svn commit: r326362 - in head: share/man/man4 sys/net

Hartmann, O. ohartmann at walstatt.org
Wed Nov 29 10:51:46 UTC 2017 

On Wed, 29 Nov 2017 09:40:11 +0000 (UTC)
Hans Petter Selasky <hselasky at FreeBSD.org> wrote:

> Author: hselasky
> Date: Wed Nov 29 09:40:11 2017
> New Revision: 326362
> URL: https://svnweb.freebsd.org/changeset/base/326362
> 
> Log:
>   Disallow TUN and TAP character device IOCTLs to modify the network
> device type to any value. This can cause page faults and panics due
> to accessing uninitialized fields in the "struct ifnet" which are
> specific to the network device type.
>   
>   MFC after:	1 week
>   Found by:	jau at iki.fi
>   PR:		223767
>   Sponsored by:	Mellanox Technologies
> 
> Modified:
>   head/share/man/man4/tap.4
>   head/share/man/man4/tun.4
>   head/sys/net/if_tap.c
>   head/sys/net/if_tun.c
> 
> Modified: head/share/man/man4/tap.4
> ==============================================================================
> --- head/share/man/man4/tap.4	Wed Nov 29 09:18:24 2017
> (r326361) +++ head/share/man/man4/tap.4	Wed Nov 29 09:40:11
> 2017	(r326362) @@ -1,7 +1,7 @@
>  .\" $FreeBSD$
>  .\" Based on PR#2411
>  .\"
> -.Dd April 10, 2015
> +.Dd November 29, 2017
>  .Dt TAP 4
>  .Os
>  .Sh NAME
> @@ -171,7 +171,14 @@ calls are supported
>  .In net/if_tap.h ) :
>  .Bl -tag -width VMIO_SIOCSETMACADDR
>  .It Dv TAPSIFINFO
> -Set network interface information (line speed, MTU and type).
> +Set network interface information (line speed and MTU).
> +The type must be the same as returned by
> +.Dv TAPGIFINFO
> +or set to
> +.Dv IFT_ETHER
> +else the
> +.Xr ioctl 2
> +call will fail.
>  The argument should be a pointer to a
>  .Va struct tapinfo .
>  .It Dv TAPGIFINFO
> 
> Modified: head/share/man/man4/tun.4
> ==============================================================================
> --- head/share/man/man4/tun.4	Wed Nov 29 09:18:24 2017
> (r326361) +++ head/share/man/man4/tun.4	Wed Nov 29 09:40:11
> 2017	(r326362) @@ -2,7 +2,7 @@
>  .\" $FreeBSD$
>  .\" Based on PR#2411
>  .\"
> -.Dd November 30, 2014
> +.Dd November 29, 2017
>  .Dt TUN 4
>  .Os
>  .Sh NAME
> @@ -208,8 +208,15 @@ this stores the internal debugging variable's
> value in .It Dv TUNSIFINFO
>  The argument should be a pointer to an
>  .Vt struct tuninfo
> -and allows setting the MTU, the type, and the baudrate of the tunnel
> +and allows setting the MTU and the baudrate of the tunnel
>  device.
> +The type must be the same as returned by
> +.Dv TUNGIFINFO
> +or set to
> +.Dv IFT_PPP
> +else the
> +.Xr ioctl 2
> +call will fail.
>  The
>  .Vt struct tuninfo
>  is declared in
> 
> Modified: head/sys/net/if_tap.c
> ==============================================================================
> --- head/sys/net/if_tap.c	Wed Nov 29 09:18:24 2017
> (r326361) +++ head/sys/net/if_tap.c	Wed Nov 29 09:40:11
> 2017	(r326362) @@ -737,9 +737,10 @@ tapioctl(struct cdev *dev,
> u_long cmd, caddr_t data, i switch (cmd) {
>  		case TAPSIFINFO:
>  			tapp = (struct tapinfo *)data;
> +			if (ifp->if_type != tapp->type)
> +				return (EPROTOTYPE);
>  			mtx_lock(&tp->tap_mtx);
>  			ifp->if_mtu = tapp->mtu;
> -			ifp->if_type = tapp->type;
>  			ifp->if_baudrate = tapp->baudrate;
>  			mtx_unlock(&tp->tap_mtx);
>  			break;
> 
> Modified: head/sys/net/if_tun.c
> ==============================================================================
> --- head/sys/net/if_tun.c	Wed Nov 29 09:18:24 2017
> (r326361) +++ head/sys/net/if_tun.c	Wed Nov 29 09:40:11
> 2017	(r326362) @@ -676,9 +676,10 @@ tunioctl(struct cdev *dev,
> u_long cmd, caddr_t data, i if (error)
>  				return (error);
>  		}
> +		if (TUN2IFP(tp)->if_type != tunp->type)
> +			return (EPROTOTYPE);
>  		mtx_lock(&tp->tun_mtx);
>  		TUN2IFP(tp)->if_mtu = tunp->mtu;
> -		TUN2IFP(tp)->if_type = tunp->type;
>  		TUN2IFP(tp)->if_baudrate = tunp->baudrate;
>  		mtx_unlock(&tp->tun_mtx);
>  		break;
> _______________________________________________
> svn-src-head at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-head
> To unsubscribe, send any mail to
> "svn-src-head-unsubscribe at freebsd.org"

after updating from r325893 to r326362, FreeBSD CURRENT crashes while
booting the kernel. I'm sorry having no further informations, it
happens on a laptop with reduced space.

At the moment, it seems that a lot of boxes running most recent CURRENT
tend to crash spontanously.

In a more severe case, after upgrading to r326347, the kernel doesn't
boot further - i gets stuck after printing attached USB devices and
then remains frozen forver. USB keyboard works. I tried to boot the old
kernel, but its the same bahaviour. 

The last few changes within the vm system tend to crash FreeBSD also
while installing world. If someone, like me, is sometimes sloppy and
lazy and doing installkernel installworld from multiuser, which worked
for a long time and is, I know, not recommended, will be highly the
victim of a crash while installing! I do not know wether this is worth
a warning (again, within the summertime of this year we had a similkar
saituation).

oh

More information about the svn-src-all mailing list