Date:      Tue, 10 Sep 2013 10:14:19 +0000 (UTC)
From:      Dag-Erling Smørgrav <des@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r255447 - in releng/8.4: . sys/conf sys/fs/nullfs sys/net sys/netinet6 sys/netnatm
Message-ID:  <201309101014.r8AAEJHZ002344@svn.freebsd.org>

Author: des
Date: Tue Sep 10 10:14:19 2013
New Revision: 255447
URL: http://svnweb.freebsd.org/changeset/base/255447

Log:
  In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
  and SIOCSIFNETMASK at the socket layer rather than pass them on to the
  link layer without validation or credential checks.  [SA-13:12]
  
  Prevent cross-mount hardlinks between different nullfs mounts of the
  same underlying filesystem.  [SA-13:13]
  
  Security:	CVE-2013-5691
  Security:	FreeBSD-SA-13:12.ifioctl
  Security:	CVE-2013-5710
  Security:	FreeBSD-SA-13:13.nullfs
  Approved by:	so

Modified:
  releng/8.4/UPDATING
  releng/8.4/sys/conf/newvers.sh
  releng/8.4/sys/fs/nullfs/null_vnops.c
  releng/8.4/sys/net/if.c
  releng/8.4/sys/netinet6/in6.c
  releng/8.4/sys/netnatm/natm.c

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Tue Sep 10 10:13:14 2013	(r255446)
+++ releng/8.4/UPDATING	Tue Sep 10 10:14:19 2013	(r255447)
@@ -15,6 +15,17 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20130910:	p4	FreeBSD-SA-13:12.ifioctl
+			FreeBSD-SA-13:13.nullfs
+
+	In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR,
+	SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather
+	than pass them on to the link layer without validation or
+	credential checks.  [SA-13:12]
+
+	Prevent cross-mount hardlinks between different nullfs mounts
+	of the same underlying filesystem.  [SA-13:13]
+
 20130822:	p3	FreeBSD-SA-13:09.ip_multicast
 			FreeBSD-SA-13:10.sctp
 	Fix an integer overflow in computing the size of a temporary buffer

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Tue Sep 10 10:13:14 2013	(r255446)
+++ releng/8.4/sys/conf/newvers.sh	Tue Sep 10 10:14:19 2013	(r255447)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/sys/fs/nullfs/null_vnops.c
==============================================================================
--- releng/8.4/sys/fs/nullfs/null_vnops.c	Tue Sep 10 10:13:14 2013	(r255446)
+++ releng/8.4/sys/fs/nullfs/null_vnops.c	Tue Sep 10 10:14:19 2013	(r255447)
@@ -816,6 +816,15 @@ null_vptocnp(struct vop_vptocnp_args *ap
 	return (error);
 }
 
+static int
+null_link(struct vop_link_args *ap)
+{
+
+	if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
+		return (EXDEV);
+	return (null_bypass((struct vop_generic_args *)ap));
+}
+
 /*
  * Global vfs data structures
  */
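Review bot: null_link() has no comment saying why the check has to happen at the nullfs layer, and the reason is not obvious from its three-line body. The `v_mount` values compared here belong to the vnodes passed to the nullfs operation, so they identify the nullfs instance; after null_bypass() the request presumably reaches the lower filesystem, where two nullfs mounts of the same filesystem look like one device and a cross-device test there would pass. I would add above the test something like `/* Compare the nullfs mounts: the lower filesystem cannot tell two nullfs views of itself apart, so it would accept the link. */`. The comment should also state whether a_tdvp and a_vp are both guaranteed to be nullfs vnodes at this point, since the comparison relies on that.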
@@ -828,6 +837,7 @@ struct vop_vector null_vnodeops = {
 	.vop_getwritemount =	null_getwritemount,
 	.vop_inactive =		null_inactive,
 	.vop_islocked =		vop_stdislocked,
+	.vop_link =		null_link,
 	.vop_lock1 =		null_lock,
 	.vop_lookup =		null_lookup,
 	.vop_open =		null_open,

Modified: releng/8.4/sys/net/if.c
==============================================================================
--- releng/8.4/sys/net/if.c	Tue Sep 10 10:13:14 2013	(r255446)
+++ releng/8.4/sys/net/if.c	Tue Sep 10 10:14:19 2013	(r255447)
@@ -2602,11 +2602,23 @@ ifioctl(struct socket *so, u_long cmd, c
 		CURVNET_RESTORE();
 		return (EOPNOTSUPP);
 	}
+
+	/*
+	 * Pass the request on to the socket control method, and if the
+	 * latter returns EOPNOTSUPP, directly to the interface.
+	 *
+	 * Make an exception for the legacy SIOCSIF* requests.  Drivers
+	 * trust SIOCSIFADDR et al to come from an already privileged
+	 * layer, and do not perform any credentials checks or input
+	 * validation.
+	 */
 #ifndef COMPAT_43
 	error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
 								 data,
 								 ifp, td));
-	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
+	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
+	    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+	    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
 		error = (*ifp->if_ioctl)(ifp, cmd, data);
 #else
 	{
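Review bot: The four-command exclusion added to the `if` in front of the `(*ifp->if_ioctl)` call is repeated verbatim in the COMPAT_43 branch in the next hunk, and the same four constants appear again as case labels in in6.c and natm.c. A list that must stay identical in several places is easy to update in only one of them; a single predicate shared by both branches, e.g. `if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && !legacy_sifaddr_cmd(cmd))` (helper name illustrative), would keep them in step. The check is also a denylist that only covers protocols whose pru_control returns EOPNOTSUPP; the in6.c and natm.c changes suggest that control methods which call if_ioctl themselves need their own filter, and the new comment could say so explicitly for whoever adds the next protocol. ifioctl()'s body starts and ends outside these hunks.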
@@ -2650,7 +2662,9 @@ ifioctl(struct socket *so, u_long cmd, c
 								   data,
 								   ifp, td));
 		if (error == EOPNOTSUPP && ifp != NULL &&
-		    ifp->if_ioctl != NULL)
+		    ifp->if_ioctl != NULL &&
+		    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+		    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
 			error = (*ifp->if_ioctl)(ifp, cmd, data);
 		switch (ocmd) {
 

Modified: releng/8.4/sys/netinet6/in6.c
==============================================================================
--- releng/8.4/sys/netinet6/in6.c	Tue Sep 10 10:13:14 2013	(r255446)
+++ releng/8.4/sys/netinet6/in6.c	Tue Sep 10 10:14:19 2013	(r255447)
@@ -344,6 +344,18 @@ in6_control(struct socket *so, u_long cm
 	case SIOCGIFSTAT_ICMP6:
 		sa6 = &ifr->ifr_addr;
 		break;
+	case SIOCSIFADDR:
+	case SIOCSIFBRDADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFNETMASK:
+		/*
+		 * Although we should pass any non-INET6 ioctl requests
+		 * down to driver, we filter some legacy INET requests.
+		 * Drivers trust SIOCSIFADDR et al to come from an already
+		 * privileged layer, and do not perform any credentials
+		 * checks or input validation.
+		 */
+		return (EINVAL);
 	default:
 		sa6 = NULL;
 		break;
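Review bot: The new case returns `EINVAL`, while the ifioctl() change in sys/net/if.c leaves the error at `EOPNOTSUPP` (as far as that hunk shows) for the same four requests when another protocol declines them, so the errno a caller sees for a refused SIOCSIFADDR depends on the socket family. The same applies to the switch added to natm_usr_control() in sys/netnatm/natm.c. If the difference is intended, the comment should say why; otherwise `return (EOPNOTSUPP);` would match the generic path. in6_control() continues outside the hunk, so whether anything set up before this switch needs unwinding on the early return cannot be checked from here.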

Modified: releng/8.4/sys/netnatm/natm.c
==============================================================================
--- releng/8.4/sys/netnatm/natm.c	Tue Sep 10 10:13:14 2013	(r255446)
+++ releng/8.4/sys/netnatm/natm.c	Tue Sep 10 10:14:19 2013	(r255447)
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo
 	npcb = (struct natmpcb *)so->so_pcb;
 	KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
 
+	switch (cmd) {
+	case SIOCSIFADDR:
+	case SIOCSIFBRDADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFNETMASK:
+		/*
+		 * Although we should pass any non-ATM ioctl requests
+		 * down to driver, we filter some legacy INET requests.
+		 * Drivers trust SIOCSIFADDR et al to come from an already
+		 * privileged layer, and do not perform any credentials
+		 * checks or input validation.
+		 */
+		return (EINVAL);
+	}
+
 	if (ifp == NULL || ifp->if_ioctl == NULL)
 		return (EOPNOTSUPP);
 	return ((*ifp->if_ioctl)(ifp, cmd, arg));


