From 1a05c762b9c203dec97fc053448eab98b525b088 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@FreeBSD.org>
Date: Tue, 10 Sep 2013 10:05:59 +0000
Subject: Fix the length calculation for the final block of a sendfile(2)
 transmission which could be tricked into rounding up to the nearest page
 size, leaking up to a page of kernel memory.  [13:11]

In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR
and SIOCSIFNETMASK at the socket layer rather than pass them on to the
link layer without validation or credential checks.  [SA-13:12]

Prevent cross-mount hardlinks between different nullfs mounts of the
same underlying filesystem.  [SA-13:13]

Security:	CVE-2013-5666
Security:	FreeBSD-SA-13:11.sendfile
Security:	CVE-2013-5691
Security:	FreeBSD-SA-13:12.ifioctl
Security:	CVE-2013-5710
Security:	FreeBSD-SA-13:13.nullfs
Approved by:	re
---
 sys/fs/nullfs/null_vnops.c | 10 ++++++++++
 sys/kern/uipc_syscalls.c   |  9 ++++-----
 sys/net/if.c               | 18 ++++++++++++++++--
 sys/netinet6/in6.c         | 12 ++++++++++++
 sys/netnatm/natm.c         | 15 +++++++++++++++
 5 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/sys/fs/nullfs/null_vnops.c b/sys/fs/nullfs/null_vnops.c
index 70402e35f1db..cf3762eda39d 100644
--- a/sys/fs/nullfs/null_vnops.c
+++ b/sys/fs/nullfs/null_vnops.c
@@ -858,6 +858,15 @@ null_vptocnp(struct vop_vptocnp_args *ap)
 	return (error);
 }
 
+static int
+null_link(struct vop_link_args *ap)
+{
+
+	if (ap->a_tdvp->v_mount != ap->a_vp->v_mount)
+		return (EXDEV);
+	return (null_bypass((struct vop_generic_args *)ap));
+}
+
 /*
  * Global vfs data structures
  */
@@ -871,6 +880,7 @@ struct vop_vector null_vnodeops = {
 	.vop_getwritemount =	null_getwritemount,
 	.vop_inactive =		null_inactive,
 	.vop_islocked =		vop_stdislocked,
+	.vop_link =		null_link,
 	.vop_lock1 =		null_lock,
 	.vop_lookup =		null_lookup,
 	.vop_open =		null_open,
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 8229390da60a..f88677c1ca25 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -2221,11 +2221,10 @@ retry_space:
 			 * or the passed in nbytes.
 			 */
 			pgoff = (vm_offset_t)(off & PAGE_MASK);
-			if (nbytes)
-				rem = (nbytes - fsbytes - loopbytes);
-			else
-				rem = va.va_size -
-				    offset - fsbytes - loopbytes;
+			rem = va.va_size - offset;
+			if (nbytes != 0)
+				rem = omin(rem, nbytes);
+			rem -= fsbytes + loopbytes;
 			xfsize = omin(PAGE_SIZE - pgoff, rem);
 			xfsize = omin(space - loopbytes, xfsize);
 			if (xfsize <= 0) {
diff --git a/sys/net/if.c b/sys/net/if.c
index 2cb3da013c21..0356ec7fbf46 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -2553,11 +2553,23 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
 		CURVNET_RESTORE();
 		return (EOPNOTSUPP);
 	}
+
+	/*
+	 * Pass the request on to the socket control method, and if the
+	 * latter returns EOPNOTSUPP, directly to the interface.
+	 *
+	 * Make an exception for the legacy SIOCSIF* requests.  Drivers
+	 * trust SIOCSIFADDR et al to come from an already privileged
+	 * layer, and do not perform any credentials checks or input
+	 * validation.
+	 */
 #ifndef COMPAT_43
 	error = ((*so->so_proto->pr_usrreqs->pru_control)(so, cmd,
 								 data,
 								 ifp, td));
-	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL)
+	if (error == EOPNOTSUPP && ifp != NULL && ifp->if_ioctl != NULL &&
+	    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+	    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
 		error = (*ifp->if_ioctl)(ifp, cmd, data);
 #else
 	{
@@ -2601,7 +2613,9 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
 								   data,
 								   ifp, td));
 		if (error == EOPNOTSUPP && ifp != NULL &&
-		    ifp->if_ioctl != NULL)
+		    ifp->if_ioctl != NULL &&
+		    cmd != SIOCSIFADDR && cmd != SIOCSIFBRDADDR &&
+		    cmd != SIOCSIFDSTADDR && cmd != SIOCSIFNETMASK)
 			error = (*ifp->if_ioctl)(ifp, cmd, data);
 		switch (ocmd) {
 
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index 9d9993091c7c..e5c62df81a20 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -431,6 +431,18 @@ in6_control(struct socket *so, u_long cmd, caddr_t data,
 	case SIOCGIFSTAT_ICMP6:
 		sa6 = &ifr->ifr_addr;
 		break;
+	case SIOCSIFADDR:
+	case SIOCSIFBRDADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFNETMASK:
+		/*
+		 * Although we should pass any non-INET6 ioctl requests
+		 * down to driver, we filter some legacy INET requests.
+		 * Drivers trust SIOCSIFADDR et al to come from an already
+		 * privileged layer, and do not perform any credentials
+		 * checks or input validation.
+		 */
+		return (EINVAL);
 	default:
 		sa6 = NULL;
 		break;
diff --git a/sys/netnatm/natm.c b/sys/netnatm/natm.c
index 681da9cd0595..c61165015536 100644
--- a/sys/netnatm/natm.c
+++ b/sys/netnatm/natm.c
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_long cmd, caddr_t arg,
 	npcb = (struct natmpcb *)so->so_pcb;
 	KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
 
+	switch (cmd) {
+	case SIOCSIFADDR:
+	case SIOCSIFBRDADDR:
+	case SIOCSIFDSTADDR:
+	case SIOCSIFNETMASK:
+		/*
+		 * Although we should pass any non-ATM ioctl requests
+		 * down to driver, we filter some legacy INET requests.
+		 * Drivers trust SIOCSIFADDR et al to come from an already
+		 * privileged layer, and do not perform any credentials
+		 * checks or input validation.
+		 */
+		return (EINVAL);
+	}
+
 	if (ifp == NULL || ifp->if_ioctl == NULL)
 		return (EOPNOTSUPP);
 	return ((*ifp->if_ioctl)(ifp, cmd, arg));
-- 
cgit v1.2.3