diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2013-09-10 10:08:20 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2013-09-10 10:08:20 +0000 |
| commit | e2630701b4342b36d0b5793620536bc5e9436d1b (patch) | |
| tree | 851eaec74cf7f7a94b8530d2d4c63186b0e98d64 | |
| parent | 44f4d2208a81af7cac163407e4be900512c04442 (diff) | |
| download | src-e2630701b4342b36d0b5793620536bc5e9436d1b.tar.gz src-e2630701b4342b36d0b5793620536bc5e9436d1b.zip | |
In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
and SIOCSIFNETMASK at the socket layer rather than pass them on to the
link layer without validation or credential checks. [SA-13:12]
Prevent cross-mount hardlinks between different nullfs mounts of the
same underlying filesystem. [SA-13:13]
Security: CVE-2013-5691
Security: FreeBSD-SA-13:12.ifioctl
Security: CVE-2013-5710
Security: FreeBSD-SA-13:13.nullfs
Approved by: re
Notes
Notes:
svn path=/releng/9.2/; revision=255444
| -rw-r--r-- | sys/conf/newvers.sh | 2 | ||||
| -rw-r--r-- | sys/fs/nullfs/null_vnops.c | 10 | ||||
| -rw-r--r-- | sys/net/if.c | 18 | ||||
| -rw-r--r-- | sys/netinet6/in6.c | 12 | ||||
| -rw-r--r-- | sys/netnatm/natm.c | 15 |
5 files changed, 54 insertions, 3 deletions
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 6a3cf4940563..944b73165027 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.2" -BRANCH="RC3" +BRANCH="RC3-p1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi diff --git a/sys/fs/nullfs/null_vnops.c b/sys/fs/nullfs/null_vnops.c index f57e3b24d2cd..fd7b8536f798 100644 --- a/sys/fs/nullfs/null_vnops.c +++ b/sys/fs/nullfs/null_vnops.c @@ -858,6 +858,15 @@ null_vptocnp(struct vop_vptocnp_args *ap) return (error); } +static int +null_link(struct vop_link_args *ap) +{ + + if (ap->a_tdvp->v_mount != ap->a_vp->v_mount) + return (EXDEV); + return (null_bypass((struct vop_generic_args *)ap)); +} + /* * Global vfs data structures */ @@ -871,6 +880,7 @@ struct vop_vector null_vnodeops = { .vop_getwritemount = null_getwritemount, .vop_inactive = null_inactive, .vop_islocked = vop_stdislocked, + .vop_link = null_link, .vop_lock1 = null_lock, .vop_lookup = null_lookup, .vop_open = null_open, diff --git a/sys/net/if.c b/sys/net/if.c index bcbbbe9d200a..922d7762e429 100644 --- a/sys/net/if.c +++ b/sys/net/if.c @@ -2555,11 +2555,23 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td) CURVNET_RESTORE(); return (EOPNOTSUPP); } + + /* + * Pass the request on to the socket control method, and if the + * latter returns EOPNOTSUPP, directly to the interface. + * + * Make an exception for the legacy SIOCSIF* requests. Drivers + * trust SIOCSIFADDR et al to come from an already privileged + * layer, and do not perform any credentials checks or input + * validation. + */ #ifndef COMPAT_43 error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd, data, ifp, td)); - if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL) + if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); #else { @@ -2603,7 +2615,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td) data, ifp, td)); if (error == EOPNOTSUPP && ifp != NULL && - ifp->if_ioctl != NULL) + ifp->if_ioctl != NULL && + cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR && + cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK) error = (*ifp->if_ioctl)(ifp, cmd, data); switch (ocmd) { diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index 1d92c2f6c037..c662312b8583 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -422,6 +422,18 @@ in6_control(struct socket *so, u_long cmd, caddr_t data, case SIOCGIFSTAT_ICMP6: sa6 = &ifr->ifr_addr; break; + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-INET6 ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); default: sa6 = NULL; break; diff --git a/sys/netnatm/natm.c b/sys/netnatm/natm.c index cfcbaa786c73..c7bebc2bb0a8 100644 --- a/sys/netnatm/natm.c +++ b/sys/netnatm/natm.c @@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_long cmd, caddr_t arg, npcb = (struct natmpcb *)so->so_pcb; KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL")); + switch (cmd) { + case SIOCSIFADDR: + case SIOCSIFBRDADDR: + case SIOCSIFDSTADDR: + case SIOCSIFNETMASK: + /* + * Although we should pass any non-ATM ioctl requests + * down to driver, we filter some legacy INET requests. + * Drivers trust SIOCSIFADDR et al to come from an already + * privileged layer, and do not perform any credentials + * checks or input validation. + */ + return (EINVAL); + } + if (ifp == NULL || ifp->if_ioctl == NULL) return (EOPNOTSUPP); return ((*ifp->if_ioctl)(ifp, cmd, arg)); |