From nobody Wed Apr 06 03:04:46 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id D58741A85152; Wed, 6 Apr 2022 03:04:47 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY8WM2LkWz4drZ; Wed, 6 Apr 2022 03:04:47 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214287; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7UPKyUB3b0OqF/s7mPfQjbFXSBUFenWYGi6bkE57uq8=; b=pN0Mf4nM6JUoFS34lo9/B6QYsOGGR/TNZXOCFNLlot68mH9ocd2xj/WPbcpv+7M8pZYPIi f6AbBXyetBSEbLRWhjWQ8FwZ2QRjewsfjeldDutCQk8STqRc/gHNNBpQGxZdouxku7HJi1 FVPoHwvYCqkNFvH/MLjPHOrRmt4sN1Gfv5MX5d0HuMqkEQ/DTVPFghsRLFYtgzy1MxBLvp kEEuEAX8e6PPhGL90scgyg2MUAY5uv72I8Hqg8Mvc7YCCYcDs89Oh2GPLAKp8anhzBGw6w 2RgN7SwJnBeKjAcxQmU8TyqyfDHXMtGZtTCoiF8FmsNIYcFaNZyB/hrKDGu86A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E8B611352B; Wed, 6 Apr 2022 03:04:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 23634kqF035129; Wed, 6 Apr 2022 03:04:46 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 23634kgw035128; Wed, 6 Apr 2022 03:04:46 GMT (envelope-from git) Date: Wed, 6 Apr 2022 03:04:46 GMT Message-Id: <202204060304.23634kgw035128@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 5e67ca45e9a3 - releng/12.3 - netmap: Fix TOCTOU vulnerability in nmreq_copyin List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/releng/12.3 X-Git-Reftype: branch X-Git-Commit: 5e67ca45e9a37180783f93faf0801c5c86366b9f Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214287; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=7UPKyUB3b0OqF/s7mPfQjbFXSBUFenWYGi6bkE57uq8=; b=ZqQRwXNhzndSZBfNn/rWsClRBSfxXk0Ugb383hoVOVKpCBfvk+SWx5/Lx+c0LFFGE35cTc OhXmqgLF6YfVPKGM+jT4gHr4qgGWPrFZxgNFzvsuJWGa12oESc3RabPerRioJJtUa+Q+rZ T7jJIye3a4Em2q98wCPVxy63668vDMbZ7qZ2ACZXN+41vS2q2S0Bygji6BJc1aUoUjLkrC Bwr99qWXQho1+Cb6tZS0HOmK15fubokmo2h6Dvm08VenZ0kRnn8aJxgfgsSba70HJwcl2z YrGP5r8EDWwSwKU02MrRNeBR1Reb35uoCwo5QiVAZfPTVdg73it+Lc+n/c9fhg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649214287; a=rsa-sha256; cv=none; b=OcJ/rL0zOVdJQRz4pcZlYgm9Eb8SII2y3XSh2eEWTwYrMpj4f9p56rJahV2jJtFRIICH4w MJ6ys57H0G1wIkzXExc2N/EN4xXBjm53FYP2CwYTW8tgM7CjecBcd2DMyr/zMRJjwMUyK0 ZHCcHdADYsi6jfYamLpKn11VCGoLKgCKKivRDDFlMdyH2bO9tR3dPLnRvZOWxe4mwYQ4sx d1hPKejIzAD6RQ/UO0NZU3Bvwt7w4PrBDMUaeoobu+v9fEC5drFO7/jeNHiy4fdzlJrQBW sWd6VqyRXM54QiFeqpYv9YZvKPno11XNRRLWKmchJXixKiBQfKlqHzJ12hmFGA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch releng/12.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=5e67ca45e9a37180783f93faf0801c5c86366b9f commit 5e67ca45e9a37180783f93faf0801c5c86366b9f Author: Vincenzo Maffione AuthorDate: 2022-04-05 23:20:34 +0000 Commit: Ed Maste CommitDate: 2022-04-05 23:20:34 +0000 netmap: Fix TOCTOU vulnerability in nmreq_copyin The total size of the user-provided nmreq was first computed and then trusted during the copyin. This might lead to kernel memory corruption and escape from jails/containers. Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23084 MFC after: 3 days (cherry picked from commit 393729916564ed13f966e09129a24e6931898d12) (cherry picked from commit 6fa8af618475024262fc99b0f0e6c2aa0e1340fe) Approved by: so Security: FreeBSD-SA-22:04.netmap --- sys/dev/netmap/netmap.c | 51 +++++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 34 deletions(-) diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index cefc72c60817..52c7987f32fe 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -3086,11 +3086,10 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size) int nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) { - size_t rqsz, optsz, bufsz, optbodysz; + size_t rqsz, optsz, bufsz; int error = 0; char *ker = NULL, *p; struct nmreq_option **next, *src, **opt_tab; - struct nmreq_option buf; uint64_t *ptrs; if (hdr->nr_reserved) { @@ -3120,39 +3119,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) goto out_err; } - bufsz = 2 * sizeof(void *) + rqsz + - NETMAP_REQ_OPT_MAX * sizeof(opt_tab); - /* compute the size of the buf below the option table. - * It must contain a copy of every received option structure. - * For every option we also need to store a copy of the user - * list pointer. + /* + * The buffer size must be large enough to store the request body, + * all the possible options and the additional user pointers + * (2+NETMAP_REQ_OPT_MAX). Note that the maximum size of body plus + * options can not exceed NETMAP_REQ_MAXSIZE; */ - optsz = 0; - for (src = (struct nmreq_option *)(uintptr_t)hdr->nr_options; src; - src = (struct nmreq_option *)(uintptr_t)buf.nro_next) - { - error = copyin(src, &buf, sizeof(*src)); - if (error) - goto out_err; - /* Validate nro_size to avoid integer overflow of optsz and bufsz. */ - if (buf.nro_size > NETMAP_REQ_MAXSIZE) { - error = EMSGSIZE; - goto out_err; - } - optsz += sizeof(*src); - optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); - if (optbodysz > NETMAP_REQ_MAXSIZE) { - error = EMSGSIZE; - goto out_err; - } - optsz += optbodysz; - if (rqsz + optsz > NETMAP_REQ_MAXSIZE) { - error = EMSGSIZE; - goto out_err; - } - bufsz += sizeof(void *); - } - bufsz += optsz; + bufsz = (2 + NETMAP_REQ_OPT_MAX) * sizeof(void *) + NETMAP_REQ_MAXSIZE + + NETMAP_REQ_OPT_MAX * sizeof(opt_tab); ker = nm_os_malloc(bufsz); if (ker == NULL) { @@ -3190,6 +3164,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) error = copyin(src, opt, sizeof(*src)); if (error) goto out_restore; + rqsz += sizeof(*src); /* make a copy of the user next pointer */ *ptrs = opt->nro_next; /* overwrite the user pointer with the in-kernel one */ @@ -3233,6 +3208,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) /* copy the option body */ optsz = nmreq_opt_size_by_type(opt->nro_reqtype, opt->nro_size); + /* check optsz and nro_size to avoid for possible integer overflows of rqsz */ + if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE) + || (rqsz + optsz > NETMAP_REQ_MAXSIZE) + || (optsz > 0 && rqsz + optsz <= rqsz)) { + error = EMSGSIZE; + goto out_restore; + } + rqsz += optsz; if (optsz) { /* the option body follows the option header */ error = copyin(src + 1, p, optsz);