From 82d8999861ab5f22447b98b0b22dcdac96cfaddc Mon Sep 17 00:00:00 2001 From: mbuhl Date: Thu, 7 Apr 2022 19:27:24 +0000 Subject: [PATCH] Release PF und NET lock before calling copyin and copyout for DIOCXBEGIN. OK bluhm@ OK sashan@ Reported-by: syzbot+b22ec16c5bf937578937@syzkaller.appspotmail.com --- sys/net/pf_ioctl.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 865342f7e39..08931dec43c 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.377 2022/04/07 14:13:01 mbuhl Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.378 2022/04/07 19:27:24 mbuhl Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -2481,11 +2481,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) NET_LOCK(); PF_LOCK(); pf_default_rule_new = pf_default_rule; + PF_UNLOCK(); + NET_UNLOCK(); memset(&pf_trans_set, 0, sizeof(pf_trans_set)); for (i = 0; i < io->size; i++) { if (copyin(io->array+i, ioe, sizeof(*ioe))) { - PF_UNLOCK(); - NET_UNLOCK(); free(table, M_TEMP, sizeof(*table)); free(ioe, M_TEMP, sizeof(*ioe)); error = EFAULT; @@ -2493,13 +2493,13 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) } if (strnlen(ioe->anchor, sizeof(ioe->anchor)) == sizeof(ioe->anchor)) { - PF_UNLOCK(); - NET_UNLOCK(); free(table, M_TEMP, sizeof(*table)); free(ioe, M_TEMP, sizeof(*ioe)); error = ENAMETOOLONG; goto fail; } + NET_LOCK(); + PF_LOCK(); switch (ioe->type) { case PF_TRANS_TABLE: memset(table, 0, sizeof(*table)); @@ -2532,17 +2532,15 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) error = EINVAL; goto fail; } + PF_UNLOCK(); + NET_UNLOCK(); if (copyout(ioe, io->array+i, sizeof(io->array[i]))) { - PF_UNLOCK(); - NET_UNLOCK(); free(table, M_TEMP, sizeof(*table)); free(ioe, M_TEMP, sizeof(*ioe)); error = EFAULT; goto fail; } } - PF_UNLOCK(); - NET_UNLOCK(); free(table, M_TEMP, sizeof(*table)); free(ioe, M_TEMP, sizeof(*ioe)); break; -- 2.20.1