Page MenuHomeFreeBSD

sppp: Fix getting wrong spppreq cmd from ioctl
Needs ReviewPublic

Authored by zlei on Oct 30 2024, 7:21 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Nov 28, 8:58 AM
Unknown Object (File)
Mon, Nov 25, 5:04 AM
Unknown Object (File)
Sat, Nov 9, 3:20 PM
Unknown Object (File)
Mon, Nov 4, 6:02 AM
Unknown Object (File)
Oct 30 2024, 7:25 AM

Details

Reviewers
kib
Group Reviewers
network
Summary

ifr->ifr_data is supposed to point to a struct spppreq, and the first
member of struct spppreq is cmd which is int type. An user space
struct spppreq spr may be not explicitly zeroed, on 64bit architectures
fuword() or fueword() read 64bit word so garbage (extra 4 bytes) may
be read into kernel space.

Prior to f9d8181868ee, the subcmd is declared as int, on little endian
64bit architectures an implicitly conversion from long (fuword) to int
may overflow (UB), that can happen to trash the garbage (the extra 4 bytes,
high 32 bits). Since f9d8181868ee there is no implicitly conversion so
we end up mismatch subcmd between user space and kernel.

It is a bit hackish to get the value of cmd word via fueword, instead
we refer to it directly from spr->cmd.

This is a direct commit to stable/13 since sppp(4) is not present in
main and stable/14 branches.

PR: 173002
Fixes: f9d8181868ee Fixed yet more ioctl breakage due to the type of ...

Test Plan

Create a sppp interface, check if spppcontrol behave correctly.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped