[src/trunk]: src/sys/net ifioctl(9): Don't touch ifconf or ifreq until comman...

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/0941adbfd1a2
branches:  trunk
changeset: 368369:0941adbfd1a2
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Thu Jul 07 18:17:33 2022 +0000

description:
ifioctl(9): Don't touch ifconf or ifreq until command is validated.

sys_ioctl validates the data pointer according to the command's size
and direction.  But userland may ioctl commands other than
OSIOCGIFCONF or OOSIOCGIFCONF -- and if userland passes an IOC_VOID
command, the argument is passed through verbatim and may be null.

Reported-by: syzbot+19b1bf83e5481273eafc%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=f4c91a7dcd31901c80d91af6ed01456faf0a7286

Reported-by: syzbot+442c033feb784d055185%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=4a3a4b92dbe9695046ff17a5474cef52aed23e0b

Reported-by: syzbot+4c87d0cdf7025741ea7a%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=3e5f42c998e43ad42da40dec3c7873e6aae187e4

diffstat:

 sys/compat/common/uipc_syscalls_40.c |  6 +++---
 sys/net/if.c                         |  7 +++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diffs (59 lines):

diff -r 3f737c49b7ec -r 0941adbfd1a2 sys/compat/common/uipc_syscalls_40.c
--- a/sys/compat/common/uipc_syscalls_40.c      Thu Jul 07 18:11:29 2022 +0000
+++ b/sys/compat/common/uipc_syscalls_40.c      Thu Jul 07 18:17:33 2022 +0000
@@ -1,9 +1,9 @@
-/*     $NetBSD: uipc_syscalls_40.c,v 1.23 2020/07/16 15:02:08 msaitoh Exp $    */
+/*     $NetBSD: uipc_syscalls_40.c,v 1.24 2022/07/07 18:17:33 riastradh Exp $  */
 
 /* written by Pavel Cahyna, 2006. Public domain. */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.23 2020/07/16 15:02:08 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.24 2022/07/07 18:17:33 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_compat_netbsd.h"
@@ -41,7 +41,6 @@
        struct oifreq ifr, *ifrp = NULL;
        int space = 0, error = 0;
        const int sz = (int)sizeof(ifr);
-       const bool docopy = ifc->ifc_req != NULL;
        int s;
        int bound;
        struct psref psref;
@@ -54,6 +53,7 @@
                return ENOSYS;
        }
 
+       const bool docopy = ifc->ifc_req != NULL;
        if (docopy) {
                if (ifc->ifc_len < 0)
                        return EINVAL;
diff -r 3f737c49b7ec -r 0941adbfd1a2 sys/net/if.c
--- a/sys/net/if.c      Thu Jul 07 18:11:29 2022 +0000
+++ b/sys/net/if.c      Thu Jul 07 18:17:33 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if.c,v 1.505 2022/05/22 11:27:36 andvar Exp $  */
+/*     $NetBSD: if.c,v 1.506 2022/07/07 18:17:33 riastradh Exp $       */
 
 /*-
  * Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.505 2022/05/22 11:27:36 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.506 2022/07/07 18:17:33 riastradh Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -3450,6 +3450,9 @@
                }
        }
 
+       if ((cmd & IOC_IN) == 0 || IOCPARM_LEN(cmd) < sizeof(ifr->ifr_name))
+               return EINVAL;
+
        bound = curlwp_bind();
        ifp = if_get(ifr->ifr_name, &psref);
        if (ifp == NULL) {