mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-22 11:14:18 +01:00
bc06c51419
The SIOCDIFADDR{,_IN6} ioctls take an ifreq structure object, not an
ifaliasreq/in_aliasreq/in6_aliasreq structure object, as their argument.
As opposed to ifaliasreq/in_aliasreq/in6_aliasreq used by
SIOCAIFADDR{,_IN6}, the ifreq/in6_ifreq structures used by the
SIOCDIFADDR{,_IN6} ioctls do not include a separate field for a
broadcast address and other values required to add an address to a
network interface with SIOCAIFADDR{,_IN6}.
Whilst this issue is not specific to CHERI-extended architectures, it
was first observed on CheriBSD running on Arm Morello. For example,
incorrect calls using the in6_aliasreq object result in CHERI capability
violations. A pointer to the ifra_addr field in in6_aliasreq cast to the
ifru_addr union member of in6_ifreq results in bounds being set to the
union's larger size. Such bounds exceed the bounds of of in6_aliasreq
object and the bounds-setting instruction clears a tag of the object's
capability.
Reviewed by: brooks, kp, oshogbo
Accepted by: oshogbo (mentor)
Reported by: CHERI
Obtained from: CheriBSD
Differential Revision: https://reviews.freebsd.org/D46016
|
||
|---|---|---|
| .. | ||
| route | ||
| ktest_netlink_message_writer.c | ||
| ktest_netlink_message_writer.h | ||
| netlink_bitset.h | ||
| netlink_ctl.h | ||
| netlink_debug.h | ||
| netlink_domain.c | ||
| netlink_generic_kpi.c | ||
| netlink_generic.c | ||
| netlink_generic.h | ||
| netlink_glue.c | ||
| netlink_io.c | ||
| netlink_linux.h | ||
| netlink_message_parser.c | ||
| netlink_message_parser.h | ||
| netlink_message_writer.c | ||
| netlink_message_writer.h | ||
| netlink_module.c | ||
| netlink_route.c | ||
| netlink_route.h | ||
| netlink_snl_generic.h | ||
| netlink_snl_route_compat.h | ||
| netlink_snl_route_parsers.h | ||
| netlink_snl_route.h | ||
| netlink_snl.h | ||
| netlink_sysevent.c | ||
| netlink_sysevent.h | ||
| netlink_var.h | ||
| netlink.h | ||