From owner-svn-src-stable@FreeBSD.ORG  Tue Sep 10 10:12:10 2013
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 8FB7E1FA;
 Tue, 10 Sep 2013 10:12:10 +0000 (UTC) (envelope-from des@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 6CC492AAE;
 Tue, 10 Sep 2013 10:12:10 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r8AACAwx001297;
 Tue, 10 Sep 2013 10:12:10 GMT (envelope-from des@svn.freebsd.org)
Received: (from des@localhost)
 by svn.freebsd.org (8.14.7/8.14.5/Submit) id r8AAC9hY001288;
 Tue, 10 Sep 2013 10:12:09 GMT (envelope-from des@svn.freebsd.org)
Message-Id: <201309101012.r8AAC9hY001288@svn.freebsd.org>
From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: Tue, 10 Sep 2013 10:12:09 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r255445 - in stable/8/sys: fs/nullfs net netinet6 netnatm
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 10:12:10 -0000

Author: des
Date: Tue Sep 10 10:12:09 2013
New Revision: 255445
URL: http://svnweb.freebsd.org/changeset/base/255445

Log:
  In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
  and SIOCSIFNETMASK at the socket layer rather than pass them on to the
  link layer without validation or credential checks.  [SA-13:12]
  
  Prevent cross-mount hardlinks between different nullfs mounts of the
  same underlying filesystem.  [SA-13:13]
  
  Security:	CVE-2013-5691
  Security:	FreeBSD-SA-13:12.ifioctl
  Security:	CVE-2013-5710
  Security:	FreeBSD-SA-13:13.nullfs
  Approved by:	so

Modified:
  stable/8/sys/fs/nullfs/null_vnops.c
  stable/8/sys/net/if.c
  stable/8/sys/netinet6/in6.c
  stable/8/sys/netnatm/natm.c

Modified: stable/8/sys/fs/nullfs/null_vnops.c
==============================================================================
--- stable/8/sys/fs/nullfs/null_vnops.c	Tue Sep 10 10:08:20 2013	(r255444)
+++ stable/8/sys/fs/nullfs/null_vnops.c	Tue Sep 10 10:12:09 2013	(r255445)
@@ -816,6 +816,15 @@ null_vptocnp(struct vop_vptocnp_args *ap
 	return (error);
 }
 
+static int
+null_link(struct vop_link_args *ap)
+{
+
+	if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
+		return (EXDEV);
+	return (null_bypass((struct vop_generic_args *)ap));
+}
+
 /*
  * Global vfs data structures
  */
@@ -828,6 +837,7 @@ struct vop_vector null_vnodeops = {
 	.vop_getwritemount =	null_getwritemount,
 	.vop_inactive =		null_inactive,
 	.vop_islocked =		vop_stdislocked,
+	.vop_link =		null_link,
 	.vop_lock1 =		null_lock,
 	.vop_lookup =		null_lookup,
 	.vop_open =		null_open,

Modified: stable/8/sys/net/if.c
==============================================================================
--- stable/8/sys/net/if.c	Tue Sep 10 10:08:20 2013	(r255444)
+++ stable/8/sys/net/if.c	Tue Sep 10 10:12:09 2013	(r255445)
@@ -2603,11 +2603,23 @@ ifioctl(struct socket *so, u_long cmd, c
 		CURVNET_RESTORE();
 		return (EOPNOTSUPP);
 	}
+
+	/*
+	 * Pass the request on to the socket control method, and if the
+	 * latter returns EOPNOTSUPP, directly to the interface.
+	 *
+	 * Make an exception for the legacy SIOCSIF* requests.  Drivers
+	 * trust SIOCSIFADDR et al to come from an already privileged
+	 * layer, and do not perform any credentials checks or input
+	 * validation.
+	 */
 #ifndef COMPAT_43
 	error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
 								 data,
 								 ifp, td));
-	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
+	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
+	    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+	    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
 		error = (*ifp->if_ioctl)(ifp, cmd, data);
 #else
 	{
@@ -2651,7 +2663,9 @@ ifioctl(struct socket *so, u_long cmd, c
 								   data,
 								   ifp, td));
 		if (error == EOPNOTSUPP && ifp != NULL &&
-		    ifp->if_ioctl != NULL)
+		    ifp->if_ioctl != NULL &&
+		    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+		    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
 			error = (*ifp->if_ioctl)(ifp, cmd, data);
 		switch (ocmd) {
 

Modified: stable/8/sys/netinet6/in6.c
==============================================================================
--- stable/8/sys/netinet6/in6.c	Tue Sep 10 10:08:20 2013	(r255444)
+++ stable/8/sys/netinet6/in6.c	Tue Sep 10 10:12:09 2013	(r255445)
@@ -344,6 +344,18 @@ in6_control(struct socket *so, u_long cm
 	case SIOCGIFSTAT_ICMP6:
 		sa6 = &ifr->ifr_addr;
 		break;
+	case SIOCSIFADDR:
+	case SIOCSIFBRDADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFNETMASK:
+		/*
+		 * Although we should pass any non-INET6 ioctl requests
+		 * down to driver, we filter some legacy INET requests.
+		 * Drivers trust SIOCSIFADDR et al to come from an already
+		 * privileged layer, and do not perform any credentials
+		 * checks or input validation.
+		 */
+		return (EINVAL);
 	default:
 		sa6 = NULL;
 		break;

Modified: stable/8/sys/netnatm/natm.c
==============================================================================
--- stable/8/sys/netnatm/natm.c	Tue Sep 10 10:08:20 2013	(r255444)
+++ stable/8/sys/netnatm/natm.c	Tue Sep 10 10:12:09 2013	(r255445)
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo
 	npcb = (struct natmpcb *)so->so_pcb;
 	KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
 
+	switch (cmd) {
+	case SIOCSIFADDR:
+	case SIOCSIFBRDADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFNETMASK:
+		/*
+		 * Although we should pass any non-ATM ioctl requests
+		 * down to driver, we filter some legacy INET requests.
+		 * Drivers trust SIOCSIFADDR et al to come from an already
+		 * privileged layer, and do not perform any credentials
+		 * checks or input validation.
+		 */
+		return (EINVAL);
+	}
+
 	if (ifp == NULL || ifp->if_ioctl == NULL)
 		return (EOPNOTSUPP);
 	return ((*ifp->if_ioctl)(ifp, cmd, arg));