Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 8 Dec 2017 15:26:57 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r326692 - in stable/10: share/man/man4 sys/net
Message-ID:  <201712081526.vB8FQvTt080068@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: hselasky
Date: Fri Dec  8 15:26:57 2017
New Revision: 326692
URL: https://svnweb.freebsd.org/changeset/base/326692

Log:
  MFC r326362:
  Disallow TUN and TAP character device IOCTLs to modify the network device
  type to any value. This can cause page faults and panics due to accessing
  uninitialized fields in the "struct ifnet" which are specific to the network
  device type.
  
  Found by:	jau@iki.fi
  PR:		223767
  Sponsored by:	Mellanox Technologies

Modified:
  stable/10/share/man/man4/tap.4
  stable/10/share/man/man4/tun.4
  stable/10/sys/net/if_tap.c
  stable/10/sys/net/if_tun.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/share/man/man4/tap.4
==============================================================================
--- stable/10/share/man/man4/tap.4	Fri Dec  8 15:23:17 2017	(r326691)
+++ stable/10/share/man/man4/tap.4	Fri Dec  8 15:26:57 2017	(r326692)
@@ -1,7 +1,7 @@
 .\" $FreeBSD$
 .\" Based on PR#2411
 .\"
-.Dd November 30, 2014
+.Dd November 29, 2017
 .Dt TAP 4
 .Os
 .Sh NAME
@@ -171,7 +171,14 @@ calls are supported
 .In net/if_tap.h ) :
 .Bl -tag -width VMIO_SIOCSETMACADDR
 .It Dv TAPSIFINFO
-Set network interface information (line speed, MTU and type).
+Set network interface information (line speed and MTU).
+The type must be the same as returned by
+.Dv TAPGIFINFO
+or set to
+.Dv IFT_ETHER
+else the
+.Xr ioctl 2
+call will fail.
 The argument should be a pointer to a
 .Va struct tapinfo .
 .It Dv TAPGIFINFO

Modified: stable/10/share/man/man4/tun.4
==============================================================================
--- stable/10/share/man/man4/tun.4	Fri Dec  8 15:23:17 2017	(r326691)
+++ stable/10/share/man/man4/tun.4	Fri Dec  8 15:26:57 2017	(r326692)
@@ -2,7 +2,7 @@
 .\" $FreeBSD$
 .\" Based on PR#2411
 .\"
-.Dd November 30, 2014
+.Dd November 29, 2017
 .Dt TUN 4
 .Os
 .Sh NAME
@@ -208,8 +208,15 @@ this stores the internal debugging variable's value in
 .It Dv TUNSIFINFO
 The argument should be a pointer to an
 .Vt struct tuninfo
-and allows setting the MTU, the type, and the baudrate of the tunnel
+and allows setting the MTU and the baudrate of the tunnel
 device.
+The type must be the same as returned by
+.Dv TUNGIFINFO
+or set to
+.Dv IFT_PPP
+else the
+.Xr ioctl 2
+call will fail.
 The
 .Vt struct tuninfo
 is declared in

Modified: stable/10/sys/net/if_tap.c
==============================================================================
--- stable/10/sys/net/if_tap.c	Fri Dec  8 15:23:17 2017	(r326691)
+++ stable/10/sys/net/if_tap.c	Fri Dec  8 15:26:57 2017	(r326692)
@@ -736,9 +736,10 @@ tapioctl(struct cdev *dev, u_long cmd, caddr_t data, i
 	switch (cmd) {
 		case TAPSIFINFO:
 			tapp = (struct tapinfo *)data;
+			if (ifp->if_type != tapp->type)
+				return (EPROTOTYPE);
 			mtx_lock(&tp->tap_mtx);
 			ifp->if_mtu = tapp->mtu;
-			ifp->if_type = tapp->type;
 			ifp->if_baudrate = tapp->baudrate;
 			mtx_unlock(&tp->tap_mtx);
 			break;

Modified: stable/10/sys/net/if_tun.c
==============================================================================
--- stable/10/sys/net/if_tun.c	Fri Dec  8 15:23:17 2017	(r326691)
+++ stable/10/sys/net/if_tun.c	Fri Dec  8 15:26:57 2017	(r326692)
@@ -677,9 +677,10 @@ tunioctl(struct cdev *dev, u_long cmd, caddr_t data, i
 			if (error)
 				return (error);
 		}
+		if (TUN2IFP(tp)->if_type != tunp->type)
+			return (EPROTOTYPE);
 		mtx_lock(&tp->tun_mtx);
 		TUN2IFP(tp)->if_mtu = tunp->mtu;
-		TUN2IFP(tp)->if_type = tunp->type;
 		TUN2IFP(tp)->if_baudrate = tunp->baudrate;
 		mtx_unlock(&tp->tun_mtx);
 		break;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201712081526.vB8FQvTt080068>