Date: Tue, 14 Jan 2025 10:58:26 GMT
Message-Id: <202501141058.50EAwQ3X085580@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Zhenlei Huang
Subject: git: 08ec14fecf6a - stable/13 - sppp: Fix getting wrong spppreq cmd from ioctl
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: zlei
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 08ec14fecf6a93c0321c31ba1f0b04db6b888f16
Auto-Submitted: auto-generated

The branch stable/13 has been updated by zlei:

URL: https://cgit.FreeBSD.org/src/commit/?id=08ec14fecf6a93c0321c31ba1f0b04db6b888f16

commit 08ec14fecf6a93c0321c31ba1f0b04db6b888f16
Author: Zhenlei Huang
AuthorDate: 2025-01-14 10:56:49 +0000
Commit: Zhenlei Huang
CommitDate: 2025-01-14 10:56:49 +0000

sppp: Fix getting wrong spppreq cmd from ioctl

ifr->ifr_data is supposed to point to a struct spppreq. The first member cmd of struct spppreq is int type. It was pre-read via `fueword()` before a full fetching. Unfortunately a user space `struct spppreq spr` may not be zeroed explicitly, on 64bit architectures `fueword()` reads 64bit word thus the garbage (extra 4 bytes) may be read into kernel space (subcmd).

Prior to f9d8181868ee, `subcmd` was declared as int and assigned from `fuword()` and was implicitly converted from long to int. On 64bit little endian architectures the implicit conversion overflows (undefined behavior) which happens to trash the garbage (the extra 4 bytes, high 32 bits) and worked, but no luck on 64bit big endian architectures. Since f9d8181868ee `subcmd` was changed to u_long then there is no conversion so we end up mismatching `subcmd` with user space's `cmd`.

It is also a bit hackish to get the value of cmd via `fueword()`, instead we refer to it directly from spr->cmd.

This is a direct commit to stable/13 as sppp(4) no longer exists in main and stable/14. PR: 173002 Reviewed by: glebius (previous version) Fixes: f9d8181868ee Fixed yet more ioctl breakage due to the type of ... Differential Revision: https://reviews.freebsd.org/D47335 --- sys/net/if_spppsubr.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/sys/net/if_spppsubr.c b/sys/net/if_spppsubr.c index ed198c59bbfe..269a6ef1d0da 100644 --- a/sys/net/if_spppsubr.c +++ b/sys/net/if_spppsubr.c @@ -5044,10 +5044,10 @@ sppp_suggest_ip6_addr(struct sppp *sp, struct in6_addr *suggest) static int sppp_params(struct sppp *sp, u_long cmd, void *data) { - u_long subcmd; + int subcmd __diagused; struct ifreq *ifr = (struct ifreq *)data; struct spppreq *spr; - int rv = 0; + int rv; if ((spr = malloc(sizeof(struct spppreq), M_TEMP, M_NOWAIT)) == NULL) return (EAGAIN); @@ -5056,7 +5056,7 @@ sppp_params(struct sppp *sp, u_long cmd, void *data) * Check the cmd word first before attempting to fetch all the * data. */ - rv = fueword(ifr_data_get_ptr(ifr), &subcmd); + rv = fueword32(ifr_data_get_ptr(ifr), &subcmd); if (rv == -1) { rv = EFAULT; goto quit; @@ -5067,8 +5067,9 @@ sppp_params(struct sppp *sp, u_long cmd, void *data) goto quit; } - switch (subcmd) { - case (u_long)SPPPIOGDEFS: + MPASS(subcmd == spr->cmd); + switch (spr->cmd) { + case (intptr_t)SPPPIOGDEFS: if (cmd != SIOCGIFGENERIC) { rv = EINVAL; break; @@ -5103,7 +5104,7 @@ sppp_params(struct sppp *sp, u_long cmd, void *data) sizeof(struct spppreq)); break; - case (u_long)SPPPIOSDEFS: + case (intptr_t)SPPPIOSDEFS: if (cmd != SIOCSIFGENERIC) { rv = EINVAL; break;
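
Review bot: The comment above the `fueword32()` call in the `@@ -5056` hunk still reads "Check the cmd word first before attempting to fetch all the data", but with this change the switch is driven by `spr->cmd` and the pre-read `subcmd` is only consumed by the `MPASS` added in the next hunk. Either drop the pre-read together with its `EFAULT` path, or reword the comment to say the read is kept only for the diagnostic comparison, so a later reader does not assume `subcmd` still selects the sub-command.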
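
Review bot: `MPASS(subcmd == spr->cmd)` in the `@@ -5067` hunk compares two separate reads of the same user memory, the `fueword32()` pre-read and the full fetch into `spr` that the commit message describes, so another thread of the calling process can change `cmd` between the two reads and fail the assertion on a kernel built with INVARIANTS. An assertion should only cover conditions the kernel controls; consider returning `EINVAL` on a mismatch or removing the pre-read altogether. As a smaller point in the same hunk, the case labels are cast to `intptr_t` while `spr->cmd` is an `int` according to the commit message, so a cast to `int`, or a short comment on why `intptr_t` is used, would make the intended width explicit.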
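
The width and byte-order argument in the commit message, modelled in user space as an added example (not code from the commit or from FreeBSD). The command value, the garbage value and the helper names are constructed; both byte orders are simulated on byte arrays so the result does not depend on the host.

```c
#include <stdint.h>
#include <stdio.h>

#define CMD     0x53010040u  /* constructed command value */
#define GARBAGE 0xdeadbeefu  /* constructed stale bytes that follow cmd */

/* Lay out 8 bytes of "user memory": int cmd, then 4 uninitialised bytes. */
static void fill_user(unsigned char *p, int big_endian)
{
	uint32_t w[2] = { CMD, GARBAGE };
	for (int i = 0; i < 8; i++) {
		int shift = big_endian ? 24 - 8 * (i % 4) : 8 * (i % 4);
		p[i] = (unsigned char)(w[i / 4] >> shift);
	}
}

/* Load n bytes (4 or 8) as a CPU of the given byte order would. */
static uint64_t load(const unsigned char *p, int n, int big_endian)
{
	uint64_t v = 0;
	for (int i = 0; i < n; i++)
		v = (v << 8) | p[big_endian ? i : n - 1 - i];
	return v;
}

/* Models fueword() on a 64-bit kernel stored into a u_long subcmd. */
uint64_t read_word(int big_endian)
{
	unsigned char user[8];
	fill_user(user, big_endian);
	return load(user, 8, big_endian);
}

/* Models the older int subcmd: the 64-bit word narrowed to its low 32 bits. */
uint32_t read_word_narrowed(int big_endian)
{
	return (uint32_t)read_word(big_endian);
}

/* Models fueword32(): only the 4 bytes that hold cmd are fetched. */
uint32_t read_word32(int big_endian)
{
	unsigned char user[8];
	fill_user(user, big_endian);
	return (uint32_t)load(user, 4, big_endian);
}

int main(void)
{
	for (int be = 0; be <= 1; be++)
		printf("%s: word=%#llx narrowed=%#x word32=%#x\n", be ? "BE" : "LE",
		    (unsigned long long)read_word(be), read_word_narrowed(be), read_word32(be));
	return 0;
}
```

The narrowed read matches `CMD` only in the little-endian layout, while the 32-bit read matches in both, which is the behaviour the commit message describes.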