Author: des
Date: Tue Sep 10 10:15:33 2013
New Revision: 255448
URL: http://svnweb.freebsd.org/changeset/base/255448

Log:
  In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
  and SIOCSIFNETMASK at the socket layer rather than pass them on to the
  link layer without validation or credential checks.  [SA-13:12]
  
  Prevent cross-mount hardlinks between different nullfs mounts of the
  same underlying filesystem.  [SA-13:13]
  
  Security:     CVE-2013-5691
  Security:     FreeBSD-SA-13:12.ifioctl
  Security:     CVE-2013-5710
  Security:     FreeBSD-SA-13:13.nullfs
  Approved by:  so

Modified:
  releng/9.1/UPDATING
  releng/9.1/sys/conf/newvers.sh
  releng/9.1/sys/fs/nullfs/null_vnops.c
  releng/9.1/sys/net/if.c
  releng/9.1/sys/netinet6/in6.c
  releng/9.1/sys/netnatm/natm.c

Modified: releng/9.1/UPDATING
==============================================================================
--- releng/9.1/UPDATING Tue Sep 10 10:14:19 2013        (r255447)
+++ releng/9.1/UPDATING Tue Sep 10 10:15:33 2013        (r255448)
@@ -9,6 +9,17 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20130910:      p7      FreeBSD-SA-13:12.ifioctl
+                       FreeBSD-SA-13:13.nullfs
+
+       In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR,
+       SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather
+       than pass them on to the link layer without validation or
+       credential checks.  [SA-13:12]
+
+       Prevent cross-mount hardlinks between different nullfs mounts
+       of the same underlying filesystem.  [SA-13:13]
+
 20130822:      p6      FreeBSD-SA-13:09.ip_multicast
                        FreeBSD-SA-13:10.sctp
                        FreeBSD-EN-13:03.mfi

Modified: releng/9.1/sys/conf/newvers.sh
==============================================================================
--- releng/9.1/sys/conf/newvers.sh      Tue Sep 10 10:14:19 2013        
(r255447)
+++ releng/9.1/sys/conf/newvers.sh      Tue Sep 10 10:15:33 2013        
(r255448)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p6"
+BRANCH="RELEASE-p7"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.1/sys/fs/nullfs/null_vnops.c
==============================================================================
--- releng/9.1/sys/fs/nullfs/null_vnops.c       Tue Sep 10 10:14:19 2013        
(r255447)
+++ releng/9.1/sys/fs/nullfs/null_vnops.c       Tue Sep 10 10:15:33 2013        
(r255448)
@@ -815,6 +815,15 @@ null_vptocnp(struct vop_vptocnp_args *ap
        return (error);
 }
 
+static int
+null_link(struct vop_link_args *ap)
+{
+
+       if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
+               return (EXDEV);
+       return (null_bypass((struct vop_generic_args *)ap));
+}
+
 /*
  * Global vfs data structures
  */
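Review bot: null_link() is added without any comment saying why the two `v_mount` pointers are compared, so the check can look redundant to a later reader and be dropped in a cleanup. A short header comment would record the intent, for example `/* Refuse hard links between different nullfs mounts, even when both are mounts of the same underlying filesystem. */`. The early `return (EXDEV)` skips null_bypass(). The VOP_LINK caller is outside this hunk, so it is worth confirming there that the VOP is not expected to release any lock or reference on failure.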
@@ -828,6 +837,7 @@ struct vop_vector null_vnodeops = {
        .vop_getwritemount =    null_getwritemount,
        .vop_inactive =         null_inactive,
        .vop_islocked =         vop_stdislocked,
+       .vop_link =             null_link,
        .vop_lock1 =            null_lock,
        .vop_lookup =           null_lookup,
        .vop_open =             null_open,

Modified: releng/9.1/sys/net/if.c
==============================================================================
--- releng/9.1/sys/net/if.c     Tue Sep 10 10:14:19 2013        (r255447)
+++ releng/9.1/sys/net/if.c     Tue Sep 10 10:15:33 2013        (r255448)
@@ -2542,11 +2542,23 @@ ifioctl(struct socket *so, u_long cmd, c
                CURVNET_RESTORE();
                return (EOPNOTSUPP);
        }
+
+       /*
+        * Pass the request on to the socket control method, and if the
+        * latter returns EOPNOTSUPP, directly to the interface.
+        *
+        * Make an exception for the legacy SIOCSIF* requests.  Drivers
+        * trust SIOCSIFADDR et al to come from an already privileged
+        * layer, and do not perform any credentials checks or input
+        * validation.
+        */
 #ifndef COMPAT_43
        error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
                                                                 data,
                                                                 ifp, td));
-       if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
+       if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
+           cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+           cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
                error = (*ifp->if_ioctl)(ifp, cmd, data);
 #else
        {
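Review bot: The four-command exclusion added to the `if_ioctl` fallback here is repeated verbatim in the COMPAT_43 branch in the next hunk of this file, and the same list appears again as case labels in in6.c and natm.c. Four hand-maintained copies of a security filter can drift apart; a single predicate in if.c, used by both fallbacks, would leave one place to update when another request needs blocking. ifioctl() begins and ends outside the hunk, so the helper below only sketches the shape and placement.

```c
/* Legacy set-address requests that drivers accept without their own checks. */
static int
ifioctl_legacy_set(u_long cmd)
{

	switch (cmd) {
	case SIOCSIFADDR:
	case SIOCSIFBRDADDR:
	case SIOCSIFDSTADDR:
	case SIOCSIFNETMASK:
		return (1);
	default:
		return (0);
	}
}

/* … unchanged: pru_control call … */
	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
	    !ifioctl_legacy_set(cmd))
		error = (*ifp->if_ioctl)(ifp, cmd, data);
```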
@@ -2590,7 +2602,9 @@ ifioctl(struct socket *so, u_long cmd, c
                                                                   data,
                                                                   ifp, td));
                if (error == EOPNOTSUPP && ifp != NULL &&
-                   ifp->if_ioctl != NULL)
+                   ifp->if_ioctl != NULL &&
+                   cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+                   cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
                        error = (*ifp->if_ioctl)(ifp, cmd, data);
                switch (ocmd) {
 

Modified: releng/9.1/sys/netinet6/in6.c
==============================================================================
--- releng/9.1/sys/netinet6/in6.c       Tue Sep 10 10:14:19 2013        
(r255447)
+++ releng/9.1/sys/netinet6/in6.c       Tue Sep 10 10:15:33 2013        
(r255448)
@@ -421,6 +421,18 @@ in6_control(struct socket *so, u_long cm
        case SIOCGIFSTAT_ICMP6:
                sa6 = &ifr->ifr_addr;
                break;
+       case SIOCSIFADDR:
+       case SIOCSIFBRDADDR:
+       case SIOCSIFDSTADDR:
+       case SIOCSIFNETMASK:
+               /*
+                * Although we should pass any non-INET6 ioctl requests
+                * down to driver, we filter some legacy INET requests.
+                * Drivers trust SIOCSIFADDR et al to come from an already
+                * privileged layer, and do not perform any credentials
+                * checks or input validation.
+                */
+               return (EINVAL);
        default:
                sa6 = NULL;
                break;
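Review bot: The added cases reject only four named requests, while `default:` still sets `sa6 = NULL`. Going by the new comment's own statement that non-INET6 requests are passed down to the driver, every other request presumably continues on that path. The comment should say this is an explicit list that needs maintaining, for example by appending `Any other request a driver assumes is pre-authorised must be added here and to the matching filter in ifioctl().` The rest of in6_control() is outside the hunk, so it cannot be confirmed from here whether later code applies a privilege check to the remaining requests.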

Modified: releng/9.1/sys/netnatm/natm.c
==============================================================================
--- releng/9.1/sys/netnatm/natm.c       Tue Sep 10 10:14:19 2013        
(r255447)
+++ releng/9.1/sys/netnatm/natm.c       Tue Sep 10 10:15:33 2013        
(r255448)
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_lo
        npcb = (struct natmpcb *)so->so_pcb;
        KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
 
+       switch (cmd) {
+       case SIOCSIFADDR:
+       case SIOCSIFBRDADDR:
+       case SIOCSIFDSTADDR:
+       case SIOCSIFNETMASK:
+               /*
+                * Although we should pass any non-ATM ioctl requests
+                * down to driver, we filter some legacy INET requests.
+                * Drivers trust SIOCSIFADDR et al to come from an already
+                * privileged layer, and do not perform any credentials
+                * checks or input validation.
+                */
+               return (EINVAL);
+       }
+
        if (ifp == NULL || ifp->if_ioctl == NULL)
                return (EOPNOTSUPP);
        return ((*ifp->if_ioctl)(ifp, cmd, arg));
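Review bot: The new `switch (cmd)` has no `default:` label, and every request other than the four listed still reaches `(*ifp->if_ioctl)(ifp, cmd, arg)` at the end of the hunk with no credential check visible in between. Adding `default: break;` would make the fall-through explicit. Because this function calls the driver itself, the filter in ifioctl() does not cover it, which the comment could usefully state. The start of natm_usr_control() is outside the hunk, so an earlier privilege check cannot be ruled out. If there is none, it is worth considering whether this path should forward only the requests NetATM actually needs.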