untrusted comment: verify with openbsd-66-base.pub RWSvK/c+cFe24I5I2I72DkCbljOpEpsyhUiH/cp+AgrHNNj6kkagedtZnYfVxv+pjs8j7F9V/gdHE7PkzihzbUijYow4b3hC6wg= OpenBSD 6.6 errata 006, November 16, 2019: A regular user could change some network interface parameters due to missing checks in the ioctl(2) system call. Apply by doing: signify -Vep /etc/signify/openbsd-66-base.pub -x 006_ifioctl.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install a new kernel: KK=`sysctl -n kern.osversion | cut -d# -f1` cd /usr/src/sys/arch/`machine`/compile/$KK make obj make config make make install Index: sys/dev/ic/an.c =================================================================== RCS file: /cvs/src/sys/dev/ic/an.c,v retrieving revision 1.73 diff -u -p -r1.73 an.c --- sys/dev/ic/an.c 19 Feb 2018 08:59:52 -0000 1.73 +++ sys/dev/ic/an.c 14 Nov 2019 14:49:58 -0000 @@ -902,6 +902,8 @@ an_ioctl(struct ifnet *ifp, u_long comma error = 0; break; case SIOCS80211NWKEY: + if ((error = suser(curproc)) != 0) + break; error = an_set_nwkey(sc, (struct ieee80211_nwkey *)data); break; case SIOCG80211NWKEY: Index: sys/net/if.c =================================================================== RCS file: /cvs/src/sys/net/if.c,v retrieving revision 1.588 diff -u -p -r1.588 if.c --- sys/net/if.c 21 Aug 2019 15:32:18 -0000 1.588 +++ sys/net/if.c 14 Nov 2019 14:49:59 -0000 @@ -2182,6 +2182,7 @@ ifioctl(struct socket *so, u_long cmd, c case SIOCDELMULTI: case SIOCSIFMEDIA: case SIOCSVNETID: + case SIOCDVNETID: case SIOCSVNETFLOWID: case SIOCSTXHPRIO: case SIOCSRXHPRIO: @@ -2195,6 +2196,33 @@ ifioctl(struct socket *so, u_long cmd, c case SIOCSPWE3FAT: case SIOCSPWE3NEIGHBOR: case SIOCDPWE3NEIGHBOR: +#if NBRIDGE > 0 + case SIOCBRDGADD: + case SIOCBRDGDEL: + case SIOCBRDGSIFFLGS: + case SIOCBRDGSCACHE: + case SIOCBRDGADDS: + case SIOCBRDGDELS: + case SIOCBRDGSADDR: + case SIOCBRDGSTO: + case SIOCBRDGDADDR: + case SIOCBRDGFLUSH: + case SIOCBRDGADDL: + case SIOCBRDGSIFPROT: + case SIOCBRDGARL: + case SIOCBRDGFRL: + case SIOCBRDGSPRI: + case SIOCBRDGSHT: + case SIOCBRDGSFD: + case SIOCBRDGSMA: + case SIOCBRDGSIFPRIO: + case SIOCBRDGSIFCOST: + case SIOCBRDGSTXHC: + case SIOCBRDGSPROTO: + case SIOCSWGDPID: + case SIOCSWSPORTNO: + case SIOCSWGMAXFLOW: +#endif if ((error = suser(p)) != 0) break; /* FALLTHROUGH */ @@ -2202,11 +2230,30 @@ ifioctl(struct socket *so, u_long cmd, c error = ((*so->so_proto->pr_usrreq)(so, PRU_CONTROL, (struct mbuf *) cmd, (struct mbuf *) data, (struct mbuf *) ifp, p)); - if (error == EOPNOTSUPP) { - NET_LOCK(); - error = ((*ifp->if_ioctl)(ifp, cmd, data)); - NET_UNLOCK(); + if (error != EOPNOTSUPP) + break; + switch (cmd) { + case SIOCAIFADDR: + case SIOCDIFADDR: + case SIOCSIFADDR: + case SIOCSIFNETMASK: + case SIOCSIFDSTADDR: + case SIOCSIFBRDADDR: +#ifdef INET6 + case SIOCAIFADDR_IN6: + case SIOCDIFADDR_IN6: +#endif + error = suser(p); + break; + default: + error = 0; + break; } + if (error) + break; + NET_LOCK(); + error = ((*ifp->if_ioctl)(ifp, cmd, data)); + NET_UNLOCK(); break; } Index: sys/net/if_spppsubr.c =================================================================== RCS file: /cvs/src/sys/net/if_spppsubr.c,v retrieving revision 1.179 diff -u -p -r1.179 if_spppsubr.c --- sys/net/if_spppsubr.c 24 Jun 2019 21:36:53 -0000 1.179 +++ sys/net/if_spppsubr.c 14 Nov 2019 14:49:59 -0000 @@ -873,6 +873,8 @@ sppp_ioctl(struct ifnet *ifp, u_long cmd break; case SIOCSSPPPPARAMS: + if ((rv = suser(curproc)) != 0) + break; rv = sppp_set_params(sp, ifr); break;