diff options
author | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2022-04-06 02:20:34 +0300 |
---|---|---|
committer | Ed Maste <emaste@FreeBSD.org> | 2022-04-06 02:20:34 +0300 |
commit | 5e67ca45e9a37180783f93faf0801c5c86366b9f (patch) | |
tree | 20024e63aaee47da1518da7ce4202c661a6d008f | |
parent | 0d1f1dc951c667f9d993acba42358d115997564e (diff) |
netmap: Fix TOCTOU vulnerability in nmreq_copyin
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.
Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
Security: CVE-2022-23084
MFC after: 3 days
(cherry picked from commit 393729916564ed13f966e09129a24e6931898d12)
(cherry picked from commit 6fa8af618475024262fc99b0f0e6c2aa0e1340fe)
Approved by: so
Security: FreeBSD-SA-22:04.netmap
-rw-r--r-- | sys/dev/netmap/netmap.c | 51 |
1 files changed, 17 insertions, 34 deletions
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index cefc72c60817..52c7987f32fe 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -3086,11 +3086,10 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size) int nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) { - size_t rqsz, optsz, bufsz, optbodysz; + size_t rqsz, optsz, bufsz; int error = 0; char *ker = NULL, *p; struct nmreq_option **next, *src, **opt_tab; - struct nmreq_option buf; uint64_t *ptrs; if (hdr->nr_reserved) { @@ -3120,39 +3119,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) goto out_err; } - bufsz = 2 * sizeof(void *) + rqsz + - NETMAP_REQ_OPT_MAX * sizeof(opt_tab); - /* compute the size of the buf below the option table. - * It must contain a copy of every received option structure. - * For every option we also need to store a copy of the user - * list pointer. + /* + * The buffer size must be large enough to store the request body, + * all the possible options and the additional user pointers + * (2+NETMAP_REQ_OPT_MAX). Note that the maximum size of body plus + * options can not exceed NETMAP_REQ_MAXSIZE; */ - optsz = 0; - for (src = (struct nmreq_option *)(uintptr_t)hdr->nr_options; src; - src = (struct nmreq_option *)(uintptr_t)buf.nro_next) - { - error = copyin(src, &buf, sizeof(*src)); - if (error) - goto out_err; - /* Validate nro_size to avoid integer overflow of optsz and bufsz. */ - if (buf.nro_size > NETMAP_REQ_MAXSIZE) { - error = EMSGSIZE; - goto out_err; - } - optsz += sizeof(*src); - optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); - if (optbodysz > NETMAP_REQ_MAXSIZE) { - error = EMSGSIZE; - goto out_err; - } - optsz += optbodysz; - if (rqsz + optsz > NETMAP_REQ_MAXSIZE) { - error = EMSGSIZE; - goto out_err; - } - bufsz += sizeof(void *); - } - bufsz += optsz; + bufsz = (2 + NETMAP_REQ_OPT_MAX) * sizeof(void *) + NETMAP_REQ_MAXSIZE + + NETMAP_REQ_OPT_MAX * sizeof(opt_tab); ker = nm_os_malloc(bufsz); if (ker == NULL) { @@ -3190,6 +3164,7 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) error = copyin(src, opt, sizeof(*src)); if (error) goto out_restore; + rqsz += sizeof(*src); /* make a copy of the user next pointer */ *ptrs = opt->nro_next; /* overwrite the user pointer with the in-kernel one */ @@ -3233,6 +3208,14 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) /* copy the option body */ optsz = nmreq_opt_size_by_type(opt->nro_reqtype, opt->nro_size); + /* check optsz and nro_size to avoid for possible integer overflows of rqsz */ + if ((optsz > NETMAP_REQ_MAXSIZE) || (opt->nro_size > NETMAP_REQ_MAXSIZE) + || (rqsz + optsz > NETMAP_REQ_MAXSIZE) + || (optsz > 0 && rqsz + optsz <= rqsz)) { + error = EMSGSIZE; + goto out_restore; + } + rqsz += optsz; if (optsz) { /* the option body follows the option header */ error = copyin(src + 1, p, optsz); |