[Midnightbsd-cvs] [MidnightBSD/src] 6b1343: The netmap_ioctl() function has a reference counti...

Lucas Holt noreply at github.com
Fri Apr 8 06:48:55 EDT 2022 

  Branch: refs/heads/master
  Home:   https://github.com/MidnightBSD/src
  Commit: 6b134390476fd676c38f4ee6b49bf932f20f02f6
      https://github.com/MidnightBSD/src/commit/6b134390476fd676c38f4ee6b49bf932f20f02f6
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M sys/dev/netmap/netmap.c

  Log Message:
  -----------
  The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.

Obtained from: FreeBSD, commit hash 4019787f50a2826e9a4bba6e70868467b3d6081a


  Commit: d72ad9a8a4162a45c187e6006a2f3794324e5e8e
      https://github.com/MidnightBSD/src/commit/d72ad9a8a4162a45c187e6006a2f3794324e5e8e
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M sys/dev/netmap/netmap.c

  Log Message:
  -----------
  An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.

Security: CVE-2022-23085
Obtained from: FreeBSD, 606f528decc334d9a56ef760b0815c6d56060dbe


  Commit: 859fa109ba12cf89cd3060c99b99cf4deb4d172e
      https://github.com/MidnightBSD/src/commit/859fa109ba12cf89cd3060c99b99cf4deb4d172e
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M sys/dev/netmap/netmap.c

  Log Message:
  -----------
  netmap: Fix TOCTOU vulnerability in nmreq_copyin
The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.

Security: CVE-2022-23084
Obtained from: FreeBSD, 725c70d8153f4bddf95bdd07e2c7b4b9399643f6


Compare: https://github.com/MidnightBSD/src/compare/ede0cbbaef12...859fa109ba12

More information about the Midnightbsd-cvs mailing list