From owner-svn-src-all@freebsd.org Fri Dec 8 15:23:18 2017 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D5C4EE8605A; Fri, 8 Dec 2017 15:23:18 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8DCAB76115; Fri, 8 Dec 2017 15:23:18 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vB8FNH8N079878; Fri, 8 Dec 2017 15:23:17 GMT (envelope-from hselasky@FreeBSD.org) Received: (from hselasky@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vB8FNHjY079874; Fri, 8 Dec 2017 15:23:17 GMT (envelope-from hselasky@FreeBSD.org) Message-Id: <201712081523.vB8FNHjY079874@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: hselasky set sender to hselasky@FreeBSD.org using -f From: Hans Petter Selasky Date: Fri, 8 Dec 2017 15:23:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r326691 - in stable/11: share/man/man4 sys/net X-SVN-Group: stable-11 X-SVN-Commit-Author: hselasky X-SVN-Commit-Paths: in stable/11: share/man/man4 sys/net X-SVN-Commit-Revision: 326691 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Dec 2017 15:23:18 -0000 Author: hselasky Date: Fri Dec 8 15:23:17 2017 New Revision: 326691 URL: https://svnweb.freebsd.org/changeset/base/326691 Log: MFC r326362: Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies Modified: stable/11/share/man/man4/tap.4 stable/11/share/man/man4/tun.4 stable/11/sys/net/if_tap.c stable/11/sys/net/if_tun.c Directory Properties: stable/11/ (props changed) Modified: stable/11/share/man/man4/tap.4 ============================================================================== --- stable/11/share/man/man4/tap.4 Fri Dec 8 10:50:13 2017 (r326690) +++ stable/11/share/man/man4/tap.4 Fri Dec 8 15:23:17 2017 (r326691) @@ -1,7 +1,7 @@ .\" $FreeBSD$ .\" Based on PR#2411 .\" -.Dd April 10, 2015 +.Dd November 29, 2017 .Dt TAP 4 .Os .Sh NAME @@ -171,7 +171,14 @@ calls are supported .In net/if_tap.h ) : .Bl -tag -width VMIO_SIOCSETMACADDR .It Dv TAPSIFINFO -Set network interface information (line speed, MTU and type). +Set network interface information (line speed and MTU). +The type must be the same as returned by +.Dv TAPGIFINFO +or set to +.Dv IFT_ETHER +else the +.Xr ioctl 2 +call will fail. The argument should be a pointer to a .Va struct tapinfo . .It Dv TAPGIFINFO Modified: stable/11/share/man/man4/tun.4 ============================================================================== --- stable/11/share/man/man4/tun.4 Fri Dec 8 10:50:13 2017 (r326690) +++ stable/11/share/man/man4/tun.4 Fri Dec 8 15:23:17 2017 (r326691) @@ -2,7 +2,7 @@ .\" $FreeBSD$ .\" Based on PR#2411 .\" -.Dd November 30, 2014 +.Dd November 29, 2017 .Dt TUN 4 .Os .Sh NAME @@ -208,8 +208,15 @@ this stores the internal debugging variable's value in .It Dv TUNSIFINFO The argument should be a pointer to an .Vt struct tuninfo -and allows setting the MTU, the type, and the baudrate of the tunnel +and allows setting the MTU and the baudrate of the tunnel device. +The type must be the same as returned by +.Dv TUNGIFINFO +or set to +.Dv IFT_PPP +else the +.Xr ioctl 2 +call will fail. The .Vt struct tuninfo is declared in Modified: stable/11/sys/net/if_tap.c ============================================================================== --- stable/11/sys/net/if_tap.c Fri Dec 8 10:50:13 2017 (r326690) +++ stable/11/sys/net/if_tap.c Fri Dec 8 15:23:17 2017 (r326691) @@ -735,9 +735,10 @@ tapioctl(struct cdev *dev, u_long cmd, caddr_t data, i switch (cmd) { case TAPSIFINFO: tapp = (struct tapinfo *)data; + if (ifp->if_type != tapp->type) + return (EPROTOTYPE); mtx_lock(&tp->tap_mtx); ifp->if_mtu = tapp->mtu; - ifp->if_type = tapp->type; ifp->if_baudrate = tapp->baudrate; mtx_unlock(&tp->tap_mtx); break; Modified: stable/11/sys/net/if_tun.c ============================================================================== --- stable/11/sys/net/if_tun.c Fri Dec 8 10:50:13 2017 (r326690) +++ stable/11/sys/net/if_tun.c Fri Dec 8 15:23:17 2017 (r326691) @@ -676,9 +676,10 @@ tunioctl(struct cdev *dev, u_long cmd, caddr_t data, i if (error) return (error); } + if (TUN2IFP(tp)->if_type != tunp->type) + return (EPROTOTYPE); mtx_lock(&tp->tun_mtx); TUN2IFP(tp)->if_mtu = tunp->mtu; - TUN2IFP(tp)->if_type = tunp->type; TUN2IFP(tp)->if_baudrate = tunp->baudrate; mtx_unlock(&tp->tun_mtx); break;