On Sun, Nov 17, 2019 at 02:17:14PM +0000, Stuart Henderson wrote:
> On 2019/11/17 14:44, Sebastien Marie wrote:
> > I am unsure if the problem is kernel related or in dhcpcd ...
>
> I think this should do the trick (not tested yet). I wonder how many
> more of these are in ports.
Our kernel had weak address checks. I suspect this causes some syzkaller crashes when these addresses are copied into the kernel and are used later in a strange way. I think the best way to handle it is to make the kernel strict and fix userland. If the kernel would allow the sloppiest userland program to succeed, creating security would be hard. So patching dhcpcd is the right approach. Thanks for finding.

OK bluhm@

> Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/dhcpcd/Makefile,v > retrieving revision 1.63 > diff -u -p -r1.63 Makefile > --- Makefile 13 Nov 2019 12:18:09 -0000 1.63 > +++ Makefile 17 Nov 2019 14:15:33 -0000 > @@ -3,6 +3,7 @@ > COMMENT= DHCPv4/IPv4LL/IPv6RS/DHCPv6 quad stack client > > DISTNAME= dhcpcd-8.1.2 > +REVISION= 0 > > CATEGORIES= net > EXTRACT_SUFX= .tar.xz > Index: patches/patch-src_if-bsd_c > =================================================================== > RCS file: patches/patch-src_if-bsd_c > diff -N patches/patch-src_if-bsd_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_if-bsd_c 17 Nov 2019 14:15:33 -0000 > @@ -0,0 +1,13 @@ > +$OpenBSD$ > + > +Index: src/if-bsd.c > +--- src/if-bsd.c.orig > ++++ src/if-bsd.c > +@@ -1043,6 +1043,7 @@ if_addrflags6(const struct interface *ifp, const struc > + strlcpy(ifr6.ifr_name, ifp->name, sizeof(ifr6.ifr_name)); > + ifr6.ifr_addr.sin6_family = AF_INET6; > + ifr6.ifr_addr.sin6_addr = *addr; > ++ ifr6.ifr_addr.sin6_len = sizeof(ifr6.ifr_addr); > + ifa_setscope(&ifr6.ifr_addr, ifp->index); > + priv = (struct priv *)ifp->ctx->priv; > + if (ioctl(priv->pf_inet6_fd, SIOCGIFAFLAG_IN6, &ifr6) != -1)
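Review bot: the new patches/patch-src_if-bsd_c has no explanatory comment between the `$OpenBSD$` line and `Index: src/if-bsd.c`; ports convention is to say there why the change is needed (the kernel now rejects an in6 sockaddr passed to SIOCGIFAFLAG_IN6 whose sin6_len is not set) and whether it has been sent upstream, so a one-line note such as "set sin6_len, the kernel now checks it" would help whoever refreshes the patch for dhcpcd 8.1.3. On the if_addrflags6() hunk itself, `ifr6.ifr_addr.sin6_len = sizeof(ifr6.ifr_addr);` is placed correctly before ifa_setscope() and the ioctl; the visible context only shows sin6_family, sin6_addr and now sin6_len being filled in, so it would be worth confirming that ifr6 is zeroed earlier in the function, otherwise the remaining sockaddr_in6 fields reach the stricter kernel checks uninitialized. The Makefile hunk's `REVISION= 0` bump is appropriate for a patch that changes the built binary.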
