git: 5e67ca45e9a3 - releng/12.3 - netmap: Fix TOCTOU vulnerability in nmreq_copyin
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 06 Apr 2022 03:04:46 UTC
The branch releng/12.3 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=5e67ca45e9a37180783f93faf0801c5c86366b9f
commit 5e67ca45e9a37180783f93faf0801c5c86366b9f
Author: Vincenzo Maffione <vmaffione@FreeBSD.org>
AuthorDate: 2022-04-05 23:20:34 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-05 23:20:34 +0000
netmap: Fix TOCTOU vulnerability in nmreq_copyin
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.
Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
Security: CVE-2022-23084
MFC after: 3 days
(cherry picked from commit 393729916564ed13f966e09129a24e6931898d12)
(cherry picked from commit 6fa8af618475024262fc99b0f0e6c2aa0e1340fe)
Approved by: so
Security: FreeBSD-SA-22:04.netmap
---
sys/dev/netmap/netmap.c | 51 +++++++++++++++++--------------------------------
1 file changed, 17 insertions(+), 34 deletions(-)
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c
index cefc72c60817..52c7987f32fe 100644
--- a/sys/dev/netmap/netmap.c
+++ b/sys/dev/netmap/netmap.c
@@ -3086,11 +3086,10 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size)
int
nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
{
- size_t rqsz, optsz, bufsz, optbodysz;
+ size_t rqsz, optsz, bufsz;
int error = 0;
char *ker = NULL, *p;
struct nmreq_option **next, *src, **opt_tab;
- struct nmreq_option buf;
uint64_t *ptrs;
if (hdr->nr_reserved) {
@@ -3120,39 +3119,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
goto out_err;
}
- bufsz = 2 * sizeof(void *) + rqsz +
- NETMAP_REQ_OPT_MAX * sizeof(opt_tab);
- /* compute the size of the buf below the option table.
- * It must contain a copy of every received option structure.
- * For every option we also need to store a copy of the user
- * list pointer.
+ /*
+ * The buffer size must be large enough to store the request body,
+ * all the possible options and the additional user pointers
+ * (2+NETMAP_REQ_OPT_MAX). Note that the maximum size of body plus
+ * options can not exceed NETMAP_REQ_MAXSIZE;
*/
- optsz = 0;
- for (src = (struct nmreq_option *)(uintptr_t)hdr->nr_options; src;
- src = (struct nmreq_option *)(uintptr_t)buf.nro_next)
- {
- error = copyin(src, &buf, sizeof(*src));
- if (error)
- goto out_err;
- /* Validate nro_size to avoid integer overflow of optsz and bufsz. */
- if (buf.nro_size > NETMAP_REQ_MAXSIZE) {
- error = EMSGSIZE;
- goto out_err;
- }
- optsz += sizeof(*src);
- optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
- if (optbodysz > NETMAP_REQ_MAXSIZE) {
- error = EMSGSIZE;
- goto out_err;
- }
- optsz += optbodysz;
- if (rqsz + optsz > NETMAP_REQ_MAXSIZE) {
- error = EMSGSIZE;
- goto out_err;
- }
- bufsz += sizeof(void *);
- }
- bufsz += optsz;
+ bufsz = (2 + NETMAP_REQ_OPT_MAX) * sizeof(void *) + NETMAP_REQ_MAXSIZE +
+ NETMAP_REQ_OPT_MAX * sizeof(opt_tab);
ker = nm_os_malloc(bufsz);
if (ker == NULL) {
@@ -3190,6 +3164,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
error = copyin(src, opt, sizeof(*src));
if (error)
goto out_restore;
+ rqsz += sizeof(*src);
/* make a copy of the user next pointer */
*ptrs = opt->nro_next;
/* overwrite the user pointer with the in-kernel one */
@@ -3233,6 +3208,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
/* copy the option body */
optsz = nmreq_opt_size_by_type(opt->nro_reqtype,
opt->nro_size);
+ /* check optsz and nro_size to avoid for possible integer overflows of rqsz */
+ if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE)
+ || (rqsz + optsz > NETMAP_REQ_MAXSIZE)
+ || (optsz > 0 && rqsz + optsz <= rqsz)) {
+ error = EMSGSIZE;
+ goto out_restore;
+ }
+ rqsz += optsz;
if (optsz) {
/* the option body follows the option header */
error = copyin(src + 1, p, optsz);