Created attachment 188137 [details] A patch to check that if_type will be set only to a supported value. For the time being there is only one such value IFT_PPP. The tun device allows setting if_type to any random value, though, it does not reserve appropriate memory structures for anything else but IFT_PPP. When the it_type field gets modified the system later on reasonably assumes the appropriate data structures must be there as well. The lack of suitable data structures will result in pretty much any operation on the device causing a certain panic() with a complaint about "a page fault in kernel mode". In case root allows others to open /dev/tun# (chmod g+rw /dev/tun#) this might become a locally triggered DoS allowing some local users to panic the system at will. They only need to set if_type to e.g. IFT_ETHER and let the program exit. During the post exit cleanup the system will try to close the file descriptor bound to the device which will trip the kernel to accessing on-existent Ethernet related data structures causing "a page fault in kernel mode". Apply the attached patch to add a check that the if_type field will be set only to a supported value. For the time being there is only one such value IFT_PPP. In addition to adding a check for the new if_type value the attached patch also simplifies the check for readable data in the tunpoll() function.
There seems to be an extra, unrelated change in your diff?
Yes indeed there is. It is one which I already explained in the longer description. "In addition to adding a check for the new if_type value the attached patch also simplifies the check for readable data in the tunpoll() function." It is just doing the test whether there is something readable waiting in the queue in a more readable manner, the way it should be done one might say.
Hi, The committer can probably split the patch in two chunks. Looks good to me. --HPS
From what I can see using IFQ_POLL_NOLOCK() is not the same like IFQ_IS_EMPTY() in this case, so this chunk should be skipped. --HPS
A commit references this bug: Author: hselasky Date: Wed Nov 29 09:40:12 UTC 2017 New revision: 326362 URL: https://svnweb.freebsd.org/changeset/base/326362 Log: Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. MFC after: 1 week Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies Changes: head/share/man/man4/tap.4 head/share/man/man4/tun.4 head/sys/net/if_tap.c head/sys/net/if_tun.c
Will be MFC'ed next week. Thank you!
A commit references this bug: Author: hselasky Date: Fri Dec 8 15:23:17 UTC 2017 New revision: 326691 URL: https://svnweb.freebsd.org/changeset/base/326691 Log: MFC r326362: Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies Changes: _U stable/11/ stable/11/share/man/man4/tap.4 stable/11/share/man/man4/tun.4 stable/11/sys/net/if_tap.c stable/11/sys/net/if_tun.c
A commit references this bug: Author: hselasky Date: Fri Dec 8 15:26:57 UTC 2017 New revision: 326692 URL: https://svnweb.freebsd.org/changeset/base/326692 Log: MFC r326362: Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies Changes: _U stable/10/ stable/10/share/man/man4/tap.4 stable/10/share/man/man4/tun.4 stable/10/sys/net/if_tap.c stable/10/sys/net/if_tun.c
A commit references this bug: Author: hselasky Date: Fri Dec 8 15:31:00 UTC 2017 New revision: 326693 URL: https://svnweb.freebsd.org/changeset/base/326693 Log: MFC r326362: Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies Changes: _U stable/9/share/ _U stable/9/share/man/ _U stable/9/share/man/man4/ stable/9/share/man/man4/tap.4 stable/9/share/man/man4/tun.4 _U stable/9/sys/ _U stable/9/sys/net/ stable/9/sys/net/if_tap.c stable/9/sys/net/if_tun.c
A commit references this bug: Author: hselasky Date: Fri Dec 8 15:37:37 UTC 2017 New revision: 326694 URL: https://svnweb.freebsd.org/changeset/base/326694 Log: MFC r326362: Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies Changes: _U stable/8/share/ _U stable/8/share/man/ _U stable/8/share/man/man4/ stable/8/share/man/man4/tap.4 stable/8/share/man/man4/tun.4 _U stable/8/sys/ _U stable/8/sys/net/ stable/8/sys/net/if_tap.c stable/8/sys/net/if_tun.c