Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 27 Sep 2018 18:50:10 +0000 (UTC)
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r338986 - in stable/11/sys: netinet netinet6
Message-ID:  <201809271850.w8RIoAwP079908@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: gordon
Date: Thu Sep 27 18:50:10 2018
New Revision: 338986
URL: https://svnweb.freebsd.org/changeset/base/338986

Log:
  There are various cases where we modify the inp_vflag and inp_inc.inc_flags
  fields during a syscall, but don't restore those fields if the operation
  fails.  This can leave the inp structure in an inconsistent state and cause
  various problems.
  
  Restore the inp_vflag and inp_inc.inc_flags fields when the underlying
  operation fails and the inp could be in an inconsistent state.
  
  This is a direct commit to the branch as the code is different enough in
  the other branches to make it difficult to resolve a merge.
  
  Submitted by:   jtl@
  Reported by:    Jakub Jirasek, Secunia Research at Flexera
  Reviewed by:    jhb@
  Approved by:    so
  Security:       FreeBSD-EN-18:11.listen
  Security:       CVE-2018-6925

Modified:
  stable/11/sys/netinet/tcp_usrreq.c
  stable/11/sys/netinet6/sctp6_usrreq.c
  stable/11/sys/netinet6/udp6_usrreq.c

Modified: stable/11/sys/netinet/tcp_usrreq.c
==============================================================================
--- stable/11/sys/netinet/tcp_usrreq.c	Thu Sep 27 18:48:50 2018	(r338985)
+++ stable/11/sys/netinet/tcp_usrreq.c	Thu Sep 27 18:50:10 2018	(r338986)
@@ -339,6 +339,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam,
 	struct inpcb *inp;
 	struct tcpcb *tp = NULL;
 	struct sockaddr_in6 *sin6p;
+	u_char vflagsav;
 
 	sin6p = (struct sockaddr_in6 *)nam;
 	if (nam->sa_len != sizeof (*sin6p))
@@ -355,6 +356,7 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam,
 	inp = sotoinpcb(so);
 	KASSERT(inp != NULL, ("tcp6_usr_bind: inp == NULL"));
 	INP_WLOCK(inp);
+	vflagsav = inp->inp_vflag;
 	if (inp->inp_flags & (INP_TIMEWAIT | INP_DROPPED)) {
 		error = EINVAL;
 		goto out;
@@ -384,6 +386,8 @@ tcp6_usr_bind(struct socket *so, struct sockaddr *nam,
 	error = in6_pcbbind(inp, nam, td->td_ucred);
 	INP_HASH_WUNLOCK(&V_tcbinfo);
 out:
+	if (error != 0)
+		inp->inp_vflag = vflagsav;
 	TCPDEBUG2(PRU_BIND);
 	TCP_PROBE2(debug__user, tp, PRU_BIND);
 	INP_WUNLOCK(inp);
@@ -447,6 +451,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct
 	int error = 0;
 	struct inpcb *inp;
 	struct tcpcb *tp = NULL;
+	u_char vflagsav;
 
 	TCPDEBUG0;
 	inp = sotoinpcb(so);
@@ -456,6 +461,7 @@ tcp6_usr_listen(struct socket *so, int backlog, struct
 		error = EINVAL;
 		goto out;
 	}
+	vflagsav = inp->inp_vflag;
 	tp = intotcpcb(inp);
 	TCPDEBUG1();
 	SOCK_LOCK(so);
@@ -482,6 +488,9 @@ tcp6_usr_listen(struct socket *so, int backlog, struct
 	if (tp->t_flags & TF_FASTOPEN)
 		tp->t_tfo_pending = tcp_fastopen_alloc_counter();
 #endif
+	if (error != 0)
+		inp->inp_vflag = vflagsav;
+
 out:
 	TCPDEBUG2(PRU_LISTEN);
 	TCP_PROBE2(debug__user, tp, PRU_LISTEN);
@@ -558,6 +567,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n
 	struct inpcb *inp;
 	struct tcpcb *tp = NULL;
 	struct sockaddr_in6 *sin6p;
+	u_int8_t incflagsav;
+	u_char vflagsav;
 
 	TCPDEBUG0;
 
@@ -574,6 +585,8 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n
 	inp = sotoinpcb(so);
 	KASSERT(inp != NULL, ("tcp6_usr_connect: inp == NULL"));
 	INP_WLOCK(inp);
+	vflagsav = inp->inp_vflag;
+	incflagsav = inp->inp_inc.inc_flags;
 	if (inp->inp_flags & INP_TIMEWAIT) {
 		error = EADDRINUSE;
 		goto out;
@@ -603,11 +616,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n
 		}
 
 		in6_sin6_2_sin(&sin, sin6p);
-		inp->inp_vflag |= INP_IPV4;
-		inp->inp_vflag &= ~INP_IPV6;
 		if ((error = prison_remote_ip4(td->td_ucred,
 		    &sin.sin_addr)) != 0)
 			goto out;
+		inp->inp_vflag |= INP_IPV4;
+		inp->inp_vflag &= ~INP_IPV6;
 		if ((error = tcp_connect(tp, (struct sockaddr *)&sin, td)) != 0)
 			goto out;
 #ifdef TCP_OFFLOAD
@@ -625,11 +638,11 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n
 		}
 	}
 #endif
+	if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
+		goto out;
 	inp->inp_vflag &= ~INP_IPV4;
 	inp->inp_vflag |= INP_IPV6;
 	inp->inp_inc.inc_flags |= INC_ISIPV6;
-	if ((error = prison_remote_ip6(td->td_ucred, &sin6p->sin6_addr)) != 0)
-		goto out;
 	if ((error = tcp6_connect(tp, nam, td)) != 0)
 		goto out;
 #ifdef TCP_OFFLOAD
@@ -642,6 +655,15 @@ tcp6_usr_connect(struct socket *so, struct sockaddr *n
 	error = tp->t_fb->tfb_tcp_output(tp);
 
 out:
+	/*
+	 * If the implicit bind in the connect call fails, restore
+	 * the flags we modified.
+	 */
+	if (error != 0 && inp->inp_lport == 0) {
+		inp->inp_vflag = vflagsav;
+		inp->inp_inc.inc_flags = incflagsav;
+	}
+
 	TCPDEBUG2(PRU_CONNECT);
 	TCP_PROBE2(debug__user, tp, PRU_CONNECT);
 	INP_WUNLOCK(inp);

Modified: stable/11/sys/netinet6/sctp6_usrreq.c
==============================================================================
--- stable/11/sys/netinet6/sctp6_usrreq.c	Thu Sep 27 18:48:50 2018	(r338985)
+++ stable/11/sys/netinet6/sctp6_usrreq.c	Thu Sep 27 18:50:10 2018	(r338986)
@@ -557,6 +557,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s
 	struct sctp_inpcb *inp;
 	struct in6pcb *inp6;
 	int error;
+	u_char vflagsav;
 
 	inp = (struct sctp_inpcb *)so->so_pcb;
 	if (inp == NULL) {
@@ -587,6 +588,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s
 		}
 	}
 	inp6 = (struct in6pcb *)inp;
+	vflagsav = inp6->inp_vflag;
 	inp6->inp_vflag &= ~INP_IPV4;
 	inp6->inp_vflag |= INP_IPV6;
 	if ((addr != NULL) && (SCTP_IPV6_V6ONLY(inp6) == 0)) {
@@ -616,7 +618,7 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s
 					inp6->inp_vflag |= INP_IPV4;
 					inp6->inp_vflag &= ~INP_IPV6;
 					error = sctp_inpcb_bind(so, (struct sockaddr *)&sin, NULL, p);
-					return (error);
+					goto out;
 				}
 #endif
 				break;
@@ -633,7 +635,8 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s
 		if (addr->sa_family == AF_INET) {
 			/* can't bind v4 addr to v6 only socket! */
 			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
-			return (EINVAL);
+			error = EINVAL;
+			goto out;
 		}
 #endif
 		sin6_p = (struct sockaddr_in6 *)addr;
@@ -642,10 +645,14 @@ sctp6_bind(struct socket *so, struct sockaddr *addr, s
 			/* can't bind v4-mapped addrs either! */
 			/* NOTE: we don't support SIIT */
 			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP6_USRREQ, EINVAL);
-			return (EINVAL);
+			error = EINVAL;
+			goto out;
 		}
 	}
 	error = sctp_inpcb_bind(so, addr, NULL, p);
+out:
+	if (error != 0)
+		inp6->inp_vflag = vflagsav;
 	return (error);
 }
 

Modified: stable/11/sys/netinet6/udp6_usrreq.c
==============================================================================
--- stable/11/sys/netinet6/udp6_usrreq.c	Thu Sep 27 18:48:50 2018	(r338985)
+++ stable/11/sys/netinet6/udp6_usrreq.c	Thu Sep 27 18:50:10 2018	(r338986)
@@ -1002,6 +1002,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str
 	struct inpcb *inp;
 	struct inpcbinfo *pcbinfo;
 	int error;
+	u_char vflagsav;
 
 	pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol);
 	inp = sotoinpcb(so);
@@ -1009,6 +1010,7 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str
 
 	INP_WLOCK(inp);
 	INP_HASH_WLOCK(pcbinfo);
+	vflagsav = inp->inp_vflag;
 	inp->inp_vflag &= ~INP_IPV4;
 	inp->inp_vflag |= INP_IPV6;
 	if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) {
@@ -1036,6 +1038,8 @@ udp6_bind(struct socket *so, struct sockaddr *nam, str
 #ifdef INET
 out:
 #endif
+	if (error != 0)
+		inp->inp_vflag = vflagsav;
 	INP_HASH_WUNLOCK(pcbinfo);
 	INP_WUNLOCK(inp);
 	return (error);
@@ -1082,6 +1086,7 @@ udp6_connect(struct socket *so, struct sockaddr *nam, 
 	struct inpcbinfo *pcbinfo;
 	struct sockaddr_in6 *sin6;
 	int error;
+	u_char vflagsav;
 
 	pcbinfo = udp_get_inpcbinfo(so->so_proto->pr_protocol);
 	inp = sotoinpcb(so);
@@ -1109,17 +1114,26 @@ udp6_connect(struct socket *so, struct sockaddr *nam, 
 			goto out;
 		}
 		in6_sin6_2_sin(&sin, sin6);
-		inp->inp_vflag |= INP_IPV4;
-		inp->inp_vflag &= ~INP_IPV6;
 		error = prison_remote_ip4(td->td_ucred, &sin.sin_addr);
 		if (error != 0)
 			goto out;
+		vflagsav = inp->inp_vflag;
+		inp->inp_vflag |= INP_IPV4;
+		inp->inp_vflag &= ~INP_IPV6;
 		INP_HASH_WLOCK(pcbinfo);
 		error = in_pcbconnect(inp, (struct sockaddr *)&sin,
 		    td->td_ucred);
 		INP_HASH_WUNLOCK(pcbinfo);
+		/*
+		 * If connect succeeds, mark socket as connected. If
+		 * connect fails and socket is unbound, reset inp_vflag
+		 * field.
+		 */
 		if (error == 0)
 			soisconnected(so);
+		else if (inp->inp_laddr.s_addr == INADDR_ANY &&
+		    inp->inp_lport == 0)
+			inp->inp_vflag = vflagsav;
 		goto out;
 	} else {
 		if ((inp->inp_vflag & INP_IPV6) == 0) {
@@ -1132,16 +1146,25 @@ udp6_connect(struct socket *so, struct sockaddr *nam, 
 		error = EISCONN;
 		goto out;
 	}
-	inp->inp_vflag &= ~INP_IPV4;
-	inp->inp_vflag |= INP_IPV6;
 	error = prison_remote_ip6(td->td_ucred, &sin6->sin6_addr);
 	if (error != 0)
 		goto out;
+	vflagsav = inp->inp_vflag;
+	inp->inp_vflag &= ~INP_IPV4;
+	inp->inp_vflag |= INP_IPV6;
 	INP_HASH_WLOCK(pcbinfo);
 	error = in6_pcbconnect(inp, nam, td->td_ucred);
 	INP_HASH_WUNLOCK(pcbinfo);
+	/*
+	 * If connect succeeds, mark socket as connected. If
+	 * connect fails and socket is unbound, reset inp_vflag
+	 * field.
+	 */
 	if (error == 0)
 		soisconnected(so);
+	else if (IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_laddr) &&
+	    inp->inp_lport == 0)
+		inp->inp_vflag = vflagsav;
 out:
 	INP_WUNLOCK(inp);
 	return (error);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201809271850.w8RIoAwP079908>