Date: Mon, 20 Nov 2017 13:50:49 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 223767] tun device allows modification of if_type to any value causing a page fault and panic
Message-ID: <bug-223767-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223767

            Bug ID: 223767
           Summary: tun device allows modification of if_type to any value
                    causing a page fault and panic
           Product: Base System
           Version: 10.4-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: jau@iki.fi

Created attachment 188137
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188137&action=edit
A patch to check that if_type will be set only to a supported value. For the
time being there is only one such value, IFT_PPP.

The tun device allows setting if_type to any random value, though it does not
reserve appropriate memory structures for anything else but IFT_PPP.

When the if_type field gets modified, the system later on reasonably assumes the
appropriate data structures must be there as well. The lack of suitable data
structures will result in pretty much any operation on the device causing a
certain panic() with a complaint about "a page fault in kernel mode".

In case root allows others to open /dev/tun# (chmod g+rw /dev/tun#), this might
become a locally triggered DoS allowing some local users to panic the system at
will. They only need to set if_type to e.g. IFT_ETHER and let the program exit.
During the post-exit cleanup the system will try to close the file descriptor
bound to the device, which will trip the kernel into accessing non-existent
Ethernet-related data structures, causing "a page fault in kernel mode".

Apply the attached patch to add a check that the if_type field will be set only
to a supported value. For the time being there is only one such value, IFT_PPP.

In addition to adding a check for the new if_type value, the attached patch
also simplifies the check for readable data in the tunpoll() function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
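
Added example, not part of the original report and not the attached patch or FreeBSD kernel source: a user-space C model of the check the report asks for, which validates the requested if_type against the supported set (only IFT_PPP) before any interface field is changed. The struct and function names and the EINVAL return value are assumptions; the IFT_* values are those in FreeBSD's <net/if_types.h>.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Interface type codes as defined in FreeBSD <net/if_types.h>. */
#define IFT_ETHER 0x06
#define IFT_PPP   0x17

/* Hypothetical stand-ins for the caller's request and the device state. */
struct tun_req { int mtu; uint8_t type; int baudrate; };
struct tun_if  { int mtu; uint8_t if_type; int baudrate; };

/* The report states that only PPP state is ever allocated for tun. */
static const uint8_t tun_supported_types[] = { IFT_PPP };

static int tun_type_supported(uint8_t t)
{
    size_t n = sizeof(tun_supported_types) / sizeof(tun_supported_types[0]);
    for (size_t i = 0; i < n; i++)
        if (tun_supported_types[i] == t)
            return 1;
    return 0;
}

/* Behaviour the report describes: the type is copied without validation,
 * so if_type can name a link layer whose state was never allocated. */
int tun_set_info_unchecked(struct tun_if *ifp, const struct tun_req *req)
{
    ifp->mtu = req->mtu;
    ifp->if_type = req->type;
    ifp->baudrate = req->baudrate;
    return 0;
}

/* Hardened form: reject unsupported types before touching any field, so a
 * refused request leaves the interface exactly as it was. */
int tun_set_info_checked(struct tun_if *ifp, const struct tun_req *req)
{
    if (!tun_type_supported(req->type))
        return EINVAL; /* assumed error code; the report does not name one */
    return tun_set_info_unchecked(ifp, req);
}

int main(void)
{
    struct tun_if ifp = { 1500, IFT_PPP, 0 };
    struct tun_req req = { 1400, IFT_ETHER, 9600 }; /* constructed sample */
    return tun_set_info_checked(&ifp, &req) == EINVAL ? 0 : 1;
}
```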