From nobody Wed Apr 06 03:04:13 2022
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 273AC1A8470F;
	Wed,  6 Apr 2022 03:04:15 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KY8Vk33HTz4dbj;
	Wed,  6 Apr 2022 03:04:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1649214254;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=KIV8IKdkmZFGD6H44YfuvD+s1FhFI0ye/9lIOw2rtXI=;
	b=DCqt14xilgjK5nAsBYu5dDXGGUe/+W7xy/EqHeTyEEns9xN3IciiTpfudcS5H/HXYEgPpl
	c+1d3FoS2yjCL8A2Yv8sPoPG6GFmY0QMRLWZevlI3ztSX7J5qXWbxum+HIoxkjP1w5MxTo
	sG1f4CUivbzv/yKAowFttJGdqVrhsBI0QAHiR/I6qdFXm75114qqi0i9iCRews5MlnwdtU
	Xd4RTMIFQwRqA7yJUZNP1z4J1rNFGhlRB842pTMlLBq0dc4WYmSbDsqpFcxxUNoEBLujTV
	mCwZUBhXtaBakxHz6oVCMLD947szxr/eu2XzQ0Yl63WT1OT/aMzS08AQF7V2Dg==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 092FA133B5;
	Wed,  6 Apr 2022 03:04:14 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 23634D1L034736;
	Wed, 6 Apr 2022 03:04:13 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 23634DWD034735;
	Wed, 6 Apr 2022 03:04:13 GMT
	(envelope-from git)
Date: Wed, 6 Apr 2022 03:04:13 GMT
Message-Id: <202204060304.23634DWD034735@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: 4996f46e03a4 - releng/13.0 - netmap: Fix TOCTOU vulnerability in nmreq_copyin
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.0
X-Git-Reftype: branch
X-Git-Commit: 4996f46e03a442765c56b562c04c6e3ceae0104c
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1649214254;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=KIV8IKdkmZFGD6H44YfuvD+s1FhFI0ye/9lIOw2rtXI=;
	b=WLufH8DVD4oFHYGvwbpz0y1CyxDNkNR8VYFO11+M5Dt/PYeFMSzoAAC3kAQ2gnwMc85MEu
	R9z73Vj2g+dVPPFm0fUrkb+jrfvtoyKvqKnqQ32v1alPhlumWvaxVk87Vp2PwZzO3USBAR
	Td8lZZKBlo5+dXPCno0qC6TiHhWWGin04Yqi62KnBCPpphZoDHxYEzRD/1aVAjVLR8egtN
	DSHmdizACOBBuauhVuxA0xUqLkof4Kz/q+vGi3ln9XdB9Dq3Nrpz9S7ffGsx5YbyVgxLf6
	77nGwaIx+16ZKnAQEEilVUAcZAKUWwZc9c0Z2RZS4riEQHcb8yEhm74TL/x6Jw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649214254; a=rsa-sha256; cv=none;
	b=BCwc0dnaIaHGREhiaE3irel2MrFljfmDOhoqPWqOa5nOuR6zS+bPrb396UKdLSAdtEXnMI
	o3XqCj0SOuI4TAO+XBudxETJ+CQnaH6QbJ5DIR59vkotJa5XwUk+yZJ1s4aqEktZ/vcfFp
	mnfCK3lGqYPxamXWgyUQESrcsa5tWWh6W4Y4To0W85P0crcG8CVupXGIOacgO/TJgckpAV
	vJdgm5rc5f/0dOpSRxRFLZl3bInQ2PilCFew5Z6Uptk2O8XVdQ5vOHIwGufUBaCRfxCdmA
	YLvdR1UICm6Z5vSOOFFuNE5hW97ByJBOg3p42R7PumpAflaboZYwqNCIBvrN4w==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch releng/13.0 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=4996f46e03a442765c56b562c04c6e3ceae0104c

commit 4996f46e03a442765c56b562c04c6e3ceae0104c
Author:     Vincenzo Maffione <vmaffione@FreeBSD.org>
AuthorDate: 2022-04-05 23:26:02 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-05 23:26:02 +0000

    netmap: Fix TOCTOU vulnerability in nmreq_copyin
    
    The total size of the user-provided nmreq was first computed and then
    trusted during the copyin. This might lead to kernel memory corruption
    and escape from jails/containers.
    
    Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
    Security: CVE-2022-23084
    MFC after:      3 days
    
    (cherry picked from commit 393729916564ed13f966e09129a24e6931898d12)
    (cherry picked from commit 9f600a260a738d87015b2e9722b7b4f228cbd47d)
    
    Approved by:    so
    Security:       FreeBSD-SA-22:04.netmap
---
 sys/dev/netmap/netmap.c | 51 +++++++++++++++++--------------------------------
 1 file changed, 17 insertions(+), 34 deletions(-)

diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c
index c635c3d66314..05bab2e822d6 100644
--- a/sys/dev/netmap/netmap.c
+++ b/sys/dev/netmap/netmap.c
@@ -3096,11 +3096,10 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size)
 int
 nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
 {
-	size_t rqsz, optsz, bufsz, optbodysz;
+	size_t rqsz, optsz, bufsz;
 	int error = 0;
 	char *ker = NULL, *p;
 	struct nmreq_option **next, *src, **opt_tab;
-	struct nmreq_option buf;
 	uint64_t *ptrs;
 
 	if (hdr->nr_reserved) {
@@ -3130,39 +3129,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
 		goto out_err;
 	}
 
-	bufsz = 2 * sizeof(void *) + rqsz +
-		NETMAP_REQ_OPT_MAX * sizeof(opt_tab);
-	/* compute the size of the buf below the option table.
-	 * It must contain a copy of every received option structure.
-	 * For every option we also need to store a copy of the user
-	 * list pointer.
+	/*
+	 * The buffer size must be large enough to store the request body,
+	 * all the possible options and the additional user pointers
+	 * (2+NETMAP_REQ_OPT_MAX). Note that the maximum size of body plus
+	 * options can not exceed NETMAP_REQ_MAXSIZE;
 	 */
-	optsz = 0;
-	for (src = (struct nmreq_option *)(uintptr_t)hdr->nr_options; src;
-	     src = (struct nmreq_option *)(uintptr_t)buf.nro_next)
-	{
-		error = copyin(src, &buf, sizeof(*src));
-		if (error)
-			goto out_err;
-		/* Validate nro_size to avoid integer overflow of optsz and bufsz. */
-		if (buf.nro_size > NETMAP_REQ_MAXSIZE) {
-			error = EMSGSIZE;
-			goto out_err;
-		}
-		optsz += sizeof(*src);
-		optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
-		if (optbodysz > NETMAP_REQ_MAXSIZE) {
-			error = EMSGSIZE;
-			goto out_err;
-		}
-		optsz += optbodysz;
-		if (rqsz + optsz > NETMAP_REQ_MAXSIZE) {
-			error = EMSGSIZE;
-			goto out_err;
-		}
-		bufsz += sizeof(void *);
-	}
-	bufsz += optsz;
+	bufsz = (2 + NETMAP_REQ_OPT_MAX) * sizeof(void *) + NETMAP_REQ_MAXSIZE +
+		NETMAP_REQ_OPT_MAX * sizeof(opt_tab);
 
 	ker = nm_os_malloc(bufsz);
 	if (ker == NULL) {
@@ -3200,6 +3174,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
 		error = copyin(src, opt, sizeof(*src));
 		if (error)
 			goto out_restore;
+		rqsz += sizeof(*src);
 		/* make a copy of the user next pointer */
 		*ptrs = opt->nro_next;
 		/* overwrite the user pointer with the in-kernel one */
@@ -3243,6 +3218,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
 		/* copy the option body */
 		optsz = nmreq_opt_size_by_type(opt->nro_reqtype,
 						opt->nro_size);
+		/* check optsz and nro_size to avoid for possible integer overflows of rqsz */
+		if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE)
+				|| (rqsz + optsz > NETMAP_REQ_MAXSIZE)
+				|| (optsz > 0 && rqsz + optsz <= rqsz)) {
+			error = EMSGSIZE;
+			goto out_restore;
+		}
+		rqsz += optsz;
 		if (optsz) {
 			/* the option body follows the option header */
 			error = copyin(src + 1, p, optsz);