Page MenuHomeFreeBSD

sppp: Fix getting wrong spppreq cmd from ioctl
AcceptedPublic

Authored by zlei on Oct 30 2024, 7:21 AM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Jan 7, 3:36 AM
Unknown Object (File)
Dec 5 2024, 11:30 AM
Unknown Object (File)
Dec 3 2024, 7:15 PM
Unknown Object (File)
Dec 3 2024, 3:36 PM
Unknown Object (File)
Nov 28 2024, 8:58 AM
Unknown Object (File)
Nov 25 2024, 5:04 AM
Unknown Object (File)
Nov 9 2024, 3:20 PM
Unknown Object (File)
Nov 4 2024, 6:02 AM

Details

Reviewers
kib
glebius
Group Reviewers
network
Summary

ifr->ifr_data is supposed to point to a struct spppreq, and the first
member of struct spppreq is cmd which is int type. An user space
struct spppreq spr may be not explicitly zeroed, on 64bit architectures
fuword() or fueword() read 64bit word so garbage (extra 4 bytes) may
be read into kernel space.

Prior to f9d8181868ee, the subcmd is declared as int, on little endian
64bit architectures an implicitly conversion from long (fuword) to int
may overflow (UB), that can happen to trash the garbage (the extra 4 bytes,
high 32 bits). Since f9d8181868ee there is no implicitly conversion so
we end up mismatch subcmd between user space and kernel.

It is a bit hackish to get the value of cmd word via fueword, instead
we refer to it directly from spr->cmd.

This is a direct commit to stable/13 since sppp(4) is not present in
main and stable/14 branches.

PR: 173002
Fixes: f9d8181868ee Fixed yet more ioctl breakage due to the type of ...

Test Plan

Create a sppp interface, check if spppcontrol behave correctly.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

zlei requested review of this revision.Oct 30 2024, 7:21 AM

Is this for stable/13 only? If you care about closing the bug, just go forward and commit it. The driver was removed in recent versions of FreeBSD.

This revision is now accepted and ready to land.Thu, Dec 19, 4:26 PM

Is this for stable/13 only?

Yes.

If you care about closing the bug, just go forward and commit it. The driver was removed in recent versions of FreeBSD.

Well I doubt the value this fix

sys/net/if_spppsubr.c
5058

After re-reading the code, I think I should use fueword32 instead, as rv was not cleared in SPPPIOSDEFS switch branch. My local test only cover SPPPIOGDEFS branch, shame.