CVS commit: src/sys

Taylor R Campbell Thu, 07 Jul 2022 11:17:42 -0700

Module Name:    src
Committed By:   riastradh
Date:           Thu Jul  7 18:17:33 UTC 2022


Modified Files:
        src/sys/compat/common: uipc_syscalls_40.c
        src/sys/net: if.c

Log Message:
ifioctl(9): Don't touch ifconf or ifreq until command is validated.

sys_ioctl validates the data pointer according to the command's size
and direction.  But userland may ioctl commands other than
OSIOCGIFCONF or OOSIOCGIFCONF -- and if userland passes an IOC_VOID
command, the argument is passed through verbatim and may be null.

Reported-by: [email protected]
https://syzkaller.appspot.com/bug?id=f4c91a7dcd31901c80d91af6ed01456faf0a7286

Reported-by: [email protected]
https://syzkaller.appspot.com/bug?id=4a3a4b92dbe9695046ff17a5474cef52aed23e0b

Reported-by: [email protected]
https://syzkaller.appspot.com/bug?id=3e5f42c998e43ad42da40dec3c7873e6aae187e4


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/compat/common/uipc_syscalls_40.c
cvs rdiff -u -r1.505 -r1.506 src/sys/net/if.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/common/uipc_syscalls_40.c
diff -u src/sys/compat/common/uipc_syscalls_40.c:1.23 src/sys/compat/common/uipc_syscalls_40.c:1.24
--- src/sys/compat/common/uipc_syscalls_40.c:1.23	Thu Jul 16 15:02:08 2020
+++ src/sys/compat/common/uipc_syscalls_40.c	Thu Jul  7 18:17:33 2022
@@ -1,9 +1,9 @@
-/*	$NetBSD: uipc_syscalls_40.c,v 1.23 2020/07/16 15:02:08 msaitoh Exp $	*/
+/*	$NetBSD: uipc_syscalls_40.c,v 1.24 2022/07/07 18:17:33 riastradh Exp $	*/
 
 /* written by Pavel Cahyna, 2006. Public domain. */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.23 2020/07/16 15:02:08 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.24 2022/07/07 18:17:33 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -41,7 +41,6 @@ compat_ifconf(u_long cmd, void *data)
 	struct oifreq ifr, *ifrp = NULL;
 	int space = 0, error = 0;
 	const int sz = (int)sizeof(ifr);
-	const bool docopy = ifc->ifc_req != NULL;
 	int s;
 	int bound;
 	struct psref psref;
@@ -54,6 +53,7 @@ compat_ifconf(u_long cmd, void *data)
 		return ENOSYS;
 	}
 
+	const bool docopy = ifc->ifc_req != NULL;
 	if (docopy) {
 		if (ifc->ifc_len < 0)
 			return EINVAL;

Index: src/sys/net/if.c
diff -u src/sys/net/if.c:1.505 src/sys/net/if.c:1.506
--- src/sys/net/if.c:1.505	Sun May 22 11:27:36 2022
+++ src/sys/net/if.c	Thu Jul  7 18:17:33 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: if.c,v 1.505 2022/05/22 11:27:36 andvar Exp $	*/
+/*	$NetBSD: if.c,v 1.506 2022/07/07 18:17:33 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.505 2022/05/22 11:27:36 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.506 2022/07/07 18:17:33 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -3450,6 +3450,9 @@ doifioctl(struct socket *so, u_long cmd,
 		}
 	}
 
+	if ((cmd & IOC_IN) == 0 || IOCPARM_LEN(cmd) < sizeof(ifr->ifr_name))
+		return EINVAL;
+
 	bound = curlwp_bind();
 	ifp = if_get(ifr->ifr_name, &psref);
 	if (ifp == NULL) {

CVS commit: src/sys

Reply via email to