[Midnightbsd-cvs] [MidnightBSD/src] 6a0468: The netmap_ioctl() function has a reference counti...

Lucas Holt noreply at github.com
Fri Apr 8 07:01:32 EDT 2022


  Branch: refs/heads/stable/2.1
  Home:   https://github.com/MidnightBSD/src
  Commit: 6a04685fcd62844076217e4588cc85216588f0c9
      https://github.com/MidnightBSD/src/commit/6a04685fcd62844076217e4588cc85216588f0c9
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M sys/dev/netmap/netmap.c

  Log Message:
  -----------
  The netmap_ioctl() function has a reference counting bug in case of
NETMAP_REQ_PORT_INFO_GET command. When `hdr->nr_name[0] == '\0'`,
the function does not decrease the refcount of "nmd", which is
increased by netmap_mem_find(), causing a refcount leak.

Obtained from: FreeBSD, commit hash 4019787f50a2826e9a4bba6e70868467b3d6081a


  Commit: 20b3a4d9c0de287adf921393693e4486c86a3b29
      https://github.com/MidnightBSD/src/commit/20b3a4d9c0de287adf921393693e4486c86a3b29
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M sys/dev/netmap/netmap.c

  Log Message:
  -----------
  An unsanitized field in an option could be abused, causing an integer
overflow followed by kernel memory corruption. This might be used
to escape jails/containers.

Security: CVE-2022-23085
Obtained from: FreeBSD, 606f528decc334d9a56ef760b0815c6d56060dbe


  Commit: ebc96eef6315b29033cd62ea6b54a07598b57036
      https://github.com/MidnightBSD/src/commit/ebc96eef6315b29033cd62ea6b54a07598b57036
  Author: Lucas Holt <luke at foolishgames.com>
  Date:   2022-04-08 (Fri, 08 Apr 2022)

  Changed paths:
    M sys/dev/netmap/netmap.c

  Log Message:
  -----------
  netmap: Fix TOCTOU vulnerability in nmreq_copyin

The total size of the user-provided nmreq was first computed and then
trusted during the copyin. This might lead to kernel memory corruption
and escape from jails/containers.

Security: CVE-2022-23084
Obtained from: FreeBSD, 725c70d8153f4bddf95bdd07e2c7b4b9399643f6


Compare: https://github.com/MidnightBSD/src/compare/0dcc2b7d45ab...ebc96eef6315
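
Added example (not part of the commits above, and not the netmap or FreeBSD code): a user-space C simulation of the double-fetch pattern the third log message describes, where a length is validated on one read of user memory and then trusted on a later read. The `req_hdr` layout and the names `copyin_sim`, `copy_request` and `run` are hypothetical and constructed for illustration; the unhardened path only reports the overrun it would cause.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed length-prefixed request; not the real netmap layout. */
struct req_hdr { uint32_t body_len; };

/* Simulated user memory. A racing user thread is modelled by rewriting
 * body_len just before fetch number flip_at (0-based; -1 = never). */
static unsigned char user_mem[64];
static int fetches, flip_at = -1;
static uint32_t flip_to;

static void copyin_sim(const void *uaddr, void *kaddr, size_t len)
{
    if (fetches++ == flip_at)
        memcpy(user_mem, &flip_to, sizeof(flip_to));
    memcpy(kaddr, uaddr, len);
}

/* Returns 0 after a safe copy, -EINVAL if rejected, or the number of bytes
 * the copy would have written past the allocation (reported, not performed). */
static long copy_request(int hardened)
{
    struct req_hdr first, second;
    long rc = 0;
    copyin_sim(user_mem, &first, sizeof(first));     /* fetch 0: size it */
    if (first.body_len > sizeof(user_mem) - sizeof(first)) return -EINVAL;
    size_t alloc = sizeof(first) + first.body_len;
    unsigned char *kbuf = malloc(alloc);
    if (kbuf == NULL) return -ENOMEM;
    copyin_sim(user_mem, &second, sizeof(second));   /* fetch 1: re-read */
    if (second.body_len > first.body_len)            /* grew since the check */
        rc = hardened ? -EINVAL : (long)(second.body_len - first.body_len);
    else
        copyin_sim(user_mem + sizeof(second), kbuf + sizeof(second), second.body_len);
    free(kbuf);
    return rc;
}

/* Reset the simulation, place a request of len bytes, and process it. */
static long run(uint32_t len, int flip, uint32_t new_len, int hardened)
{
    memset(user_mem, 0, sizeof(user_mem));
    memcpy(user_mem, &len, sizeof(len));
    fetches = 0; flip_at = flip; flip_to = new_len;
    return copy_request(hardened);
}
int main(void) { return run(8, 1, 4096, 1) == -EINVAL ? 0 : 1; }
```

The hardened path re-validates the value that actually landed in kernel memory against the size the allocation was based on, so a length that changes between the two fetches is rejected instead of trusted.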

