Module Name: src Committed By: riastradh Date: Thu Jul 7 18:17:33 UTC 2022
Modified Files: src/sys/compat/common: uipc_syscalls_40.c src/sys/net: if.c Log Message: ifioctl(9): Don't touch ifconf or ifreq until command is validated. sys_ioctl validates the data pointer according to the command's size and direction. But userland may issue ioctl commands other than OSIOCGIFCONF or OOSIOCGIFCONF -- and if userland passes an IOC_VOID command, the argument is passed through verbatim and may be null. Reported-by: syzbot+19b1bf83e5481273e...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=f4c91a7dcd31901c80d91af6ed01456faf0a7286 Reported-by: syzbot+442c033feb784d055...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=4a3a4b92dbe9695046ff17a5474cef52aed23e0b Reported-by: syzbot+4c87d0cdf7025741e...@syzkaller.appspotmail.com https://syzkaller.appspot.com/bug?id=3e5f42c998e43ad42da40dec3c7873e6aae187e4 To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/sys/compat/common/uipc_syscalls_40.c cvs rdiff -u -r1.505 -r1.506 src/sys/net/if.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/common/uipc_syscalls_40.c
diff -u src/sys/compat/common/uipc_syscalls_40.c:1.23 src/sys/compat/common/uipc_syscalls_40.c:1.24
--- src/sys/compat/common/uipc_syscalls_40.c:1.23 Thu Jul 16 15:02:08 2020
+++ src/sys/compat/common/uipc_syscalls_40.c Thu Jul 7 18:17:33 2022
@@ -1,9 +1,9 @@
-/* $NetBSD: uipc_syscalls_40.c,v 1.23 2020/07/16 15:02:08 msaitoh Exp $ */
+/* $NetBSD: uipc_syscalls_40.c,v 1.24 2022/07/07 18:17:33 riastradh Exp $ */
 /* written by Pavel Cahyna, 2006. Public domain. */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.23 2020/07/16 15:02:08 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.24 2022/07/07 18:17:33 riastradh Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -41,7 +41,6 @@ compat_ifconf(u_long cmd, void *data)
 struct oifreq ifr, *ifrp = NULL;
 int space = 0, error = 0;
 const int sz = (int)sizeof(ifr);
- const bool docopy = ifc->ifc_req != NULL;
 int s;
 int bound;
 struct psref psref;
@@ -54,6 +53,7 @@ compat_ifconf(u_long cmd, void *data)
 return ENOSYS;
 }
+ const bool docopy = ifc->ifc_req != NULL;
 if (docopy) {
 if (ifc->ifc_len < 0)
 return EINVAL;
Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.505 src/sys/net/if.c:1.506
--- src/sys/net/if.c:1.505 Sun May 22 11:27:36 2022
+++ src/sys/net/if.c Thu Jul 7 18:17:33 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: if.c,v 1.505 2022/05/22 11:27:36 andvar Exp $ */
+/* $NetBSD: if.c,v 1.506 2022/07/07 18:17:33 riastradh Exp $ */
 /*-
 * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.505 2022/05/22 11:27:36 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.506 2022/07/07 18:17:33 riastradh Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
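Review bot: The relocated `docopy` initialisation in the compat_ifconf hunk at @@ -54,6 +53,7 @@ carries no hint of why it must stay below the command check, so a later tidy-up could hoist it back into the declaration block and reintroduce the dereference of an unvalidated `ifc`. A one-line comment above it would pin the ordering: `/* ifc may only be dereferenced once the command check above has accepted cmd; IOC_VOID commands pass data through unvalidated. */`. The same ordering constraint applies to the new guard in the if.c doifioctl hunk. compat_ifconf's body starts and ends outside this hunk, so I cannot confirm from here that nothing else reads `ifc` before the `return ENOSYS` branch.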
@@ -3450,6 +3450,9 @@ doifioctl(struct socket *so, u_long cmd,
 }
 }
+ if ((cmd & IOC_IN) == 0 || IOCPARM_LEN(cmd) < sizeof(ifr->ifr_name))
+ return EINVAL;
+
 bound = curlwp_bind();
 ifp = if_get(ifr->ifr_name, &psref);
 if (ifp == NULL) {
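Review bot: The new guard in doifioctl is undocumented, and the reason IOC_IN and IOCPARM_LEN are the right conditions (an IOC_VOID command hands the raw user pointer through, possibly NULL, so `ifr` is not safe to read) lives only in the commit message. I would add above it: `/* Only commands with an in-copied argument of at least ifr_name bytes may be looked up by name; IOC_VOID passes data through unvalidated. */`. The length check guarantees that the bytes of ifr_name were copied in, not that the name is NUL-terminated, so the lookup in if_get must bound its comparison by the name's size; I cannot confirm that from this hunk. doifioctl starts and ends outside the hunk, so any read of `ifr` before this point is not covered by the new check.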