From nobody Wed Apr 6 03:04:12 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 7B8501A844BC; Wed, 6 Apr 2022 03:04:13 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KY8Vj0Jwzz4dSg; Wed, 6 Apr 2022 03:04:12 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214253; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Oqe/aRFRc1SG7rsHbhylp5UkPJIeSagobXYt7Q4IfAA=; b=xZQisYRLEqCVbkDPn7oMrIWAUXj4r2gRYGFhKIYAb+/pxaTkENiTNMmSC67deOGTz+30oo aNjktlYCngUoffLO4wM84FYLV+vqeZ+6qCQt3rJF/k89hE5+AoQV2WrrytJOK6M22duayv BiIt2U8NWW5/Gs3ckk7gt3aO7U1jI9mWS//aeCCe0UeTLvL8OCCj3goqtqkjeEOvi9+MO1 Nct0kQ/HEsfNfFBLiLVn3TqsO9W6MlCypOv4Rw64kvDvj3sxM9ffv5nViSmOl+wmvvPZAu 7lJQ/HVsxVSkg8LgSrF2lA43vMvbm/uOc9EsrJGA28rPPZC3xizlrR+I1EqCpQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C1AE6133B4; Wed, 6 Apr 2022 03:04:12 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 23634Cp0034712; Wed, 6 Apr 2022 03:04:12 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 23634CUm034711; Wed, 6 Apr 2022 03:04:12 GMT (envelope-from git) Date: Wed, 6 Apr 2022 03:04:12 GMT Message-Id: <202204060304.23634CUm034711@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Ed Maste Subject: git: 00ca345e83ad - releng/13.0 - netmap: Fix integer overflow in nmreq_copyin List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: emaste X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.0 X-Git-Reftype: branch X-Git-Commit: 00ca345e83ada8b68e302f5406f9799209872c90 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1649214253; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Oqe/aRFRc1SG7rsHbhylp5UkPJIeSagobXYt7Q4IfAA=; b=leaRNzTC29vYZuN7dKTFVSJV5zvX+oo+lfVn2K3YQkoSHRCbMk2TezsORbI6Ypx5XmSJZs KzIcOmUYmCqzscn2NK1zGoRXwrgJcy6Qy8B8asBtDnq0kcbxHEgzz9/t6YLd3ouj/PoJkS mNFT7mwdiL0l1TcNV853DBUbBP7LZLgsPxUxlcrFneaGPRp4w5Sjirv5xw9fMtCCxlbxg/ SV/LF1oU8kXJkMOK7eOOdSp4rNxZ85/FTn/CYooLNJoiFb8WimlLWbPNTS89xeX09X49St kD1+5HgUWD9vku/Kygdw8M5X52LkXsBHhsqOlN3QuEVgkOgnMZ1YjUtWdj80BA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1649214253; a=rsa-sha256; cv=none; b=JXCu931FxUWughk1OWD6n72/24dgjrToxAuj0Klsn0PbybQF7pk7DTYYOeC4u3ZcKnfaZD TzMSbqQkeoH036oWmkVhRqTUqBrbvr6/IV4PSF9z+BZxuUToSit3qQuHC8cH5N/vYjX+ZD y0weV3XaYSRPiI+4e2sobFb8uiPyCH7OYOf4jloe3aju9DXo6KQWxFEEYvvbujU2i+RjMR N5KyW9/Lz84OuN+Gm/HEwUzDLXCzxT+STg1wyKuJjHweGASi7bZY0WzhuSfTVbsC+0ArJa fVqbyUiQpm1o+RbRbFcY06tbX7gmhrzT5B9hqdVq0gb9LBgpYFDHycile2z5tQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch releng/13.0 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=00ca345e83ada8b68e302f5406f9799209872c90 commit 00ca345e83ada8b68e302f5406f9799209872c90 Author: Vincenzo Maffione AuthorDate: 2022-04-05 23:26:02 +0000 Commit: Ed Maste CommitDate: 2022-04-05 23:26:02 +0000 netmap: Fix integer overflow in nmreq_copyin An unsanitized field in an option could be abused, causing an integer overflow followed by kernel memory corruption. This might be used to escape jails/containers. Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23085 (cherry picked from commit 694ea59c7021c25417e6d516362d2f59b4e2c343) (cherry picked from commit 9df8dd3ea36c8b3abe8fc182647472ca9cd83efd) Approved by: so Security: FreeBSD-SA-22:04.netmap --- sys/dev/netmap/netmap.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index 0bc723f6963d..c635c3d66314 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -3096,7 +3096,7 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size) int nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) { - size_t rqsz, optsz, bufsz; + size_t rqsz, optsz, bufsz, optbodysz; int error = 0; char *ker = NULL, *p; struct nmreq_option **next, *src, **opt_tab; @@ -3144,8 +3144,18 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) error = copyin(src, &buf, sizeof(*src)); if (error) goto out_err; + /* Validate nro_size to avoid integer overflow of optsz and bufsz. */ + if (buf.nro_size > NETMAP_REQ_MAXSIZE) { + error = EMSGSIZE; + goto out_err; + } optsz += sizeof(*src); - optsz += nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); + optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); + if (optbodysz > NETMAP_REQ_MAXSIZE) { + error = EMSGSIZE; + goto out_err; + } + optsz += optbodysz; if (rqsz + optsz > NETMAP_REQ_MAXSIZE) { error = EMSGSIZE; goto out_err;