upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

netmap: Fix integer overflow in nmreq_copyin

Browse source 
An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.

Reported by: Reno Robert and Lucas Leong (@_wmliang_) of Trend Micro
Zero Day Initiative
Security: CVE-2022-23085
This commit is contained in:
Vincenzo Maffione 2022-03-16 06:57:54 +00:00
parent adbf7727b3
commit 694ea59c70
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
sys/dev/netmap/netmap.c
View file

@ -3362,7 +3362,7 @@ nmreq_opt_size_by_type(uint32_t nro_reqtype, uint64_t nro_size)
int
nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
{
size_t rqsz, optsz, bufsz;
size_t rqsz, optsz, bufsz, optbodysz;
int error = 0;
char *ker = NULL, *p;
struct nmreq_option **next, *src, **opt_tab;
@ -3410,8 +3410,18 @@ nmreq_copyin(struct nmreq_header *hdr, int nr_body_is_user)
error = copyin(src, &buf, sizeof(*src));
if (error)
goto out_err;
/* Validate nro_size to avoid integer overflow of optsz and bufsz. */
if (buf.nro_size > NETMAP_REQ_MAXSIZE) {
error = EMSGSIZE;
goto out_err;
}
optsz += sizeof(*src);
optsz += nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
optbodysz = nmreq_opt_size_by_type(buf.nro_reqtype, buf.nro_size);
if (optbodysz > NETMAP_REQ_MAXSIZE) {
error = EMSGSIZE;
goto out_err;
}
optsz += optbodysz;
if (rqsz + optsz > NETMAP_REQ_MAXSIZE) {
error = EMSGSIZE;
goto out_err;