Differential D24431

pf: Improve ioctl() input validation
ClosedPublic
Actions

Authored by kp on Apr 15 2020, 6:47 PM.

Details

Reviewers

None

Group Reviewers

network

Commits

rS360098: pf: Improve ioctl() input validation

Summary

Both DIOCCHANGEADDR and DIOCADDADDR take a struct pf_pooladdr from
userspace. They failed to validate the dyn pointer contained in its
struct pf_addr_wrap member structure.

This triggered assertion failures under fuzz testing in
pfi_dynaddr_setup(). Happily the dyn variable was overruled there, but
we should verify that it's set to NULL anyway.

Reported-by: syzbot+93e93150bc29f9b4b85f@syzkaller.appspotmail.com

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Apr 15 2020, 6:47 PM

Herald added subscribers: melifaro, farrokhi. · View Herald TranscriptApr 15 2020, 6:47 PM

Harbormaster completed remote builds in B30519: Diff 70615.Apr 15 2020, 6:47 PM

Seems fine to me, although I'm wondering about having the kernel set it to NULL on entry vs requiring that it's NULL.

I think we want to check for NULL, as a robustness / future proofing measure.
Imagine that we eventually want to start using this variable for input (I don't know why, but for the sake of argument...), if we accepted random input there we could never tell the difference between an old binary (pre-using 'dyn' as input) passing garbage, and a new one passing a valid value.

This revision was not accepted when it landed; it landed in state Needs Review.Apr 19 2020, 4:10 PM

Closed by commit rS360098: pf: Improve ioctl() input validation (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rS360098: pf: Improve ioctl() input validation.

Herald added a subscriber: imp. · View Herald TranscriptApr 19 2020, 4:10 PM