diff options
author | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2022-03-16 06:57:54 +0000 |
---|---|---|
committer | Vincenzo Maffione <vmaffione@FreeBSD.org> | 2022-03-16 06:57:54 +0000 |
commit | 694ea59c7021c25417e6d516362d2f59b4e2c343 (patch) | |
tree | 37ba93a0db0078308cf2b87e5407f91345fa1291 | |
parent | adbf7727b3a2aad3c2faa6e543ee7fa7a6c9a3d5 (diff) | |
download | src-694ea59c7021c25417e6d516362d2f59b4e2c343.tar.gz src-694ea59c7021c25417e6d516362d2f59b4e2c343.zip |
netmap: Fix integer overflow in nmreq_copyin
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.
Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro
Zero Day Initiative
Security: CVE-2022-23085
-rw-r--r-- | sys/dev/netmap/netmap.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/sys/dev/netmap/netmap.c b/sys/dev/netmap/netmap.c index 17b6eeaac085..b062b1ba7737 100644 --- a/sys/dev/netmap/netmap.c +++ b/sys/dev/netmap/netmap.c @@ -3362,7 +3362,7 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size) int nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) { - size_t rqsz, optsz, bufsz; + size_t rqsz, optsz, bufsz, optbodysz; int error = 0; char *ker = NULL, *p; struct nmreq_option **next, *src, **opt_tab; @@ -3410,8 +3410,18 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user) error = copyin(src, &buf, sizeof(*src)); if (error) goto out_err; + /* Validate nro_size to avoid integer overflow of optsz and bufsz. */ + if (buf.nro_size > NETMAP_REQ_MAXSIZE) { + error = EMSGSIZE; + goto out_err; + } optsz += sizeof(*src); - optsz += nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); + optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size); + if (optbodysz > NETMAP_REQ_MAXSIZE) { + error = EMSGSIZE; + goto out_err; + } + optsz += optbodysz; if (rqsz + optsz > NETMAP_REQ_MAXSIZE) { error = EMSGSIZE; goto out_err; |