c4d9a19be3
transmission which could be tricked into rounding up to the nearest page size, leaking up to a page of kernel memory. [13:11] In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather than pass them on to the link layer without validation or credential checks. [SA-13:12] Prevent cross-mount hardlinks between different nullfs mounts of the same underlying filesystem. [SA-13:13] Security: CVE-2013-5666 Security: FreeBSD-SA-13:11.sendfile Security: CVE-2013-5691 Security: FreeBSD-SA-13:12.ifioctl Security: CVE-2013-5710 Security: FreeBSD-SA-13:13.nullfs Approved by: so
89 lines
2.8 KiB
Diff
89 lines
2.8 KiB
Diff
Index: sys/net/if.c
|
|
===================================================================
|
|
--- sys/net/if.c (revision 254941)
|
|
+++ sys/net/if.c (working copy)
|
|
@@ -2553,11 +2553,23 @@
|
|
CURVNET_RESTORE();
|
|
return (EOPNOTSUPP);
|
|
}
|
|
+
|
|
+ /*
|
|
+ * Pass the request on to the socket control method, and if the
|
|
+ * latter returns EOPNOTSUPP, directly to the interface.
|
|
+ *
|
|
+ * Make an exception for the legacy SIOCSIF* requests. Drivers
|
|
+ * trust SIOCSIFADDR et al to come from an already privileged
|
|
+ * layer, and do not perform any credentials checks or input
|
|
+ * validation.
|
|
+ */
|
|
#ifndef COMPAT_43
|
|
error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
|
|
data,
|
|
ifp, td));
|
|
- if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
|
|
+ if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
|
|
+ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
|
|
+ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
|
|
error = (*ifp->if_ioctl)(ifp, cmd, data);
|
|
#else
|
|
{
|
|
@@ -2601,7 +2613,9 @@
|
|
data,
|
|
ifp, td));
|
|
if (error == EOPNOTSUPP && ifp != NULL &&
|
|
- ifp->if_ioctl != NULL)
|
|
+ ifp->if_ioctl != NULL &&
|
|
+ cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
|
|
+ cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
|
|
error = (*ifp->if_ioctl)(ifp, cmd, data);
|
|
switch (ocmd) {
|
|
|
|
Index: sys/netinet6/in6.c
|
|
===================================================================
|
|
--- sys/netinet6/in6.c (revision 254941)
|
|
+++ sys/netinet6/in6.c (working copy)
|
|
@@ -431,6 +431,18 @@
|
|
case SIOCGIFSTAT_ICMP6:
|
|
sa6 = &ifr->ifr_addr;
|
|
break;
|
|
+ case SIOCSIFADDR:
|
|
+ case SIOCSIFBRDADDR:
|
|
+ case SIOCSIFDSTADDR:
|
|
+ case SIOCSIFNETMASK:
|
|
+ /*
|
|
+ * Although we should pass any non-INET6 ioctl requests
|
|
+ * down to driver, we filter some legacy INET requests.
|
|
+ * Drivers trust SIOCSIFADDR et al to come from an already
|
|
+ * privileged layer, and do not perform any credentials
|
|
+ * checks or input validation.
|
|
+ */
|
|
+ return (EINVAL);
|
|
default:
|
|
sa6 = NULL;
|
|
break;
|
|
Index: sys/netnatm/natm.c
|
|
===================================================================
|
|
--- sys/netnatm/natm.c (revision 254941)
|
|
+++ sys/netnatm/natm.c (working copy)
|
|
@@ -339,6 +339,21 @@
|
|
npcb = (struct natmpcb *)so->so_pcb;
|
|
KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
|
|
|
|
+ switch (cmd) {
|
|
+ case SIOCSIFADDR:
|
|
+ case SIOCSIFBRDADDR:
|
|
+ case SIOCSIFDSTADDR:
|
|
+ case SIOCSIFNETMASK:
|
|
+ /*
|
|
+ * Although we should pass any non-ATM ioctl requests
|
|
+ * down to driver, we filter some legacy INET requests.
|
|
+ * Drivers trust SIOCSIFADDR et al to come from an already
|
|
+ * privileged layer, and do not perform any credentials
|
|
+ * checks or input validation.
|
|
+ */
|
|
+ return (EINVAL);
|
|
+ }
|
|
+
|
|
if (ifp == NULL || ifp->if_ioctl == NULL)
|
|
return (EOPNOTSUPP);
|
|
return ((*ifp->if_ioctl)(ifp, cmd, arg));
|