 12:43:18 +00:00
tcp_lro.c Update tcp_lro with tested bugfixes from Netflix and LLNW: 2018-03-09 00:08:43 +00:00
tcp_lro.h sys: general adoption of SPDX licensing ID tags. 2017-11-27 15:23:17 +00:00
tcp_offload.c Revert r334843, and partially revert r335180. 2018-06-23 06:53:53 +00:00
tcp_offload.h Add a hook to allow the toedev handling an offloaded connection to 2018-04-03 01:08:54 +00:00
tcp_output.c Ensure that TCP RST-segments announce consistently a receiver window of 2018-11-22 19:49:52 +00:00
tcp_pcap.c
tcp_pcap.h
tcp_reass.c In r338102, the TCP reassembly code was substantially restructured. Prior 2018-10-16 14:41:09 +00:00
tcp_sack.c sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
tcp_seq.h r330675 introduced an extra window check in the LRO code to ensure it 2018-04-03 13:54:38 +00:00
tcp_subr.c Plug some networking sysctl leaks. 2018-11-22 20:49:41 +00:00
tcp_syncache.c Remove debug code which slipped in accidently. 2018-11-01 11:41:40 +00:00
tcp_syncache.h The handling of RST segments in the SYN-RCVD state exists in the 2018-10-18 19:21:18 +00:00
tcp_timer.c epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
tcp_timer.h epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
tcp_timewait.c Send consistent SEG.WIN when using timewait codepath for TCP. 2018-07-30 21:13:42 +00:00
tcp_usrreq.c Limit option_len for the TCP_CCALGOOPT. 2018-11-30 10:50:07 +00:00
tcp_var.h This change represents a substantial restructure of the way we 2018-08-20 12:43:18 +00:00
tcp.h This commit brings in a new refactored TCP stack called Rack. 2018-06-07 18:18:13 +00:00
tcpip.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
toecore.c Add the ability to look up the 3b PCP of a VLAN interface. Use it in 2018-08-16 23:46:38 +00:00
toecore.h Add a hook to allow the toedev handling an offloaded connection to 2018-04-03 01:08:54 +00:00
udp_usrreq.c Plug some networking sysctl leaks. 2018-11-22 20:49:41 +00:00
udp_var.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
udp.h sys: further adoption of SPDX licensing ID tags. 2017-11-20 19:43:44 +00:00
udplite.h Add a dtrace provider for UDP-Lite. 2018-07-31 22:56:03 +00:00