From nobody Sun Mar 20 09:02:53 2022 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id AFBCF1A28E22; Sun, 20 Mar 2022 09:02:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KLsGP4Tkkz3G61; Sun, 20 Mar 2022 09:02:53 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647766973; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jGxtrWlwlEKrh3Arh3DV03QVSBhZLVhlHiRqFl8EAMQ=; b=VLj7nQWlvVyiGKkQmhP3G64kfJC+6MoTwKmj4MIG9kjynAlKOUmWXMPlEsr46rmBUninhO B9MkERWc1SGKq5UOHBPnoz1vgzVMyurEXtJLBuQurxVquvcJcP0H/tosWi3DXhrgM5qKg5 oDPHmIGmzWaiQ1bOZUJ0+f0PAteUvSDv2BTx94n7KW5kMMN9DlzGQB27lZCFIqw3SMkrgb NGyw65+12Dg8xy3tolJx08qgoaMxoNOijqn5fXYSvUpa1J96lw6574q7gg6lKfPd8go3pT yP5a8HZIA69JX4PO2gcEVu9i+z2jYoOMiyA3IVV4ccis752fHreTQFY/G/xdAg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 79B0A24781; Sun, 20 Mar 2022 09:02:53 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 22K92rVI028682; Sun, 20 Mar 2022 09:02:53 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 22K92rDn028681; Sun, 20 Mar 2022 09:02:53 GMT (envelope-from git) Date: Sun, 20 Mar 2022 09:02:53 GMT Message-Id: <202203200902.22K92rDn028681@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Vincenzo Maffione Subject: git: 606f528decc3 - stable/11 - netmap: Fix integer overflow in nmreq_copyin List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: vmaffione X-Git-Repository: src X-Git-Refname: refs/heads/stable/11 X-Git-Reftype: branch X-Git-Commit: 606f528decc334d9a56ef760b0815c6d56060dbe Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1647766973; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=jGxtrWlwlEKrh3Arh3DV03QVSBhZLVhlHiRqFl8EAMQ=; b=TI+sh8IW73fcNyMI3/dVmaova1oB1B6yvXpju8tgk54wgUo4VDifTxZDHgVusduiyk+kYS f26jmBMV97+3jXcGUqo+7ebzlYe26KGefPyfTiAHoncCbJ8iuci03iUnWh7OWzf1zumcXk mbxzQpU0T3yRutIcIczDnEaMjallfJnO9RXsK2rJ9BW4ylLBKy0NggJOv+ZE0F5nFzizaa +trwExL29h3x4imO1+JTezEyaBXCDE4OPuLp51ljfIJC0jmN7dfGLSlcmxYCLfVAqPvr1B HFy7Un3gRu3Fs+BNrQCb+8xUjn67C2QuGq05tRHVCnMrnN6WVUM51mKXm5VOzw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1647766973; a=rsa-sha256; cv=none; b=Uw6/fj+PrN6EZxzBiA+KDO/UlY0Dm3WvMQZDG5S0Un34a9rsgkxHaALB1VmoPVl/Vj7nV4 AeA39Gq5gR2ZVG/DK0nxSq5kqOCM7vz3657Q5KbV/j+ASm7bPvuYLiVc0G/txZbDyA5fZn AqoHbFQrfYcsuqjWQtJzOp+ZM5Tdnd+reFYov11jfgJ4ZPyqltYiM3AbDUuOQV/8goEOkn 5oYjK4KDG3NWKwcXoPYStI8ny4g0Ia2a/f3rfKOgIHaE06AtFxga7061rPZ5fOImzyRDMc VKjvecVMWhRTzamB3rGWWoAPQBTCi53tqcL4j7A6O4e6B1wEhpB3dyH8Z7cCbQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch stable/11 has been updated by vmaffione: URL: https://cgit.FreeBSD.org/src/commit/?id=606f528decc334d9a56ef760b0815c6d56060dbe commit 606f528decc334d9a56ef760b0815c6d56060dbe Author: Vincenzo Maffione AuthorDate: 2022-03-16 06:57:54 +0000 Commit: Vincenzo Maffione CommitDate: 2022-03-20 09:01:58 +0000 netmap: Fix integer overflow in nmreq_copyin An unsanitized field in an option could be abused, causing an integer overflow followed by kernel memory corruption. This might be used to escape jails/containers. Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23085 (cherry picked from commit 694ea59c7021c25417e6d516362d2f59b4e2c343) --- sys/dev/netmap/netmap.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index 420287516aa6..0c060219ff23 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -2987,8 +2987,8 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size) int nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) { - size_t rqsz, optsz, bufsz; - int error; + size_t rqsz, optsz, bufsz, optbodysz; + int error = 0; char *ker = NULL, *p; struct nmreq_option **next, *src; struct nmreq_option buf; @@ -3029,8 +3029,18 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) error = copyin(src, &buf, sizeof(*src)); if (error) goto out_err; + /* Validate nro_size to avoid integer overflow of optsz and bufsz. */ + if (buf.nro_size > NETMAP_REQ_MAXSIZE) { + error = EMSGSIZE; + goto out_err; + } optsz += sizeof(*src); - optsz += nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); + optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); + if (optbodysz > NETMAP_REQ_MAXSIZE) { + error = EMSGSIZE; + goto out_err; + } + optsz += optbodysz; if (rqsz + optsz > NETMAP_REQ_MAXSIZE) { error = EMSGSIZE; goto out_err;