[Bug 223767] tun device allows modification of if_type to any value causing a page fault and panic

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Nov 20 13:50:49 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223767

            Bug ID: 223767
           Summary: tun device allows modification of if_type to any value
                    causing a page fault and panic
           Product: Base System
           Version: 10.4-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: jau at iki.fi

Created attachment 188137
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188137&action=edit
A patch to check that if_type will be set only to a supported value. For the
time being there is only one such value, IFT_PPP.

The tun device allows setting if_type to any random value, though it does
not reserve appropriate memory structures for anything else but IFT_PPP.
When the if_type field gets modified, the system later on reasonably assumes
the appropriate data structures must be there as well. The lack of suitable
data structures will result in pretty much any operation on the device causing
a certain panic() with a complaint about "a page fault in kernel mode".

In case root allows others to open /dev/tun# (chmod g+rw /dev/tun#),
this might become a locally triggered DoS allowing some local users to
panic the system at will. They only need to set if_type to e.g. IFT_ETHER
and let the program exit. During the post-exit cleanup the system will
try to close the file descriptor bound to the device, which will trip the
kernel into accessing non-existent Ethernet-related data structures, causing
"a page fault in kernel mode".

Apply the attached patch to add a check that the if_type field will be set
only to a supported value. For the time being there is only one such value,
IFT_PPP.

In addition to adding a check for the new if_type value the attached patch
also simplifies the check for readable data in the tunpoll() function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
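
The failure mode described in this report, as an added userland model in C that is not part of the report, the attached patch or the FreeBSD source: a type tag that can be changed without the matching per-type state, next to a setter that accepts only the supported type. All model_* names, the struct layout and the EINVAL/EFAULT return values are assumptions; the IFT_* values are those of FreeBSD's <net/if_types.h>.

```c
#include <errno.h>
#include <stdlib.h>

/* Values as defined in FreeBSD's <net/if_types.h>. */
#define IFT_ETHER 0x06
#define IFT_PPP   0x17

/* Hypothetical model: if_type selects which per-type state later code
 * expects to find. Only the PPP state is ever allocated. */
struct model_if {
    unsigned char if_type;
    void *ppp_state;    /* allocated when the device is created */
    void *ether_state;  /* never allocated for this device */
};

int model_create(struct model_if *ifp) {
    ifp->if_type = IFT_PPP;
    ifp->ppp_state = calloc(1, 64);
    ifp->ether_state = NULL;
    return ifp->ppp_state ? 0 : ENOMEM;
}

/* Before: the caller-supplied type is stored without any check. */
int model_set_type_unchecked(struct model_if *ifp, unsigned type) {
    ifp->if_type = (unsigned char)type;
    return 0;
}

/* After: only a type whose state actually exists is accepted. */
int model_set_type_checked(struct model_if *ifp, unsigned type) {
    if (type != IFT_PPP)
        return EINVAL;  /* assumed error code; tag stays unchanged */
    ifp->if_type = IFT_PPP;
    return 0;
}

/* Teardown dispatches on if_type. EFAULT stands in for the point where
 * the kernel would dereference per-type state that was never set up. */
int model_detach(struct model_if *ifp) {
    void *state = NULL;
    if (ifp->if_type == IFT_PPP)
        state = ifp->ppp_state;
    else if (ifp->if_type == IFT_ETHER)
        state = ifp->ether_state;
    int rc = state ? 0 : EFAULT;
    free(ifp->ppp_state);
    ifp->ppp_state = NULL;
    return rc;
}
```

In the model the fault only surfaces at teardown, which matches the report's observation that the panic follows the close of the descriptor rather than the ioctl that changed the type.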

