src/sys/dev/netmap, branch releng/13.0 FreeBSD source tree netmap: Fix TOCTOU vulnerability in nmreq_copyin 2022-04-05T23:26:02+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2022-04-05T23:26:02+00:00 4996f46e03a442765c56b562c04c6e3ceae0104c The total size of the user-provided nmreq was first computed and then trusted during the copyin. This might lead to kernel memory corruption and escape from jails/containers. Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23084 MFC after: 3 days (cherry picked from commit 393729916564ed13f966e09129a24e6931898d12) (cherry picked from commit 9f600a260a738d87015b2e9722b7b4f228cbd47d) Approved by: so Security: FreeBSD-SA-22:04.netmap 
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.

Reported by: Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative
Security: CVE-2022-23084
MFC after:	3 days

(cherry picked from commit 393729916564ed13f966e09129a24e6931898d12)
(cherry picked from commit 9f600a260a738d87015b2e9722b7b4f228cbd47d)

Approved by:	so
Security:	FreeBSD-SA-22:04.netmap
netmap: Fix integer overflow in nmreq_copyin 2022-04-05T23:26:02+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2022-04-05T23:26:02+00:00 00ca345e83ada8b68e302f5406f9799209872c90 An unsanitized field in an option could be abused, causing an integer overflow followed by kernel memory corruption. This might be used to escape jails/containers. Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro Zero Day Initiative Security: CVE-2022-23085 (cherry picked from commit 694ea59c7021c25417e6d516362d2f59b4e2c343) (cherry picked from commit 9df8dd3ea36c8b3abe8fc182647472ca9cd83efd) Approved by: so Security: FreeBSD-SA-22:04.netmap 
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.

Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro
Zero Day Initiative
Security: CVE-2022-23085

(cherry picked from commit 694ea59c7021c25417e6d516362d2f59b4e2c343)
(cherry picked from commit 9df8dd3ea36c8b3abe8fc182647472ca9cd83efd)

Approved by:	so
Security:	FreeBSD-SA-22:04.netmap
netmap: fix issues in nm_os_extmem_create() 2021-03-23T22:05:01+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-03-20T17:15:50+00:00 4ec92bce4ecea5fbd21757f1938ec1fd00d7de98 - Call vm_object_reference() before vm_map_lookup_done(). - Use vm_mmap_to_errno() to convert vm_map_* return values to errno. - Fix memory leak of e->obj. Approved by: re (gjb) Reported by: markj Reviewed by: markj MFC after: 1 week (cherry picked from commit ee7ffaa2e6e08b63efb4673610875d40964d5058) (cherry picked from commit 3e4127f8f2933029034ac618a0013f434cb4a420) 
- Call vm_object_reference() before vm_map_lookup_done().
- Use vm_mmap_to_errno() to convert vm_map_* return values to errno.
- Fix memory leak of e->obj.

Approved by:	re (gjb)
Reported by:	markj
Reviewed by:	markj
MFC after:	1 week

(cherry picked from commit ee7ffaa2e6e08b63efb4673610875d40964d5058)
(cherry picked from commit 3e4127f8f2933029034ac618a0013f434cb4a420)
netmap: fix memory leak in NETMAP_REQ_PORT_INFO_GET 2021-03-23T22:04:29+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-03-15T17:39:18+00:00 f7e3976ed0336b338ae83cfaef68ef5094532040 The netmap_ioctl() function has a reference counting bug in case of NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`, the function does not decrease the refcount of "nmd", which is increased by netmap_mem_find(), causing a refcount leak. Approved by: re (gjb) Reported by: Xiyu Yang <sherllyyang00@gmail.com> Submitted by: Carl Smith <carl.smith@alliedtelesis.co.nz> MFC after: 3 days PR: 254311 (cherry picked from commit 0ab5902e8ad93d0a9341dcce386b6c571ee02173) (cherry picked from commit 120a4bd4e9d05147a9774a2ca4b4eff48e062442) 
The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.

Approved by:	re (gjb)
Reported by:	Xiyu Yang <sherllyyang00@gmail.com>
Submitted by:	Carl Smith <carl.smith@alliedtelesis.co.nz>
MFC after: 3 days
PR:	254311

(cherry picked from commit 0ab5902e8ad93d0a9341dcce386b6c571ee02173)
(cherry picked from commit 120a4bd4e9d05147a9774a2ca4b4eff48e062442)
netmap: simplify parameter passing 2021-01-31T08:53:06+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-01-24T21:59:02+00:00 e4c81e46acc0dc34fa6a680ad06f9b003675f86d Changes imported from the netmap github. (cherry picked from commit ee0005f11f2b38a714bc66b7d79832108f6fee77) 
Changes imported from the netmap github.

(cherry picked from commit ee0005f11f2b38a714bc66b7d79832108f6fee77)
netmap: vtnet: fix RX initialization after netmap_reset() 2021-01-11T21:38:32+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-01-11T21:38:32+00:00 3005e10ddbfbec3ecf46a080607bb0d85986eee5 At device reset, we must not publish those netmap receive buffers that are owned by userspace (nm_kr_rxspace). MFC after: 1 week 
At device reset, we must not publish those netmap receive buffers
that are owned by userspace (nm_kr_rxspace).

MFC after:	1 week
netmap: restore hwofs and support it in iflib 2021-01-10T22:51:15+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-01-10T22:49:37+00:00 55f0ad5fdee1a779d6889481ba591a819081b9ca Restore the hwofs functionality temporarily disabled by 7ba6ecf216fb15e8b147db2 to prevent issues with iflib. This patch brings the necessary changes to iflib to enable howfs to allow interface restarts without disrupting netmap applications actively using its rings. After this change, it becomes possible for multiple non-cooperating netmap applications to use non-overlapping subsets of the available netmap rings without clashing with each other. PR: 252453 MFC after: 1 week 
Restore the hwofs functionality temporarily disabled by
7ba6ecf216fb15e8b147db2 to prevent issues with iflib.
This patch brings the necessary changes to iflib to
enable howfs to allow interface restarts without
disrupting netmap applications actively using its
rings.
After this change, it becomes possible for multiple
non-cooperating netmap applications to use non-overlapping
subsets of the available netmap rings without clashing
with each other.

PR:		252453
MFC after:	1 week
netmap: vtnet: enable/disable krings on any interface reinit 2021-01-10T14:10:09+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-01-10T14:09:00+00:00 bb714db6d39583a9fbf5d11849c5e2365e7c0d80 See 3d65fd97e85ab807f3b for a detailed explanation. PR: 252453 MFC after: 1 week 
See 3d65fd97e85ab807f3b for a detailed explanation.

PR:             252453
MFC after:      1 week
netmap: vtnet: stop krings during interface reset 2021-01-09T22:34:52+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-01-09T22:34:10+00:00 9ac59d42c0b4b6cd9c36a5dace7f49753c2e175a Similarly to what done for iflib in 1d238b07d5d4d9660ae0e, this patch prevents access to the krings during the interface reset triggered by netmap_register(). MFC after: 1 week 
Similarly to what done for iflib in 1d238b07d5d4d9660ae0e,
this patch prevents access to the krings during the interface
reset triggered by netmap_register().

MFC after:	1 week
netmap: refactor netmap_reset 2021-01-09T22:07:24+00:00 Vincenzo Maffione vmaffione@FreeBSD.org 2021-01-09T22:07:24+00:00 7ba6ecf216fb15e8b147db268b91d9b82c5a0682 The netmap_reset() function is meant to be called by the driver when they initialize (or re-initialize) a hardware ring. However, since the introduction of support for opening (in netmap mode) a subset of the available rings, netmap_reset() may be called multiple times on actively used rings, causing both kring and netmap ring to transition to an inconsistent state. This changes improves the situation by resetting all the indices fields of the kring to 0, as expected after the reinitialization of a hardware ring. PR: 252518 MFC after: 1 week 
The netmap_reset() function is meant to be called by the driver
when they initialize (or re-initialize) a hardware ring.
However, since the introduction of support for opening (in
netmap mode) a subset of the available rings, netmap_reset()
may be called multiple times on actively used rings, causing
both kring and netmap ring to transition to an inconsistent
state.
This changes improves the situation by resetting all the
indices fields of the kring to 0, as expected after the
reinitialization of a hardware ring.

PR:	    252518
MFC after:  1 week