Hi tech@,

syzkaller reported pfi_get_interfaces
https://syzkaller.appspot.com/bug?id=963ef41930bb84af584be3bf910a3f67d65581a0
which does a copyout while holding the NET and PF locks.

The following diff should address this.

mbuhl


Index: sys/net/pf_if.c
===================================================================
RCS file: /cvs/src/sys/net/pf_if.c,v
retrieving revision 1.103
diff -u -p -r1.103 pf_if.c
--- sys/net/pf_if.c     26 Dec 2021 01:00:32 -0000      1.103
+++ sys/net/pf_if.c     28 Apr 2022 16:36:49 -0000
@@ -755,7 +755,7 @@ pfi_update_status(const char *name, stru
        }
 }
 
-int
+void
 pfi_get_ifaces(const char *name, struct pfi_kif *buf, int *size)
 {
        struct pfi_kif  *p, *nextp;
@@ -769,16 +769,12 @@ pfi_get_ifaces(const char *name, struct 
                        if (!p->pfik_tzero)
                                p->pfik_tzero = gettime();
                        pfi_kif_ref(p, PFI_KIF_REF_RULE);
-                       if (copyout(p, buf++, sizeof(*buf))) {
-                               pfi_kif_unref(p, PFI_KIF_REF_RULE);
-                               return (EFAULT);
-                       }
+                       memcpy(buf++, p, sizeof(*buf));
                        nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p);
                        pfi_kif_unref(p, PFI_KIF_REF_RULE);
                }
        }
        *size = n;
-       return (0);
 }
 
 int
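Review bot: With copyout() replaced by memcpy() on the new line, nothing between pfi_kif_ref() and pfi_kif_unref() in this loop can sleep or fault any more, so if that reference existed only to keep p alive across a faulting copyout, the ref/unref pair and the `nextp = RB_NEXT(pfi_ifhead, &pfi_ifs, p);` re-read before the unref no longer serve a purpose and the loop could use a plain RB_FOREACH. The loop head and the start of pfi_get_ifaces are outside this hunk, so whether p can otherwise be freed while PF_LOCK is held is not visible here and should be confirmed before dropping the reference. The memcpy still copies the entire struct pfi_kif into a buffer that DIOCIGETIFACES later hands to userland, as the old copyout did; a one-line comment such as `/* whole kif is exposed to userland via DIOCIGETIFACES */` would make that contract explicit at the copy.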
Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.379
diff -u -p -r1.379 pf_ioctl.c
--- sys/net/pf_ioctl.c  9 Apr 2022 13:15:44 -0000       1.379
+++ sys/net/pf_ioctl.c  28 Apr 2022 17:21:47 -0000
@@ -2921,18 +2921,30 @@ pfioctl(dev_t dev, u_long cmd, caddr_t a
                break;
 
        case DIOCIGETIFACES: {
-               struct pfioc_iface *io = (struct pfioc_iface *)addr;
+               struct pfioc_iface      *io = (struct pfioc_iface *)addr;
+               struct pfi_kif          *kif_buf;
+               int                      apfiio_size = io->pfiio_size;
 
                if (io->pfiio_esize != sizeof(struct pfi_kif)) {
                        error = ENODEV;
                        goto fail;
                }
+
+               if ((kif_buf = mallocarray(sizeof(*kif_buf), apfiio_size,
+                   M_TEMP, M_WAITOK|M_CANFAIL)) == NULL) {
+                       error = EINVAL;
+                       goto fail;
+               }
+
                NET_LOCK();
                PF_LOCK();
-               error = pfi_get_ifaces(io->pfiio_name, io->pfiio_buffer,
-                   &io->pfiio_size);
+               pfi_get_ifaces(io->pfiio_name, kif_buf, &io->pfiio_size);
                PF_UNLOCK();
                NET_UNLOCK();
+               if (copyout(kif_buf, io->pfiio_buffer, sizeof(*kif_buf) *
+                   io->pfiio_size))
+                       error = EFAULT;
+               free(kif_buf, M_TEMP, sizeof(*kif_buf) * apfiio_size);
                break;
        }
 
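Review bot: The copyout length `sizeof(*kif_buf) * io->pfiio_size` on the lines after NET_UNLOCK() uses the value pfi_get_ifaces just wrote into io->pfiio_size, while kif_buf was sized from the original apfiio_size; if the callee reports the total number of matching interfaces in *size (the `*size = n;` in the pf_if.c hunk suggests so, though the loop head is outside that hunk), a result larger than the request reads past the end of kif_buf and copies kernel heap to userland. Bounding the copy with `MIN(io->pfiio_size, apfiio_size)` keeps the out-of-band count for the caller while copying only what was allocated. apfiio_size is also taken from userland unchecked: a negative value only fails because it converts to a huge size_t in mallocarray, which deserves an explicit `if (apfiio_size < 0) { error = EINVAL; goto fail; }` before the allocation, and a failed allocation would conventionally yield ENOMEM rather than the EINVAL returned here. Finally, mallocarray's parameters are (nmemb, size), so `mallocarray(apfiio_size, sizeof(*kif_buf), M_TEMP, M_WAITOK|M_CANFAIL)` reads as intended even though the product is the same.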
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.506
diff -u -p -r1.506 pfvar.h
--- sys/net/pfvar.h     21 Apr 2022 15:22:49 -0000      1.506
+++ sys/net/pfvar.h     28 Apr 2022 16:22:44 -0000
@@ -1879,7 +1879,7 @@ int                pfi_dynaddr_setup(struct pf_addr_w
 void            pfi_dynaddr_remove(struct pf_addr_wrap *);
 void            pfi_dynaddr_copyout(struct pf_addr_wrap *);
 void            pfi_update_status(const char *, struct pf_status *);
-int             pfi_get_ifaces(const char *, struct pfi_kif *, int *);
+void            pfi_get_ifaces(const char *, struct pfi_kif *, int *);
 int             pfi_set_flags(const char *, int);
 int             pfi_clear_flags(const char *, int);
 void            pfi_xcommit(void);
