[Bug 223767] tun device allows modification of if_type to any value causing a page fault and panic
bugzilla-noreply at freebsd.org
Mon Nov 20 13:50:49 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223767
Bug ID: 223767
Summary: tun device allows modification of if_type to any value
causing a page fault and panic
Product: Base System
Version: 10.4-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: jau at iki.fi
Created attachment 188137
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188137&action=edit
A patch to check that if_type will be set only to a supported value. For the
time being there is only one such value, IFT_PPP.

The tun device allows setting if_type to any random value, though it does
not reserve appropriate memory structures for anything else but IFT_PPP.
When the if_type field gets modified the system later on reasonably assumes
the appropriate data structures must be there as well. The lack of suitable
data structures will result in pretty much any operation on the device causing
a certain panic() with a complaint about "a page fault in kernel mode".

In case root allows others to open /dev/tun# (chmod g+rw /dev/tun#)
this might become a locally triggered DoS allowing some local users to
panic the system at will. They only need to set if_type to e.g. IFT_ETHER
and let the program exit. During the post exit cleanup the system will
try to close the file descriptor bound to the device which will trip the
kernel into accessing non-existent Ethernet related data structures causing
"a page fault in kernel mode".

Apply the attached patch to add a check that the if_type field will be set
only to a supported value. For the time being there is only one such value,
IFT_PPP.

In addition to adding a check for the new if_type value the attached patch
also simplifies the check for readable data in the tunpoll() function.
--
You are receiving this mail because:
You are the assignee for the bug.
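
Added example, not part of the original report or the attached patch: a small userland C model of the mismatch described above, where an interface's type tag is changed without the matching per-type state existing, next to a setter that accepts only the supported type. The struct, the function names and the EINVAL return value are assumptions made for illustration; the IFT_* values are those in net/if_types.h.

```c
#include <errno.h>
#include <stddef.h>

/* Interface type codes, as defined in net/if_types.h. */
#define IFT_ETHER 0x06
#define IFT_PPP   0x17

/* Hypothetical stand-in for the kernel's per-interface structure. */
struct model_ifnet {
    unsigned char if_type;  /* tag that later code dispatches on */
    void *ether_state;      /* Ethernet state; the tun model never allocates it */
};

/* Unchecked setter: the behaviour the report describes. */
static int set_type_unchecked(struct model_ifnet *ifp, unsigned char type)
{
    ifp->if_type = type;
    return 0;
}

/* Checked setter: accept only the type whose state was actually set up. */
static int set_type_checked(struct model_ifnet *ifp, unsigned char type)
{
    if (type != IFT_PPP)
        return EINVAL;      /* errno choice is an assumption */
    ifp->if_type = type;
    return 0;
}

/*
 * Model of the cleanup at close: type-specific teardown trusts if_type.
 * Returns 0 when the tag matches the state that exists, -1 where a kernel
 * would touch state that was never allocated (the reported page fault).
 */
static int teardown(const struct model_ifnet *ifp)
{
    switch (ifp->if_type) {
    case IFT_PPP:   return 0;
    case IFT_ETHER: return ifp->ether_state != NULL ? 0 : -1;
    default:        return -1;  /* no state exists for any other type */
    }
}

int main(void)
{
    struct model_ifnet a = { IFT_PPP, NULL }, b = { IFT_PPP, NULL };
    set_type_unchecked(&a, IFT_ETHER);              /* tag and state now disagree */
    int rejected = set_type_checked(&b, IFT_ETHER); /* refused, tag unchanged */
    return !(teardown(&a) == -1 && rejected == EINVAL && teardown(&b) == 0);
}
```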