The SIOCDIFADDR{,_IN6} ioctls take an ifreq structure object, not an
ifaliasreq/in_aliasreq/in6_aliasreq structure object, as their
argument.

As opposed to ifaliasreq/in_aliasreq/in6_aliasreq used by
SIOCAIFADDR{,_IN6}, the ifreq/in6_ifreq structures used by the
SIOCDIFADDR{,_IN6} ioctls do not include a separate field for a
broadcast address and other values required to add an address to a
network interface with SIOCAIFADDR{,_IN6}.

Obtained from: CheriBSD

Whilst this issue is not specific to CHERI-extended architectures, it
was first observed on CheriBSD running on Arm Morello. The incorrect
calls using the in6_aliasreq object result in CHERI capability
violations. A pointer to the ifra_addr field in in6_aliasreq cast to the
ifru_addr union member of in6_ifreq results in bounds being set to the
union's larger size. Such bounds exceed the bounds of in6_aliasreq
object and the bounds-setting instruction clears a tag of the object's
capability.
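
An added illustration of the bounds problem described above (not part of the commit, and not CheriBSD or FreeBSD code): a minimal model of capability bounds-setting applied to stand-in structures. The `demo_*` types and their sizes, `struct cap`, `set_bounds` and `union_cap_for` are assumptions made for this example; they are not the real in6_aliasreq/in6_ifreq layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins: field names follow the commit message, sizes are
 * illustrative and are not the real FreeBSD layouts. */
struct sa6 { unsigned char bytes[28]; };            /* sockaddr_in6-sized */
struct stats { unsigned long long counters[32]; };  /* large union member */

struct demo_aliasreq {            /* models in6_aliasreq (SIOCAIFADDR_IN6) */
    char ifra_name[16];
    struct sa6 ifra_addr, ifra_dstaddr, ifra_prefixmask;
    int ifra_flags;
};
struct demo_ifreq {               /* models in6_ifreq (SIOCDIFADDR_IN6) */
    char ifr_name[16];
    union { struct sa6 ifru_addr; struct stats ifru_stat; } ifr_ifru;
};

/* Minimal capability model: address range plus validity tag. */
struct cap { size_t base, len; bool tag; };

/* Narrow `c` to [base+off, base+off+len). As the message describes, a request
 * reaching past the parent's bounds yields an untagged capability. */
static struct cap set_bounds(struct cap c, size_t off, size_t len)
{
    struct cap r = { c.base + off, len, c.tag };
    if (off > c.len || len > c.len - off)
        r.tag = false;
    return r;
}

/* Bounds derived for the ifr_ifru union when an object of `obj_size` bytes
 * is accessed through the demo_ifreq layout. */
static struct cap union_cap_for(size_t obj_size)
{
    struct cap obj = { 0x1000, obj_size, true };   /* constructed address */
    return set_bounds(obj, offsetof(struct demo_ifreq, ifr_ifru),
                      sizeof(((struct demo_ifreq *)0)->ifr_ifru));
}

int main(void)
{
    printf("aliasreq argument: tag=%d\n", union_cap_for(sizeof(struct demo_aliasreq)).tag);
    printf("ifreq argument:    tag=%d\n", union_cap_for(sizeof(struct demo_ifreq)).tag);
    return 0;
}
```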