d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disallow TUN and TAP character device IOCTLs to modify the network device

Browse Source 
type to any value. This can cause page faults and panics due to accessing
uninitialized fields in the "struct ifnet" which are specific to the network
device type.

MFC after:	1 week
Found by:	jau@iki.fi
PR:		223767
Sponsored by:	Mellanox Technologies
This commit is contained in:
hselasky 2017-11-29 09:40:11 +00:00
parent 97f0932623
commit 30eed323c8
4 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
share/man/man4/tap.4
View File

@ -1,7 +1,7 @@
.\" $FreeBSD$ .\" $FreeBSD$
.\" Based on PR#2411 .\" Based on PR#2411
.\" .\"
.Dd April 10, 2015 .Dd November 29, 2017
.Dt TAP 4 .Dt TAP 4
.Os .Os
.Sh NAME .Sh NAME
@ -171,7 +171,14 @@ calls are supported
.In net/if_tap.h ) : .In net/if_tap.h ) :
.Bl -tag -width VMIO_SIOCSETMACADDR .Bl -tag -width VMIO_SIOCSETMACADDR
.It Dv TAPSIFINFO .It Dv TAPSIFINFO
Set network interface information (line speed, MTU and type). Set network interface information (line speed and MTU).
The type must be the same as returned by
.Dv TAPGIFINFO
or set to
.Dv IFT_ETHER
else the
.Xr ioctl 2
call will fail.
The argument should be a pointer to a The argument should be a pointer to a
.Va struct tapinfo . .Va struct tapinfo .
.It Dv TAPGIFINFO .It Dv TAPGIFINFO

11
share/man/man4/tun.4
View File

@ -2,7 +2,7 @@
.\" $FreeBSD$ .\" $FreeBSD$
.\" Based on PR#2411 .\" Based on PR#2411
.\" .\"
.Dd November 30, 2014 .Dd November 29, 2017
.Dt TUN 4 .Dt TUN 4
.Os .Os
.Sh NAME .Sh NAME
@ -208,8 +208,15 @@ this stores the internal debugging variable's value into it.
.It Dv TUNSIFINFO .It Dv TUNSIFINFO
The argument should be a pointer to an The argument should be a pointer to an
.Vt struct tuninfo .Vt struct tuninfo
and allows setting the MTU, the type, and the baudrate of the tunnel and allows setting the MTU and the baudrate of the tunnel
device. device.
The type must be the same as returned by
.Dv TUNGIFINFO
or set to
.Dv IFT_PPP
else the
.Xr ioctl 2
call will fail.
The The
.Vt struct tuninfo .Vt struct tuninfo
is declared in is declared in

3
sys/net/if_tap.c
View File

@ -737,9 +737,10 @@ tapioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, struct thread *td
switch (cmd) { switch (cmd) {
case TAPSIFINFO: case TAPSIFINFO:
tapp = (struct tapinfo *)data; tapp = (struct tapinfo *)data;
if (ifp->if_type != tapp->type)
return (EPROTOTYPE);
mtx_lock(&tp->tap_mtx); mtx_lock(&tp->tap_mtx);
ifp->if_mtu = tapp->mtu; ifp->if_mtu = tapp->mtu;
ifp->if_type = tapp->type;
ifp->if_baudrate = tapp->baudrate; ifp->if_baudrate = tapp->baudrate;
mtx_unlock(&tp->tap_mtx); mtx_unlock(&tp->tap_mtx);
break; break;

3
sys/net/if_tun.c
View File

@ -676,9 +676,10 @@ tunioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
if (error) if (error)
return (error); return (error);
} }
if (TUN2IFP(tp)->if_type != tunp->type)
return (EPROTOTYPE);
mtx_lock(&tp->tun_mtx); mtx_lock(&tp->tun_mtx);
TUN2IFP(tp)->if_mtu = tunp->mtu; TUN2IFP(tp)->if_mtu = tunp->mtu;
TUN2IFP(tp)->if_type = tunp->type;
TUN2IFP(tp)->if_baudrate = tunp->baudrate; TUN2IFP(tp)->if_baudrate = tunp->baudrate;
mtx_unlock(&tp->tun_mtx); mtx_unlock(&tp->tun_mtx);
break; break;