From 21e6fd796b765b83afb4869cb49eb219ade8c54d Mon Sep 17 00:00:00 2001
From: des
Date: Tue, 10 Sep 2013 10:05:59 +0000
Subject: Fix the length calculation for the final block of a sendfile(2) transmission which could be tricked into rounding up to the nearest page size, leaking up to a page of kernel memory. [13:11] In IPv6 and NetATM, stop SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK at the socket layer rather than pass them on to the link layer without validation or credential checks. [SA-13:12] Prevent cross-mount hardlinks between different nullfs mounts of the same underlying filesystem. [SA-13:13]
Security: CVE-2013-5666
Security: FreeBSD-SA-13:11.sendfile
Security: CVE-2013-5691
Security: FreeBSD-SA-13:12.ifioctl
Security: CVE-2013-5710
Security: FreeBSD-SA-13:13.nullfs
Approved by: re
---
 sys/netnatm/natm.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'sys/netnatm')
diff --git a/sys/netnatm/natm.c b/sys/netnatm/natm.c
index 681da9c..c611650 100644
--- a/sys/netnatm/natm.c
+++ b/sys/netnatm/natm.c
@@ -339,6 +339,21 @@ natm_usr_control(struct socket *so, u_long cmd, caddr_t arg,
 npcb = (struct natmpcb *)so->so_pcb;
 KASSERT(npcb != NULL, ("natm_usr_control: npcb == NULL"));
 
+ switch (cmd) {
+ case SIOCSIFADDR:
+ case SIOCSIFBRDADDR:
+ case SIOCSIFDSTADDR:
+ case SIOCSIFNETMASK:
+ /*
+ * Although we should pass any non-ATM ioctl requests
+ * down to driver, we filter some legacy INET requests.
+ * Drivers trust SIOCSIFADDR et al to come from an already
+ * privileged layer, and do not perform any credentials
+ * checks or input validation.
+ */
+ return (EINVAL);
+ }
+
 if (ifp == NULL || ifp->if_ioctl == NULL)
 return (EOPNOTSUPP);
 return ((*ifp->if_ioctl)(ifp, cmd, arg));
-- 
cgit v1.1
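Review bot: The new `switch (cmd)` in natm_usr_control is a deny-list of four commands, so every other request, including any other state-changing interface ioctl, still reaches `(*ifp->if_ioctl)(ifp, cmd, arg)` with no credential check visible in this hunk. The added comment says drivers trust these requests to come from an already privileged layer, so it should also say why only these four are filtered and that the list has to stay in step with the IPv6 filter the commit message mentions. Closing the switch with an explicit `default: break;` would make the fall-through to the driver visibly intentional. Whether a privilege check happens earlier in the function cannot be told from here, because its body begins above the hunk.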